--
Bacek
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/99471467262546%40webcorp01e.yandex-team.ru.
One thing I wonder is if it would be worth trying to implement SDCHx using a service worker. There's a lot of complexity to this concept -- cross origin access, pattern matching, allowing a website to remotely delete things from the cache. The main advantage of a native implementation seems like the native implementation of VCDIFF, but vcdiff decoding is fairly efficient. Even if it can't be done in raw JS specing out a VCDIFF api seems much more contained than specing out SDCH. This would allow sophisticated sites like Yandex, Google and Facebook to experiment with the right API for SDCH. Eventually the client/server interface could be standardized (advanced users might always roll their own).
I'm supportive of scrapping SDCH as-is, and fixing the failings of the spec, but I'm not responsible for any servers that currently use SDCH, or any servers at all, for that matter.Some initial questions about the spec:* If we get a 200 response (as opposed to 242) with "Content-Encoding: sdchx", what do we do?
* Should "privacy mode" requests (i.e. anonymous, non-CORS, cookiieless, whatever) also send CORS preflight requests? I assume not, but that they should also send Cookieless dictionary requests? They currently do send cookies with dictionary requests, which is probably a bug.
* Is this over SSL only?
Also, it's my understanding that the vcdiff library we're using is currently unsupported. Have you thought at all about what to do about this? Not trying to put you on a spot here, it's just an issue that always comes up in our offline discussions of the status of SDCH.
Hello.01.07.2016, 01:55, "Matt Menke" <mme...@chromium.org>:
* Is this over SSL only?
Not necessary. Unfortunately "secure channel" won't prevent some crazy MitM proxies from breaking stuff. We had problems with KIS. Some large organisations install company-wide proxy with decoding all traffic, etc.
Hello.
01.07.2016, 01:55, "Matt Menke" <mme...@chromium.org>:I'm supportive of scrapping SDCH as-is, and fixing the failings of the spec, but I'm not responsible for any servers that currently use SDCH, or any servers at all, for that matter.Some initial questions about the spec:* If we get a 200 response (as opposed to 242) with "Content-Encoding: sdchx", what do we do?I think it should be treated as proxy error with blacklisting SDCH for session. Similar to current "x-sdch-encoded: 0" handling.
Hey,Really excited about this work. I think being able to use a response as a dictionary opens up a lot of powerful options.
Something I see being a bit tricky here is using related-pattern. A big use case for us at FB is diffing versions of static resources. For example, we might have a resource like https://www.facebook.com/rsrc.php/v2imYJ4/yR/l/en_US/T-z4odqlBJu.js. The next week that URL might change completely when we update some files. It may be tricky for sites with a scheme like this to ensure that their path structure leads to patterns that advertise a reasonable number of dictionaries. It also might be valuable to allow a
server to use two dictionaries in a response (say you have a large dictionary that changes infrequently and a smaller more frequently updating dictionary).
One thing I wonder is if it would be worth trying to implement SDCHx using a service worker. There's a lot of complexity to this concept -- cross origin access, pattern matching, allowing a website to remotely delete things from the cache. The main advantage of a native implementation seems like the native implementation of VCDIFF, but vcdiff decoding is fairly efficient. Even if it can't be done in raw JS specing out a VCDIFF api seems much more contained than specing out SDCH. This would allow sophisticated sites like Yandex, Google and Facebook to experiment with the right API for SDCH. Eventually the client/server interface could be standardized (advanced users might always roll their own).-b
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CAEK7mvoXvTM%2B5gPn8SvnmO8iDRrTLDDgg6eUdoNMbW96wRkb%3DQ%40mail.gmail.com.
Something I see being a bit tricky here is using related-pattern. A big use case for us at FB is diffing versions of static resources. For example, we might have a resource like https://www.facebook.com/rsrc.php/v2imYJ4/yR/l/en_US/T-z4odqlBJu.js. The next week that URL might change completely when we update some files. It may be tricky for sites with a scheme like this to ensure that their path structure leads to patterns that advertise a reasonable number of dictionaries. It also might be valuable to allow aI can't offer any good solution for that type of url structure apart from using "www.facebook.com/" as related-pattern and select proper dictionary on server. We have similar problem at Yandex for some extent.
server to use two dictionaries in a response (say you have a large dictionary that changes infrequently and a smaller more frequently updating dictionary).Interestingly we had discussions about "combined dictionaries" internally. I'm slightly oppose of this idea. Mainly because it can complicate spec, client code, server side, etc. It also can increase memory usage on both clients and server which can be a road block of rolling it out. However! We do have extensibility built-in in protocol and use of combined dictionaries can look like this:GET /some/semi/changing/resource HTTP/1.1Accept-Encoding: br, sdchxSDCHx-Features: encoding=vcdiff; combined-dictionaries;SDCHx-Avail-Dictionary: <id1>, <id2>, <id3>HTTP 242 Delta EncodedContent-Encoding: sdchx, brSDCHx-Algo: vcdiffSDCHx-Used-Dictionary-Id: <id1>SDCHx-Used-Dictionary-Id: <id3>In this exchange client notifies server about "combined dictionary" support. Server detects it and chooses to combine dictionaries <id1> and <id3> for encoding. Client build combined dictionary based on "SDCHx-Used-Dictionary-Id" list and uses it for decoding.This will allow deploy this feature on subset of clients. E.g. with experiment-per-platform. Or client can decide to use it based on workload (and available resources e.g. memory).
