Comments (14)
That certainly seems terrible, and isn't what I intended with that addition. @annevk, wdyt?
from fetch.
I see three problems. 1. It's not clear when this header is supposed to be set and therefore it's not clear whether e.g. service workers are supposed to be able to observe it. 2. This header can be set by fetch()
and XMLHttpRequest
because it is not prefixed with Sec-
so you need to handle duplicates somehow when you set it. 3. It's not clear whether including this header cross-origin is a security risk or not and therefore whether we should preflight it. So far we have answered yes to this question.
from fetch.
Ping!
from fetch.
The goal is to inform a page that any redirect they perform is potentially observable (in a binary "Happened" or "Didn't happen." sense). We plugged the whole which made the endpoint completely observable, so I've been less interested in figuring out this header, as it's less valuable than it used to be.
That said:
- It should reflect the state of the thing that's making the request, and therefore the thing that can observe redirects. That is, if a Document sends a request, and it passes through a service worker, the header should be present. If a SW intercepts a request from that Document, and then sends it's own request in order to fulfill it, then the header would be present iff the service worker had an active policy.
- That seems fine. The value of the header is immaterial; it's
1
at the moment, but could just as easily be1,1,1,1,1,1
orlkjahfklj;dvsnf
. That might change in the future if we actually use the header for anything interesting, but for now, presence is enough. - I doubt it is, but, I also didn't think that an
HTTPS
header would be dangerous, so, what do I know?
from fetch.
If we don't think this is needed anymore, happy to not add it. Will leave it open so we can reconsider when CSP is rewritten.
from fetch.
There's a similar known issue regarding the EventSource (https://html.spec.whatwg.org/multipage/comms.html#last-event-id). It sends out Last-Event-ID. It's currently treated as a non-simple header and Chromium's ServiceWorker would issue a preflight for it (cc/ @horo-t).
In a different context, we're about to exempt the Save-Data
header (http://httpwg.org/http-extensions/client-hints.html#the-save-data-hint, https://code.google.com/p/chromium/issues/detail?id=584889). It's currently experimental and specific to Chromium but planned to be standardized.
There could be more stuffs like this coming that are intended to be observable/alterable by a ServiceWorker.
For the Last-Event-ID, I think we can just add it to the simple header list and leave it open to XHR/Fetch (i.e. leave it not forbidden).
from fetch.
@tyoshino in part it really depends on when the header is set. Is it set at the "feature level", the "fetch level", the "service worker level", or the "just prior to network level".
The theoretical security problem with adding headers to the simple header list is that they can then be set to any value, thereby potentially compromising the security of a server which would not be affected otherwise (since it assumes that for logged in users the value will always be correct). I would love to figure out what the best solution for that is. @igrigorik wants to know it too I think. And so does @jakearchibald.
from fetch.
Yeah. Regarding Last-Event-ID
, I'm considering that it's in "feature level". Me too love to figure out the right way.
My initial impression for Save-Data
was that it should live in "just prior to network level", but seems Ben Greenstein (Data reduction proxy developer) and @igrigorik's idea is that it should be observable by SW. Thanks for looping him in.
from fetch.
Agreed about Last-Event-ID
being feature level and that does indeed argue for it being a "simple header", but that also creates the problem I illustrated. Up until now servers could assume it contains an ID they controlled, and the moment it becomes a "simple header" it can be any value an attacker wants.
What does Chrome's network security team think about that? I'm also not sure what Mozilla thinks on this matter, FWIW. It's always a little muddy on the edges of the same-origin policy.
from fetch.
Related Client-Hint threads:
- httpwg/http-extensions#141 (this one should probably live here, not on httpwg)
- igrigorik/http-client-hints#68
FWIW, being able to observe CH headers within SW is an important use case. Similarly, requests initiated by fetch() and within SW should advertise appropriate UA-set CH headers.
Does it make sense to allow UA-set headers to be treated as "simple headers", and trigger a preflight if set or modified by the developer?
from fetch.
That would make headers more complex than they currently are, or require a side table I suppose. (Alternatively, you could go with validation and allow both developers and user agents the same kind of syntax.) None of these is very attractive, but perhaps that is the best option?
from fetch.
Hmm, well.. The CH spec does specify the BNF for each header. It doesn't seem like a far stretch to make UA require a validation step for the provided values?
from fetch.
We could I suppose, if user agents implement it... So it'd be something like:
'A simple header is ... or a header whose name is "CH header 1", "CH header 2", or ... and whose value, once parsed, is not failure.'
from fetch.
I'm not sure what plans we have, if any, for Client-Hints, but I filed this gecko bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1263446
from fetch.
Related Issues (20)
- Clarity of Location URL Algorithm HOT 1
- Incremental read: Why only Uint8Array instead of BufferSource? HOT 12
- CORB is blocked HOT 1
- RequestInit::priority lacks corresponding Request::priority attribute
- Referrer determination should be done on updated URLs in main fetch
- Automatic decompression should sanitize `Content-Encoding` and `Content-Length` headers from the response HOT 1
- When there is an issue with the URL parameter, fetch does not have any errors
- add a method to get a Uint8Array to Body HOT 4
- Fetch with Flask or Microdot HOT 1
- Service worker "handle fetch" seems to assume it's called in parallel HOT 2
- Redirect loop handling not discussed
- Add compression dictionary negotiation and decoding to the fetch processing model HOT 2
- Reconsider default Accept values for images
- Fetch support for explicit resource management
- Consider renaming or replacing http3only? HOT 1
- [render-blocking] The links of "render-blocking" in fetch are vague HOT 2
- Define what consequences NULL bytes (0x00) or other invalid values in header names have HOT 1
- 0x00 byte (%00) in a data: URL
- fetch does not allow caching requests with a null client HOT 1
- Question about stream handling around fetch requests with integrity metadata HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fetch.