Does any of this require CORS-with-forced-preflight?

[annevk]

Since this allows inspection of how fast a body is transmitted to the server, should this require a preflight just like we do in XMLHttpRequest for progress events?

[yutakahirano]

I overlooked this ticked, sorry.
You're right. I'll fix that.

[yutakahirano]

• A BodyStreamInit is given and mode is same_origin => Set mode to same_origin
• A BodyStreamInit is given and mode is CORS => Set mode to CORS-with-forced-preflight
• A BodyStreamInit is given and mode is CORS-with-forced-preflight => Set mode to CORS-with-forced-preflight

What should we do when mode is no CORS? Failing the operation seems reasonable to me.

[annevk]

Failing sounds fine, yes. There's no need to set mode btw if we don't want to change it, I would only create branches for the cases where we anticipate a change.

[yutakahirano]

Created a change: https://github.com/yutakahirano/fetch-with-streams/tree/28271acbfaaf1fd2f2ad4f19c8f3cf143298b90a
Can you take a look at it?

[yutakahirano]

@annevk ping

[annevk]

Sorry. Request class modifications look okay. Independent security review is also required but I guess that'll happen as part of landing the code in browsers.

[yutakahirano]

Thanks, merged.

[yutakahirano]

Reopen this issue because WritableStream is dropped from the draft on b32685d. I will fix it again in the future.

[domenic]

It sounds like this means uploading a request body would require a forced preflight?

[annevk]

That is the question. There's two parts to this. 1) Due to us using streams, you can discover much more about the server than if you transmit a single ArrayBuffer object. 2) Thus far browsers have never used chunked encoding for uploads. Using that could be a vulnerability of sorts by itself.

Curious to see what @dveditz, @mikewest et al think. Obviously not doing a preflight would be much more desirable. (On the other hand, if we get origin-wide preflights it might not be that big of a deal.)

[mikewest]

Erring on the side of caution seems reasonable; I haven't looked at the spec, but based on the comment above (#10 (comment)), it seems like the right balance.

(I agree, by the way, that giving servers the ability to opt-into certain kinds of preflightless requests on an origin-wide basis makes it less painful to require them for new features. That tips the balance further towards conservationism...)