Fetch abort & no-cors requests

[jakearchibald]

Aborting fetch introduces a new capability: aborting 'no-cors' fetches.

// In a service worker:
addEventListener('fetch', event => {
  const controller = new AbortController();
  const signal = controller.signal;

  event.respondWith(
    fetch(whateverURL, {mode: 'no-cors', signal})
  );

  // Sometime later:
  controller.abort();
});

Connections can already terminate as the result of connections dropping, but now the timing & control of this is available to the developer. Although, since the response is being read in another thread, the timing of actual cancellation isn't completely predictable.

tc39/proposal-cancelable-promises#4 is the first time the issue was raised that aborting a fetch might result in a partial response and that for opaque responses that could potentially be problematic.

Possible attacks:

• Header truncation
• Partial data execution

The browser will know the response stream ended in error, so it can avoid executing non-streaming formats like JS and CSS (if we assume CSS isn't streaming), but is there an issue with allowing a mid-response abort of streaming responses like img, audio, video?

Related issues:

• Aborting fetch #523 PR for fetch abort
• Aborting a fetch: The Next Generation #447 Discussion of abort
• Aborting fetch web-platform-tests/wpt#6484 aborting fetch tests

[annevk]

To be extra clear, the new feature relative to XMLHttpRequest is the ability to abort while an opaque response is being received (XMLHttpRequest would have gotten a network error at that point due to CORS). Aborting during the "requesting part" was already possible.

I think header truncation is a solved problem at this point in that you simply get a network error if they are incomplete.

HTTP cache interaction might also be worth touching on, in particular with respect to the recent refactoring efforts there. The easiest would be to simply not cache erred responses, at least not until we offer APIs around range requests and the like.

[mnot]

Incomplete responses can be stored as partial responses and then completed later (with validation), but we decided to punt on partial caching support, so probably best to call it an error and skip the cache (unless the cache decides to support partial).

See also:
http://httpwg.org/specs/rfc7234.html#incomplete.responses

[wanderview]

Is this similar to adding a cross-origin iframe which starts an img/script/etc load and then removing the iframe before the load completes? I know we cancel if the user closes a tab. I'm just wondering if similar cancelation happens on iframe removal which would be script controlled.

[wanderview]

Another possible way this could happen today:

1. Create a dedicated worker that does a large load.
2. Worker.terminate() the worker while its in the middle of receiving data.

[annevk]

In both those cases you can't really inspect the resulting Response (and you end up aborting all kinds of other activity too such as the event loop and such). Worth keeping in mind though.

[jakearchibald]

I shared this issues with our security folks and we couldn't find any security issues with this.