Re: [w3ctag/design-reviews] Question: Using Cross-Origin-Resource-Policy to enable compression dictionary support for opaque responses (Issue #1203) from Patrick Meenan on 2026-03-17 (public-webapps-github@w3.org from March 2026)

From: Patrick Meenan <notifications@github.com>
Date: Mon, 16 Mar 2026 19:01:36 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/1203/4071822295@github.com>

pmeenan left a comment (w3ctag/design-reviews#1203)

Correct. It's less likely for the delta-update case since the dictionary would likely be fetched the same way as the resource being compressed so it would be most likely to happen if you fetch a stand-alone dictionary with `<link rel=compression-dictionary...>` (or the header version) which defaults to crossorigin=anonymous and then used the dictionary for resources that are fetched no-cors.

Today that will not generate an `Available-Dictionary` header for the no-cors requests so it's currently safe to always assume if you see the header that the client will successfully decompress.

If we ever want to add no-cors support, now is probably the best time to do it without having to use a completely different negotiation so that developers will see the decoding fail if they don't include the CORP header as well (with appropriate error messages in dev tools).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/1203#issuecomment-4071822295
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/1203/4071822295@github.com>

Received on Tuesday, 17 March 2026 02:01:40 UTC