Open Lubrsi opened 1 year ago
This is https://github.com/whatwg/fetch/issues/1512.
There's another aspect here though that I forgot about. Response's status will be masked as well. So even if we modify Fetch to hand HTML the full response, it would still have to dig into the internal response to get the status out.
https://html.spec.whatwg.org/multipage/semantics.html#fetching-and-processing-a-resource-from-a-link-element:concept-fetch
CORS cross-origin responses in the No CORS request mode provide an opaque filtered response, which is the original response with certain attributes removed/changed.
The relevant effect it has is setting the body to null, which means body_bytes is
null
in the processResponseConsumeBody callback. This effectively disables cross-origin linked resources (e.g. stylesheets).However, the web actually depends on this, especially for stylesheets retrieved from a cross-origin CDN. For example, Shopify websites request stylesheets from cdn.shopify.com and Substack websites request stylesheets from substackcdn.com.
We worked around this in LibWeb here: https://github.com/SerenityOS/serenity/pull/17997
The workaround is to read the actual body from the unfiltered response and then call process_linked_resource from there.
This should be safe to do, as linked resource fetches do not include credentials (i.e. cookies and the Authorization header), so it cannot provide personalized responses.
We first spotted this with
https://twinings.co.uk/
, which is a Shopify website requesting stylesheets fromhttps://cdn.shopify.com