-
Notifications
You must be signed in to change notification settings - Fork 35
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
If the FetchEvent returns the integrity value #71
Comments
We should also consider the foreign fetch case. If we think service workers are similar to servers, I guess requests reaching to the foreign fetch handler on the service worker shouldn't have the integrity value. |
This question may be better for the service worker spec repository @wanderview @jungkees @jakearchibald. The question is that if you have something like <script src='a.js' integrity='foo'>, and a service worker intercepts the request, in the fetch event should request.integrity = 'foo' ? Does the answer change if it's a foreign fetch interception? I'm not familiar with integrity and its security considerations so wanted to see what others think. |
I think the spec currently exposes this information. The FetchEvent just wraps the internal request with a DOM |
@wanderview Thanks a lot for you clarification, understand that. :) |
I don't have any objections for it. I think chromium can also implement it. |
yeah, I mean based on that, web-platform-test: fetch-request-resources.https.html is correct and should be passed, so let's do the further discussion in crrev.com/2941883003. |
I have one question: If SW does like e.respondWith(fetch(e.request)), I guess checking the integrity value happens on [1] and [2], and if the SW creates another request internally, it happens only on [1]. Is this right? |
In the case of Integrity checks are performed at step 19:
Following [2] arrives at 19.2 first, as [1] hasn't received a response yet. If the integrity check fails, a network error is returned, so [1] won't recheck integrity. If the integrity check succeeds, then [1] will recheck integrity when it lands on 19.2. I guess a conforming implementation could carefully optimise here and avoid duplicating this work. In the case of |
I am working a chromium fetch test issue, the test is to set a script.integrity, and then determine whether this integrity value and FetchEvent returned integrity value are equal.
My question is that if the spec require FetchEvent return this value? I didn't find that here https://www.w3.org/TR/SRI/.
Thanks a lot for your kindly answer!
Some test code:
The text was updated successfully, but these errors were encountered: