Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Should foreign fetch work same-origin? #826

Closed
jakearchibald opened this issue Jan 27, 2016 · 7 comments
Closed

Should foreign fetch work same-origin? #826

jakearchibald opened this issue Jan 27, 2016 · 7 comments
Milestone
Version 2

Comments

@jakearchibald
Copy link
Contributor

If I register a SW with scope /, let it install, and activate, but do not refresh so my page remains uncontrolled, will a subresource request for /foo go through the foreign fetch handler of the new worker?

What if I shift-reload the page to avoid this page being controlled?
@mkruisselbrink
Copy link
Collaborator

That's an interesting question. Fetches from that SW should definitely not go through its own foreign fetch handler, so at some point we'd need to somewhat special case same origin foreign fetch. I'm not sure about request from same origin uncontrolled pages (or even same origin but distinct service workers). I think there is pretty much three options:

  1. same origin requests from (uncontrolled) clients do go through the foreign fetch handler, and requests from distinct same origin service workers do as well
  2. same origin requests from (uncontrolled) clients do go through the foreign fetch handler, but request from any same origin service worker do not
  3. no same origin requests will ever go through the foreign fetch handler

I think of these options maybe 3. would be the least confusing?

@jakearchibald
Copy link
Contributor Author

I guess it comes down to how distinctly we'd want to consider distinct apps that exist on the same origin. Eg github pages, and well, Google.com

@annevk
Copy link
Member

annevk commented Jan 27, 2016

Ah, more joyous fallout from scope. I think we should only consider it for cross-origin. If you want multiple apps on an origin and enable foreign fetch, use some future technology such as suborigins.

@mkruisselbrink mkruisselbrink modified the milestone: Version 2 Apr 12, 2016
@delapuente
Copy link

I see the point on going against this feature as if we accept it, it would be like going against the need of having two different events (as you could reimplement fetch on the top of same-origin foreign fetch). Maybe we should rethink if foreign fetch can not be simply a special case of fetch. I'm not talking at implementation level but at user level.

@mkruisselbrink
Copy link
Collaborator

I actually started out with using the same event for foreign fetch and fetch. But I think the need to deal with CORS like behavior (expose responses to explicit origins etc) is a good enough reason to have separate events, as it makes the API easier to use. And even with two separate events it's not that hard to share 99% of the code for both event handlers, and at least you have to be somewhat conscious about the fact that you're possibly exposing data cross origin.

@delapuente
Copy link

Then perhaps make sense to force foreign fetch to not handle same origin requests.

@mkruisselbrink
Copy link
Collaborator

Closing this issue as not handling same origin requests with foreign fetch is already what is specified (step 9 in Handle Foreign Fetch).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Version 2
Development

No branches or pull requests
4 participants
@mkruisselbrink @jakearchibald @delapuente @annevk