w3c / webappsec-mixed-content

WebAppSec Mixed Content
https://w3c.github.io/webappsec-mixed-content/

Clarify the fetch integration points #2

Closed wseltzer closed 8 years ago

wseltzer commented 8 years ago

Instead of reference to "Step 4" and "Step 7" of Fetch, can we be more specific about the timing (e.g., before, rather than during) and purpose of those steps?

(lines 511-529)

Fetch calls the algorithm defined in [[#should-block-fetch]] during Step 4 of the Fetching algorithm [[!FETCH]] in order to block network traffic to URLs which are not a priori authenticated.

Note: Hooking into Fetch here ensures that we catch not only the initial request, but all redirects as well.

Further, Fetch calls the algorithm defined in [[#should-block-response]] during Step 7 of the Fetching algorithm [[!FETCH]] in order to block unauthenticated responses.

Note: This hook is necessary to detect resources modified or synthesized by a ServiceWorker, as well as to determine whether a response is unauthenticated once the TLS-handshake has finished. See steps 4.1 and 4.2 of the algorithm defined in [[#should-block-response]] for detail.
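To make the two integration points concrete, here is an added toy model (not the spec's text or any browser's code) of a fetch loop with both hooks: the request-time check is re-run on every redirect target, and the response-time check catches a body a ServiceWorker synthesized from an unauthenticated URL, or a failed TLS handshake. It assumes the requesting document is a secure context and uses a simplified list of a priori authenticated schemes; the network and ServiceWorker are constructed stand-ins.

```python
from urllib.parse import urlparse

# Simplified stand-in for the spec's "a priori authenticated URL" (assumption).
A_PRIORI_AUTHENTICATED_SCHEMES = {"https", "wss", "data", "about", "blob", "file"}

def is_a_priori_authenticated(url: str) -> bool:
    return urlparse(url).scheme in A_PRIORI_AUTHENTICATED_SCHEMES

def should_block_fetch(request_url: str) -> bool:
    """Request-time hook (Fetch Step 4): runs before any network traffic."""
    return not is_a_priori_authenticated(request_url)

def should_block_response(response_url: str, tls_ok: bool) -> bool:
    """Response-time hook (Fetch Step 7): sees the URL the body actually came
    from (possibly rewritten by a ServiceWorker) and the TLS outcome."""
    return (not is_a_priori_authenticated(response_url)) or (not tls_ok)

def fetch(url, network, service_worker=None, max_redirects=5):
    """Toy fetch: ('ok', final_url) or ('blocked', stage, url)."""
    for _ in range(max_redirects):
        if should_block_fetch(url):
            return ("blocked", "request", url)
        # A ServiceWorker may answer for any URL with any response it likes.
        resp = service_worker(url) if service_worker else network[url]
        if "redirect" in resp:
            url = resp["redirect"]      # re-enter: hook 1 runs on the new URL
            continue
        if should_block_response(resp["url"], resp.get("tls_ok", True)):
            return ("blocked", "response", resp["url"])
        return ("ok", resp["url"])
    return ("blocked", "too-many-redirects", url)

# Constructed sample network: a redirect that downgrades to http, a plain
# https resource, and an https host whose TLS handshake failed.
NETWORK = {
    "https://a.example/img": {"redirect": "http://a.example/img"},
    "https://b.example/ok": {"url": "https://b.example/ok", "tls_ok": True},
    "https://c.example/bad-tls": {"url": "https://c.example/bad-tls", "tls_ok": False},
}

def SW(url):
    """Constructed ServiceWorker: serves an http-origin body for an https request."""
    return {"url": "http://cdn.example/x", "tls_ok": True}
```

Only the redirect case is caught by the first hook; the ServiceWorker and TLS cases pass it and are stopped by the second.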

wseltzer commented 8 years ago

ping @mikewest