Comments (10)
I filed a couple of issues https://github.com/TokenBinding/Internet-Drafts/issues as some things were not entirely clear to me.
It seems there needs to be integration between Fetch and this draft where Fetch handles redirects (or is Include-Referer-Token-Binding-ID not relevant for the API?), where Fetch goes to the network (and "adds" HTTP headers), and with the API.
So we probably need to decide what bits of the processing model should be in Fetch and what should be handled in those drafts and then how to best divide that.
Include-Referer-Token-Binding-ID shouldn't be relevant for this API. That's a different way for the RP to signal to the UA to reveal the referred token-binding to the IdP. Federation protocols that use redirects would use the Include-Referer-Token-Binding-ID header, and federation protocols that use XHRs would use whatever capabilities fetch exposes for that - but you wouldn't see RPs use both.
On the other hand, anything on the client that processes redirects should be aware of this new response header - if redirection logic is handled by fetch then I guess that's something that it should be aware of.
We'll have new versions of the Token Binding I-Ds out soon. We'll address the issues you and others have pointed out over there.
Yes, Fetch handles all requesting logic for the entire web platform, including redirects. Redirects are handled in step 4 of https://fetch.spec.whatwg.org/#http-fetch at the moment. Headers such as cookies and Referer are added at the network level here: https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch
I suspect both of these need to be modified somehow to account for Token-Binding. I suspect we want to update the concept of a request somehow with a flag that indicates that Token-Binding needs to be included in the request. (What happens if such a request results in a(nother) redirect?)
@balfanz do you need anything else from me?
@annevk - any pointers as to how to get this moved to the next stage would be great. Should I attend a meeting somewhere?
As for the redirect question: I think we should include the referred token-binding only in the first request - the one that the 302 redirects to, or the one that the fetch() initially goes to.
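The redirect behaviour proposed above (a request-level flag, set by the RP's redirect response and consumed by the very next hop), as an added model that is not code from the Fetch spec or the Token Binding drafts. It assumes a `Sec-Token-Binding` request header carrying `provided`/`referred` IDs, keeps the page's spelling `Include-Referer-Token-Binding-ID` for the response header, and uses a constructed in-memory network instead of real HTTP.

```javascript
// Added model: a fetch-like redirect follower that reveals the referred
// Token Binding only on the hop an RP's 302 points at, never on later hops.
const MAX_REDIRECTS = 20; // Fetch's redirect limit

// Constructed sample: per-origin Token Binding IDs the UA would hold.
const tokenBindingIds = { 'https://rp.example': 'tb-rp', 'https://idp.example': 'tb-idp' };
const originOf = (url) => new URL(url).origin;

// Value for the (assumed) Sec-Token-Binding request header for one hop.
function tokenBindingHeader(url, referredOrigin) {
  const tb = { provided: tokenBindingIds[originOf(url)] || null };
  if (referredOrigin && tokenBindingIds[referredOrigin]) tb.referred = tokenBindingIds[referredOrigin];
  return tb;
}

// Follow redirects with a "reveal referred binding" flag on the request:
// a 302 bearing Include-Referer-Token-Binding-ID sets it for the next hop,
// and sending that hop clears it, so a further redirect does not carry it.
function modelFetch(url, network) {
  const sent = [];
  let referredOrigin = null;
  for (let hop = 0; hop <= MAX_REDIRECTS; hop++) {
    const headers = { 'Sec-Token-Binding': tokenBindingHeader(url, referredOrigin) };
    sent.push({ url, headers });
    referredOrigin = null; // flag consumed by the hop just sent
    const resp = network(url);
    if (resp.status !== 302) return { finalUrl: url, status: resp.status, sent };
    if (resp.headers['Include-Referer-Token-Binding-ID'] === 'true') referredOrigin = originOf(url);
    url = new URL(resp.headers['Location'], url).href;
  }
  throw new Error('too many redirects');
}

// Constructed network: RP redirects to the IdP and asks the UA to reveal the
// referred binding; the IdP then redirects back to the RP's callback.
function sampleNetwork(url) {
  if (url === 'https://rp.example/login') {
    return { status: 302, headers: { Location: 'https://idp.example/auth', 'Include-Referer-Token-Binding-ID': 'true' } };
  }
  if (url === 'https://idp.example/auth') return { status: 302, headers: { Location: 'https://rp.example/cb' } };
  return { status: 200, headers: {} };
}
```

Running `modelFetch('https://rp.example/login', sampleNetwork)` shows the referred ID appearing only on the second hop, which is the behaviour the thread wants Fetch's redirect step to enforce.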
We don't have meetings really, but I'm happy to chat if you think that helps.
If you search for "mixed content" in Fetch you'll find how it integrates with the Mixed Content specification. Ideally, we'd have something similar for federated token binding. A set of changes to the Fetch algorithm and API that integrates with the work done at the IETF.
A feature of Token Binding is that it couples requests with their connection. What is the impact of that on efforts to reuse connections across credentialed and non-credentialed requests (see #341)?
cc @vanupam @mikewest @yoavweiss @equalsJeffH @sleevi @jakearchibald
Okay, that sounds somewhat promising. I got worried because in the PR there's talk about putting new properties on the connection, but I have not carefully studied the implications.
Closing as per #715 (comment).