New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce "navigate" mode #126
Comments
Do you have any thoughts on how opaque origins will be blocked for navigations? It seems worker scripts should still be covered by the same-origin RequestMode. |
So what I think we should do is that HTML just treats any tainted response as same-origin (that is what happens today and makes sense) and that Fetch blocks opaque responses from the service worker (so that you can't exploit it). |
It seems clunky to have special cases for navigations that aren't reflected in the exposed FetchEvent.request attributes. If navigations follow no-cors cross-origin redirects, is there a reason we can't just accept opaque responses for navigations? It seems if we update the final URL of the page with the intercepted Response.url, then it would be the same as a redirect. Maybe something like:
@jakearchibald, is there a functional reason not to do this for navigations? |
From IRC:
|
So @wanderview suggested introducing "navigate" as a mode since navigation really has its own policy. We would not expose that to script, just the HTML Standard. The alternative is that security branches on both mode and destination. (Having said that, per #127 it might already end up branching on mode and redirect mode. So I'm not sure how consistent we'd be.) I wonder what @tyoshino et al think of this. |
In both cases, checking the Response type based on the Request attribute which determines if you get that Response type seems natural to me. Setting navigation request to "no-cors" RequestMode implies that opaque responses should be allowed. But we don't allow them, because what we really mean is same-origin, but we can't use that because it forces the origin header which isn't right for navigations. None of the current RequestMode values really fits for navigations. To me that really suggests we need a new RequestMode for navigations. |
Okay, so
|
See whatwg/fetch#126 for context around the “navigate” value for request’s mode. The other additions were unfortunately omitted from 7c5555a.
Would it be possible to put the "navigate" type at the end of the enumeration list? We try to keep the webidl a direct copy of whats in the spec, which means the binary enumeration values of the RequestMode would change by putting "navigate" first. This matters because we store these enumeration values in Cache databases. I can deal with this, but it would be easier if enumeration order wasn't changed. Appending new enumeration values avoids the problem. |
The specification doesn't expose order in any way, so it should not matter. |
See whatwg/fetch#126 for context around the “navigate” value for request’s mode. The other additions were unfortunately omitted from 7c5555a.
The reason navigate needs to be "no-cors" is due to the Origin header. We cannot just override the origin to always be same-origin, because that would give the wrong value for the Origin header. And I don't think we want to introduce a second origin concept.
The text was updated successfully, but these errors were encountered: