Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Integrate with Fetch Metadata. #993

Merged
merged 7 commits into from
Mar 4, 2021
Merged

Integrate with Fetch Metadata. #993

merged 7 commits into from
Mar 4, 2021

Conversation

mikewest
Copy link
Member

@mikewest mikewest commented Jan 10, 2020

This patch integrates Fetch Metadata processing into Fetch's "main
fetch" algorithm, and defines a "user activation flag" on requests that
will be populated during HTML's "process a navigate fetch" algorithm.

Closes #885.

(See WHATWG Working Mode: Changes for more details.)


Preview | Diff

This patch integrates Fetch Metadata processing into Fetch's "main
fetch" algorithm, and defines a "user activation flag" on requests that
will be populated during HTML's "process a navigate fetch" algorithm.

Closes #885.
@mikewest
Copy link
Member Author

As discussed on public-webappsec@. WDYT, @annevk?

fetch.bs Outdated Show resolved Hide resolved
@mikewest
Copy link
Member Author

Coming back to this as a prereq to whatwg/html#5203.

WDYT?

Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As Yoav once discovered, this does not work. As https://fetch.spec.whatwg.org/#cors-unsafe-request-header-names is currently invoked, setting Sec- headers before the network layer forces a preflight. We'd have to add an exception there (or its caller).

I think there is agreement that adding an exception is fine, provided the Sec- headers have reasonable restrictions on length and attacker-controlled data. (Perhaps we ought to document that in the process of enshrining this exception.)

fetch.bs Outdated Show resolved Hide resolved
@mikewest
Copy link
Member Author

As Yoav once discovered, this does not work. As https://fetch.spec.whatwg.org/#cors-unsafe-request-header-names is currently invoked, setting Sec- headers before the network layer forces a preflight. We'd have to add an exception there (or its caller).

Would you like me to put these headers specifically into https://fetch.spec.whatwg.org/#cors-safelisted-request-header? Or would you like us to work out a Sec-* carveout generally?

@annevk
Copy link
Member

annevk commented Feb 11, 2020

I think we should carve it out generically, right?

Now actually copying @yoavweiss so he can share any thoughts as to why carving out Sec- generically might be bad.

@mikewest
Copy link
Member Author

mikewest commented Feb 14, 2020

Would you like me to carve it out generically in this CL, or in a separate patch? Probably the latter, right? #1000

@annevk
Copy link
Member

annevk commented Feb 18, 2020

This also does not address w3c/webappsec-fetch-metadata#29 as far as I can tell. We need a solution for that.

Also, w3c/webappsec-fetch-metadata#38 changed right as this PR would expose them to service workers?

Could you maybe do another triage round so I know what upstream issues might end up impacting Fetch still?

Base automatically changed from master to main January 15, 2021 07:38
@mikewest
Copy link
Member Author

mikewest commented Mar 2, 2021

I merged the last few months of changes in f780097, and moved the integration out of "main fetch" and into "HTTP-network-or-cache" fetch in 58d9d18. I believe that addresses the following concerns:

I've skimmed very quickly through other bugs, but nothing other than whatwg/html#5203 jumps out at me as needing to be resolved before landing this integration. I'll try to label things accordingly if I can find some time.

WDYT?

Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for getting around to updating this. The plan looks good to me, I only have nits.

fetch.bs Outdated Show resolved Hide resolved
fetch.bs Outdated Show resolved Hide resolved
@annevk
Copy link
Member

annevk commented Mar 2, 2021

I've also added the pull request template to OP as this is a normative change. Mainly so we can find tests and bugs later. I think this has support from Chrome/Firefox.

Maybe @youennf can weigh in for Safari?

Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah this looks good, thanks.

mikewest added a commit to w3c/webappsec-fetch-metadata that referenced this pull request Mar 2, 2021
@mikewest
Copy link
Member Author

mikewest commented Mar 2, 2021

Updated dependent PRs and specs, and filled out the template above.

chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Mar 2, 2021
As requested in whatwg/fetch#993.

Change-Id: Ie6096154ad9f6af73e2c26e0bb0c8f72a2a7a99a
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Mar 2, 2021
As requested in whatwg/fetch#993.

Change-Id: Ie6096154ad9f6af73e2c26e0bb0c8f72a2a7a99a
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Mar 3, 2021
As requested in whatwg/fetch#993.

Change-Id: Ie6096154ad9f6af73e2c26e0bb0c8f72a2a7a99a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2727263
Reviewed-by: Matt Falkenhagen <[email protected]>
Commit-Queue: Mike West <[email protected]>
Cr-Commit-Position: refs/heads/master@{#859345}
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Mar 3, 2021
As requested in whatwg/fetch#993.

Change-Id: Ie6096154ad9f6af73e2c26e0bb0c8f72a2a7a99a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2727263
Reviewed-by: Matt Falkenhagen <[email protected]>
Commit-Queue: Mike West <[email protected]>
Cr-Commit-Position: refs/heads/master@{#859345}
blueboxd pushed a commit to blueboxd/chromium-legacy that referenced this pull request Mar 3, 2021
As requested in whatwg/fetch#993.

