Re: [whatwg/fetch] Hide range values from no-cors cross-origin range requests (Issue #1936) from Yoshisato Yanagisawa on 2026-06-26 (public-webapps-github@w3.org from June 2026)

From: Yoshisato Yanagisawa <notifications@github.com>
Date: Fri, 26 Jun 2026 03:54:32 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1936/4808862333@github.com>

yoshisatoyanagisawa left a comment (whatwg/fetch#1936)

From a Service Worker perspective, this is an understandable change to prevent XS-Leaks. However, I believe this behavior can be highly confusing to web developers because they generally assume that subresource requests will be intercepted by Service Workers by default.

The existing skip cases, such as the "serviceworker" script itself or the "webidentity" destination, are easy to justify for infinite loop prevention and user privacy. Bypassing the Service Worker for XS-Leak prevention on same-origin/cross-origin media requests, however, can feel very counterintuitive. We will need to thoroughly explain the 'why' and the 'what' to the developer community, especially the requirement to explicitly use the crossorigin attribute to enable Service Worker interception.

CCing @monica-ch to heads up as the other Service Worker spec editor.


-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1936#issuecomment-4808862333
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1936/4808862333@github.com>

Received on Friday, 26 June 2026 10:54:36 UTC