Add ['wss', 'ws'] in "Strip URLs for use in reports" allow-list. #533
This is a follow-up to: w3c#527 (comment)
This is needed, until browsers rewrite wss/ws URL in fetch before going through CSP:
https://github.com/w3c/webappsec-csp
Associated WPT PR: web-platform-tests/wpt#31702
++ @Rob--W FYI.
As per my comment this doesn't work. If we want to change this just in CSP, which seems to be the safest option, we'd essentially undo the scheme change as part of "strip URLs for use in reports" (perhaps it ought to be named "prepare URLs for use in reports"), based on request's mode.
efbedc4 to dbac583
Sorry, I don't get why this doesn't work and what you would like to do. I have zero knowledge about WebSocket. Would you have a spec link about the scheme change you are talking about? I see request.mode can be "websocket": And the websocket connection obtain algorithm: Happy to abandon this patch or work on something else if you would like. Still, I believe I need to implement it in Chrome in order not to strip useful information from ws/wss URLs for now.
Okay, WebSocket schemes change in https://fetch.spec.whatwg.org/#websocket-opening-handshake (which is what To make the scheme change part of "strip URLs for use in reports" you'd have to pass the WebSocket context along somehow. An alternative might be to change the URL earlier.
I see! Thanks! So you would like:
IMO, inserting step 1 could be done independently from this patch. I can land this patch if you want, or we can wait for someone to plumb the request-or-null toward this location. The second option sounds like a non-trivial amount of work, so I don't believe I will be able to spend this time.
If you flip the order of 1 and 2, this PR doesn't have to land and you don't need the proposed 1a either.
Yes, that's a way to see this. So I guess I have to abandon this ;-)
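As an added illustration (not code from this PR, the CSP spec text, or any browser), the sketch below shows what the allow-list in the PR title changes in a violation report, and the alternative raised in the thread of undoing the Fetch scheme change based on the request's mode. The function names, the constants and the `example.test` URLs are assumptions made for the example.

```javascript
// Added sketch; all names here are hypothetical, sample URLs are constructed.
const HTTP_SCHEMES = ['http:', 'https:'];
// Allow-list as proposed in the PR title: also report ws/wss URLs in full.
const WITH_WS = [...HTTP_SCHEMES, 'ws:', 'wss:'];

// Sketch of "strip URLs for use in reports": a URL whose scheme is outside
// the allow-list is reduced to its scheme; otherwise credentials and the
// fragment are dropped so they never reach the report endpoint.
function stripUrlForReport(input, allowList = HTTP_SCHEMES) {
  const url = new URL(input);
  if (!allowList.includes(url.protocol)) {
    return url.protocol.slice(0, -1); // "wss:" -> "wss"
  }
  url.hash = '';
  url.username = '';
  url.password = '';
  return url.href;
}

// Alternative from the thread: the WebSocket handshake has already changed
// ws -> http and wss -> https, so the report step undoes that change when
// the request's mode is "websocket". Passing `mode` in is the assumption;
// the thread notes this context would have to be plumbed through.
function prepareUrlForReport(input, mode) {
  const stripped = stripUrlForReport(input);
  if (mode === 'websocket' && /^https?:/.test(stripped)) {
    return stripped.replace(/^http/, 'ws'); // http -> ws, https -> wss
  }
  return stripped;
}

// Constructed sample: a WebSocket URL carrying credentials and a fragment.
const sample = 'wss://user:pw@example.test/chat?room=1#frag';
console.log(stripUrlForReport(sample));          // scheme only
console.log(stripUrlForReport(sample, WITH_WS)); // full URL, secrets removed
console.log(prepareUrlForReport('https://example.test/chat?room=1#x', 'websocket'));
```
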