Change-Id: Ie6096154ad9f6af73e2c26e0bb0c8f72a2a7a99a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2727263
Reviewed-by: Matt Falkenhagen <[email protected]>
Commit-Queue: Mike West <[email protected]>
Cr-Commit-Position: refs/heads/master@{#859345}
@annevk annevk merged commit 51a664d into main Mar 4, 2021
@annevk annevk deleted the fetch-metadata branch March 4, 2021 08:19
@annevk
Copy link
Member

annevk commented Mar 4, 2021

Thanks @mikewest!

@annevk
Copy link
Member

annevk commented Mar 4, 2021

Unfortunately, I just realized I forgot to note whatwg/html#5203 in the commit message. Oh well.

annevk pushed a commit to whatwg/html that referenced this pull request Mar 4, 2021
In order to support Fetch Metadata Request Headers's Sec-Fetch-User header, this sets navigation request's user-activation if the navigation is triggered while the source browsing context has transient activation.

See also whatwg/fetch#993.
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this pull request Mar 15, 2021
…ible in service workers., a=testonly

Automatic update from web-platform-tests
WPT: `Sec-Fetch-*` headers aren't accessible in service workers.

As requested in whatwg/fetch#993.

Change-Id: Ie6096154ad9f6af73e2c26e0bb0c8f72a2a7a99a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2727263
Reviewed-by: Matt Falkenhagen <[email protected]>
Commit-Queue: Mike West <[email protected]>
Cr-Commit-Position: refs/heads/master@{#859345}

--

wpt-commits: df6a144d964283f2929eeb937af2806d9aafec62
wpt-pr: 27857
gecko-dev-updater pushed a commit to marco-c/gecko-dev-comments-removed that referenced this pull request Mar 15, 2021
…ible in service workers., a=testonly

Automatic update from web-platform-tests
WPT: `Sec-Fetch-*` headers aren't accessible in service workers.

As requested in whatwg/fetch#993.

Change-Id: Ie6096154ad9f6af73e2c26e0bb0c8f72a2a7a99a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2727263
Reviewed-by: Matt Falkenhagen <falkenchromium.org>
Commit-Queue: Mike West <mkwstchromium.org>
Cr-Commit-Position: refs/heads/master{#859345}

--

wpt-commits: df6a144d964283f2929eeb937af2806d9aafec62
wpt-pr: 27857

UltraBlame original commit: cc8aa5885f9fc1c5d8b014047501861d5af169e6
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified that referenced this pull request Mar 15, 2021
…ible in service workers., a=testonly

Automatic update from web-platform-tests
WPT: `Sec-Fetch-*` headers aren't accessible in service workers.

As requested in whatwg/fetch#993.

Change-Id: Ie6096154ad9f6af73e2c26e0bb0c8f72a2a7a99a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2727263
Reviewed-by: Matt Falkenhagen <falkenchromium.org>
Commit-Queue: Mike West <mkwstchromium.org>
Cr-Commit-Position: refs/heads/master{#859345}

--

wpt-commits: df6a144d964283f2929eeb937af2806d9aafec62
wpt-pr: 27857

UltraBlame original commit: cc8aa5885f9fc1c5d8b014047501861d5af169e6
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified-and-comments-removed that referenced this pull request Mar 15, 2021
…ible in service workers., a=testonly

Automatic update from web-platform-tests
WPT: `Sec-Fetch-*` headers aren't accessible in service workers.

As requested in whatwg/fetch#993.

Change-Id: Ie6096154ad9f6af73e2c26e0bb0c8f72a2a7a99a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2727263
Reviewed-by: Matt Falkenhagen <falkenchromium.org>
Commit-Queue: Mike West <mkwstchromium.org>
Cr-Commit-Position: refs/heads/master{#859345}

--

wpt-commits: df6a144d964283f2929eeb937af2806d9aafec62
wpt-pr: 27857

UltraBlame original commit: cc8aa5885f9fc1c5d8b014047501861d5af169e6
mikewest added a commit to w3c/webappsec-fetch-metadata that referenced this pull request Jul 13, 2021
After whatwg/fetch#948,
whatwg/fetch#993, and
whatwg/html#5203, the integration with Fetch and
HTML is complete. This patch points to those integration points rather
than claiming that there's still work to be done.

Closes #73.
mikewest added a commit to w3c/webappsec-fetch-metadata that referenced this pull request Jul 20, 2021
After whatwg/fetch#948,
whatwg/fetch#993, and
whatwg/html#5203, the integration with Fetch and
HTML is complete. This patch points to those integration points rather
than claiming that there's still work to be done.

Closes #73.
mjfroman pushed a commit to mjfroman/moz-libwebrtc-third-party that referenced this pull request Oct 14, 2022
As requested in whatwg/fetch#993.

Change-Id: Ie6096154ad9f6af73e2c26e0bb0c8f72a2a7a99a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2727263
Reviewed-by: Matt Falkenhagen <[email protected]>
Commit-Queue: Mike West <[email protected]>
Cr-Commit-Position: refs/heads/master@{#859345}
GitOrigin-RevId: 371392c37dfd0b6830aba1b3648dbfcaab5ff1af
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

Consider supporting Fetch Metadata.
3 participants