Does any of this require CORS-with-forced-preflight? - Githubissues

yutakahirano / fetch-with-streams

Fetch API integrated with Streams.

66 stars 8 forks source link

Does any of this require CORS-with-forced-preflight? #10

Closed annevk closed 7 years ago

annevk commented 9 years ago

Since this allows inspection of how fast a body is transmitted to the server, should this require a preflight just like we do in XMLHttpRequest for progress events?

yutakahirano commented 9 years ago

I overlooked this ticked, sorry. You're right. I'll fix that.

yutakahirano commented 9 years ago

A BodyStreamInit is given and mode is _sameorigin => Set mode to _sameorigin
A BodyStreamInit is given and mode is CORS => Set mode to CORS-with-forced-preflight
A BodyStreamInit is given and mode is CORS-with-forced-preflight => Set mode to CORS-with-forced-preflight

What should we do when mode is no CORS? Failing the operation seems reasonable to me.

annevk commented 9 years ago

Failing sounds fine, yes. There's no need to set mode btw if we don't want to change it, I would only create branches for the cases where we anticipate a change.

yutakahirano commented 9 years ago

Created a change: https://github.com/yutakahirano/fetch-with-streams/tree/28271acbfaaf1fd2f2ad4f19c8f3cf143298b90a Can you take a look at it?

yutakahirano commented 9 years ago

@annevk ping

annevk commented 9 years ago

Sorry. Request class modifications look okay. Independent security review is also required but I guess that'll happen as part of landing the code in browsers.

yutakahirano commented 9 years ago

Thanks, merged.

yutakahirano commented 9 years ago

Reopen this issue because WritableStream is dropped from the draft on https://github.com/yutakahirano/fetch-with-streams/commit/b32685d450ead1046be17afcdddfb9d299dca9fb. I will fix it again in the future.

domenic commented 7 years ago

It sounds like this means uploading a request body would require a forced preflight?

annevk commented 7 years ago

That is the question. There's two parts to this. 1) Due to us using streams, you can discover much more about the server than if you transmit a single ArrayBuffer object. 2) Thus far browsers have never used chunked encoding for uploads. Using that could be a vulnerability of sorts by itself.

Curious to see what @dveditz, @mikewest et al think. Obviously not doing a preflight would be much more desirable. (On the other hand, if we get origin-wide preflights it might not be that big of a deal.)

mikewest commented 7 years ago

Erring on the side of caution seems reasonable; I haven't looked at the spec, but based on the comment above (https://github.com/yutakahirano/fetch-with-streams/issues/10#issuecomment-68989993), it seems like the right balance.

(I agree, by the way, that giving servers the ability to opt-into certain kinds of preflightless requests on an origin-wide basis makes it less painful to require them for new features. That tips the balance further towards conservationism...)