Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Define opaque-response blocking (updated) #1755

Open
wants to merge 5 commits into
base: main
Choose a base branch
from

Conversation

sefeng211
Copy link

@sefeng211 sefeng211 commented May 27, 2024

This PR is based on what @annevk has proposed in #1442, with additional changes. It includes the validate a partial response and the Content-Range header parser algorithm, plus the additional changes that Firefox has made in its implementation.

#1442 had some discussions and references, and I wish I can keep them, but I don't have write access to annevk/orb, hence this PR. Please let me know if there's a better way to move this forward.

cc @zcorpan @annevk


TODO:


(See WHATWG Working Mode: Changes for more details.)


Preview | Diff

@zcorpan
Copy link
Member

zcorpan commented May 27, 2024

From the build errors, it looks like mimesniff needs to export more terms, e.g. https://github.com/whatwg/mimesniff/blob/main/mimesniff.bs#L988

sefeng211 added a commit to sefeng211/mimesniff that referenced this pull request Jun 11, 2024
I'd like to reference them in whatwg/fetch#1755,
hence this patch to export those two algorithms.
zcorpan pushed a commit to whatwg/mimesniff that referenced this pull request Jun 12, 2024
annevk and others added 4 commits June 12, 2024 14:32
This is good enough for early review, but there are a number of issues that still need resolving: https://github.com/annevk/orb/labels/mvp.

There are also some inline TODO comments.

A PR against HTML is needed to ensure it passes the appropriate metadata for media element and classic script requests. We might also want to depend on HTML for parsing JavaScript.
fetch.bs Outdated
set of bytes, and ultimately falls back to a full parse due to unfortunate (lack of) design
decisions in the early days of the web platform. As a result there are still quite a few responses
whose secrets can end up being revealed to attackers. Web developers are strongly encouraged to use
the `<code http-header>Cross-Origin-Resource-Policy</code>` response header to defend them.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The http-header attribute seems to cause a build error. Try dfn-type=http-header

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

3 participants