Closed annevk closed 7 years ago
I overlooked this ticked, sorry. You're right. I'll fix that.
What should we do when mode is no CORS? Failing the operation seems reasonable to me.
Failing sounds fine, yes. There's no need to set mode btw if we don't want to change it, I would only create branches for the cases where we anticipate a change.
Created a change: https://github.com/yutakahirano/fetch-with-streams/tree/28271acbfaaf1fd2f2ad4f19c8f3cf143298b90a Can you take a look at it?
@annevk ping
Sorry. Request class modifications look okay. Independent security review is also required but I guess that'll happen as part of landing the code in browsers.
Thanks, merged.
Reopen this issue because WritableStream is dropped from the draft on https://github.com/yutakahirano/fetch-with-streams/commit/b32685d450ead1046be17afcdddfb9d299dca9fb. I will fix it again in the future.
It sounds like this means uploading a request body would require a forced preflight?
That is the question. There's two parts to this. 1) Due to us using streams, you can discover much more about the server than if you transmit a single ArrayBuffer
object. 2) Thus far browsers have never used chunked encoding for uploads. Using that could be a vulnerability of sorts by itself.
Curious to see what @dveditz, @mikewest et al think. Obviously not doing a preflight would be much more desirable. (On the other hand, if we get origin-wide preflights it might not be that big of a deal.)
Erring on the side of caution seems reasonable; I haven't looked at the spec, but based on the comment above (https://github.com/yutakahirano/fetch-with-streams/issues/10#issuecomment-68989993), it seems like the right balance.
(I agree, by the way, that giving servers the ability to opt-into certain kinds of preflightless requests on an origin-wide basis makes it less painful to require them for new features. That tips the balance further towards conservationism...)
Since this allows inspection of how fast a body is transmitted to the server, should this require a preflight just like we do in XMLHttpRequest for progress events?