This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 26735 - Reject opaque ServiceWorker responses if the original request has a mode of CORS
Summary: Reject opaque ServiceWorker responses if the original request has a mode of CORS
Status: RESOLVED FIXED
Alias: None
Product: WHATWG
Classification: Unclassified
Component: Fetch (show other bugs)
Version: unspecified
Hardware: PC All
: P2 normal
Target Milestone: Unsorted
Assignee: Anne
QA Contact: sideshowbarker+fetchspec
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-09-05 13:01 UTC by Jake Archibald
Modified: 2014-09-09 11:11 UTC (History)
2 users (show)

See Also:

Attachments

Description Jake Archibald 2014-09-05 13:01:15 UTC 
…or CORS-with-forced-preflight.

These should be treated as network failures.

This caters for opaque responses being given for XHR, <img crossorigin> etc.
Comment 1 Anne 2014-09-06 09:47:02 UTC 
So in http://fetch.spec.whatwg.org/#http-fetch we need to make step 2 more elaborate.

2. If request's skip service worker flag is unset and request's client is not a service worker environment, run these substeps: [HTML]

2.1. Set response to the result of invoking handle a fetch for request. [SW]

2.2. If either /response/'s type is opaque and request's mode is not /no CORS/ or /response/'s type is error, return a network error.
Comment 2 Takeshi Yoshino 2014-09-09 05:23:25 UTC 
Looks good.

Curious if this is a security issue or just about consistency.
Comment 3 Takeshi Yoshino 2014-09-09 07:57:21 UTC 
I asked horo@ about what opaque intended to mean for img and XHR. Now I understand the background.

It seems ideally we should just have the customer specs of the fetch to pass their privilege (XHR cannot read opaque. img can read opaque, etc.) and the fetch returns filtered data based on the privilege than allowing the customer specs to read "internal response".
Comment 4 Anne 2014-09-09 09:02:54 UTC 
(In reply to Takeshi Yoshino from comment #3)
> It seems ideally we should just have the customer specs of the fetch to pass
> their privilege (XHR cannot read opaque. img can read opaque, etc.) and the
> fetch returns filtered data based on the privilege than allowing the
> customer specs to read "internal response".

Isn't that what we are doing here? Only if <img> asks for /no CORS/ can get it get an opaque response from which it needs to obtain an internal response.

XMLHttpRequest never asks for /no CORS/ and therefore never gets an opaque response.

If that is not what you meant, could you explain what kind of model you would expect?
Comment 5 Takeshi Yoshino 2014-09-09 09:56:57 UTC 
(In reply to Anne from comment #4)
> (In reply to Takeshi Yoshino from comment #3)
> > It seems ideally we should just have the customer specs of the fetch to pass
> > their privilege (XHR cannot read opaque. img can read opaque, etc.) and the
> > fetch returns filtered data based on the privilege than allowing the
> > customer specs to read "internal response".
> 
> Isn't that what we are doing here? Only if <img> asks for /no CORS/ can get
> it get an opaque response from which it needs to obtain an internal response.

Ah, I see. The opaque feature is for hiding data of a response from JS code in SW. To do so, you tried to keep the algorithm between the response concept and the Response object. Instead of adding type==opaque check in the accessors of the Response object, you chose to have the internal response and make it available for <img>, etc. Right? It makes sense.
Comment 6 Takeshi Yoshino 2014-09-09 09:57:56 UTC 
(In reply to Takeshi Yoshino from comment #5)
> Ah, I see. The opaque feature is for hiding data of a response from JS code
> in SW. To do so, you tried to keep the algorithm between the response
> concept and the Response object. Instead of adding type==opaque check in the

s/Response object/Response object simple/
Comment 7 Anne 2014-09-09 10:20:50 UTC 
Yeah, that's the idea.