WICG / private-network-access

https://wicg.github.io/private-network-access/

Any interest in formalizing "Secure context restriction" in Fetch? #95

Open annevk opened 1 year ago

annevk commented 1 year ago

I believe Chrome has shipped an implementation of https://wicg.github.io/private-network-access/#secure-context-restriction and WebKit is interested in it. That combination suffices for a Fetch PR.

I think that would be a nice starting point as it gives us some of the underlying infrastructure needed for the remainder of the specification as well, while not being so big that it gets unwieldy.

I think #91 is a blocker for this, but fortunately that's editorial. Didn't spot anything else based on a quick skim.

Thoughts?

johnathan79717 commented 1 year ago

#94 could be a blocker too as Chrome still needs to ship that before getting rid of the deprecation trial.

letitz commented 1 year ago

Yes, the spec currently does not mention the permission prompt, but we've found while trying to roll the secure context restriction out that it causes too much breakage on its own. Some kind of release valve is needed. We propose a new API that allows secure contexts to make requests over plaintext to the local network, bypassing mixed content given explicit user permission.

Beyond that, yes! I am very interested in formalizing this in Fetch.

letitz commented 1 year ago

Status here is still that #94 should be merged before we start writing a Fetch PR.