DBSC refreshes are copies of original requests #155
Conversation
drubery
force-pushed
the
push-ulxvtvsqxtxp
branch
from
99c2fec to
8f32491
Compare
spec.html
Outdated
| @@ -0,0 +1,3178 @@ | |||
| <!doctype html><html lang="en"> | |||
There was a problem hiding this comment.
Is this new file intended?
There was a problem hiding this comment.
Nope, I just haven't figured out how to convince bikeshed not to output in the main repo.
| @@ -405,16 +405,15 @@ The <dfn>session credential</dfn> is a [=struct=] with the following | |||
| with |key pair| and store the result in |signed challenge|. | |||
| 1. Create a |request| for use in <a | |||
| href="https://fetch.spec.whatwg.org/#http-network-or-cache-fetch">HTTP-network-or-cache | |||
| fetch</a>. | |||
| fetch</a> as a copy of |originating request|. | |||
There was a problem hiding this comment.
I'm a little hesitant about this, since it means we need to remember to opt out of unintentional properties instead of deciding which properties make sense to copy over. I'm also not convinced at the moment that conceptually it makes sense to consider registration/refresh requests as a slightly tweaked copy of the originating request. I'm not closed to the idea though. I suppose they're kind of the same problem either way, but having to null out the header list (based on the change below) makes me worried there may be other properties we're not aware we should also null out.
Are there any specific fields the spec wasn't already mentioning that prompted you to make this change?
There was a problem hiding this comment.
Specifically I was looking at things like client, which I believe will end up owning the session map (PR to come). Right now we don't necessarily have access to that.
I had originally wanted it because I think it gives us a nicer privacy story. "Anything a DBSC request can do could have been done by the original request" is a nice invariant. But I think it's reasonable for that to just be the principle we follow, and for the spec to be more future-proof by only copying the fields it needs.
There was a problem hiding this comment.
Up to you. I prefer it the way it was before, but I can see the rationale.
There was a problem hiding this comment.
No I think you're right. I'll abandon this one.
There are a lot of fields for requests that we won't change when doing a DBSC refresh or registration. So instead of copying a small number of fields from the originating request, copy everything and change the fields we want to change.
drubery
force-pushed
the
push-ulxvtvsqxtxp
branch
from
8f32491 to
ab4b570
Compare
| @@ -405,16 +405,15 @@ The <dfn>session credential</dfn> is a [=struct=] with the following | |||
| with |key pair| and store the result in |signed challenge|. | |||
| 1. Create a |request| for use in <a | |||
| href="https://fetch.spec.whatwg.org/#http-network-or-cache-fetch">HTTP-network-or-cache | |||
| fetch</a>. | |||
| fetch</a> as a copy of |originating request|. | |||
There was a problem hiding this comment.
Up to you. I prefer it the way it was before, but I can see the rationale.
There are a lot of fields for requests that we won't change when doing a DBSC refresh or registration. So instead of copying a small number of fields from the originating request, copy everything and change the fields we want to change.