One thing I wonder is if it would be worth trying to implement SDCHx using a service worker. There's a lot of complexity to this concept -- cross origin access, pattern matching, allowing a website to remotely delete things from the cache. The main advantage of a native implementation seems like the native implementation of VCDIFF, but vcdiff decoding is fairly efficient. Even if it can't be done in raw JS specing out a VCDIFF api seems much more contained than specing out SDCH. This would allow sophisticated sites like Yandex, Google and Facebook to experiment with the right API for SDCH. Eventually the client/server interface could be standardized (advanced users might always roll their own).-bUnfortunately I know almost nothing about Service Workers capabilities. But if it's possible to implement sdchx using Service Workers I'm all in. Quick search found https://github.com/plotnikoff/vcdiff.js vcdiff encoding/decoding library in pure javascript. It's not complete (e.g. there is no Adler checksum) but looks like a good start.
On Thu, Jun 30, 2016 at 5:50 PM, Vasily Chekalkin <ba...@yandex-team.ru> wrote:Hello.01.07.2016, 01:55, "Matt Menke" <mme...@chromium.org>:I'm supportive of scrapping SDCH as-is, and fixing the failings of the spec, but I'm not responsible for any servers that currently use SDCH, or any servers at all, for that matter.Some initial questions about the spec:* If we get a 200 response (as opposed to 242) with "Content-Encoding: sdchx", what do we do?I think it should be treated as proxy error with blacklisting SDCH for session. Similar to current "x-sdch-encoded: 0" handling.And for the request with the weird response itself? Just display a network error page, and let the user reload? The meta-reload hack is really weird. We could do something more sane, like re-send the original request, but I'm not sure we want to do that, without user consent.
On Thu, Jun 30, 2016 at 3:40 PM, Vasily Chekalkin <ba...@yandex-team.ru> wrote:Something I see being a bit tricky here is using related-pattern. A big use case for us at FB is diffing versions of static resources. For example, we might have a resource like https://www.facebook.com/rsrc.php/v2imYJ4/yR/l/en_US/T-z4odqlBJu.js. The next week that URL might change completely when we update some files. It may be tricky for sites with a scheme like this to ensure that their path structure leads to patterns that advertise a reasonable number of dictionaries. It also might be valuable to allow aI can't offer any good solution for that type of url structure apart from using "www.facebook.com/" as related-pattern and select proper dictionary on server. We have similar problem at Yandex for some extent.FWIW this is why I think SW is a strength -- it lets the site implement any algorithm it chooses. For example, maybe we send a X-SDCHx-Tag with every JS/CSS file and then have a dictionary that says "file X is likely to match things with tags A or B".
server to use two dictionaries in a response (say you have a large dictionary that changes infrequently and a smaller more frequently updating dictionary).Interestingly we had discussions about "combined dictionaries" internally. I'm slightly oppose of this idea. Mainly because it can complicate spec, client code, server side, etc. It also can increase memory usage on both clients and server which can be a road block of rolling it out. However! We do have extensibility built-in in protocol and use of combined dictionaries can look like this:GET /some/semi/changing/resource HTTP/1.1Accept-Encoding: br, sdchxSDCHx-Features: encoding=vcdiff; combined-dictionaries;SDCHx-Avail-Dictionary: <id1>, <id2>, <id3>HTTP 242 Delta EncodedContent-Encoding: sdchx, brSDCHx-Algo: vcdiffSDCHx-Used-Dictionary-Id: <id1>SDCHx-Used-Dictionary-Id: <id3>In this exchange client notifies server about "combined dictionary" support. Server detects it and chooses to combine dictionaries <id1> and <id3> for encoding. Client build combined dictionary based on "SDCHx-Used-Dictionary-Id" list and uses it for decoding.This will allow deploy this feature on subset of clients. E.g. with experiment-per-platform. Or client can decide to use it based on workload (and available resources e.g. memory).We'd probably use this for the use case of JS/CSS (for example if we decided to combine two packages together we might want to do a diff from both of them).
One thing I wonder is if it would be worth trying to implement SDCHx using a service worker. There's a lot of complexity to this concept -- cross origin access, pattern matching, allowing a website to remotely delete things from the cache. The main advantage of a native implementation seems like the native implementation of VCDIFF, but vcdiff decoding is fairly efficient. Even if it can't be done in raw JS specing out a VCDIFF api seems much more contained than specing out SDCH. This would allow sophisticated sites like Yandex, Google and Facebook to experiment with the right API for SDCH. Eventually the client/server interface could be standardized (advanced users might always roll their own).-bUnfortunately I know almost nothing about Service Workers capabilities. But if it's possible to implement sdchx using Service Workers I'm all in. Quick search found https://github.com/plotnikoff/vcdiff.js vcdiff encoding/decoding library in pure javascript. It's not complete (e.g. there is no Adler checksum) but looks like a good start.In theory it should be totally possible to implement sdch in SW. It gives you enough control over the cache, etc to implement it.
FWIW this is why I think SW is a strength -- it lets the site implement any algorithm it chooses. For example, maybe we send a X-SDCHx-Tag with every JS/CSS file and then have a dictionary that says "file X is likely to match things with tags A or B".Erm. Can you explain more? I don't really understand how SDCHx-Tag can apply.
Related pattern might still be needed for things like HTML where you can't easily specify a tag. But tags provide more flexibility when the path might not be helpful in figuring out the exact content match.
--
Bacek
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/99471467262546%40webcorp01e.yandex-team.ru.
I'm excited about this work, and would be happy to see a new spec developed remedying some of the flaws of the current spec. There's a fair amount in here that I don't feel competent to comment on (like RFC 3229; that's a very old spec that I haven't heard of being implemented, which makes me worried it's got problems--what's its current status?), but a couple of points/questions:
* This should be shared with the Google group for SDCH spec discussions (cc'd :-}).* I'm no expert on CORS, but it looks to me as if there's an ambiguity in how Access-Control-Allow-Origin is being used (in Response 1) as to whether it applies to the response body (unencoded and being returned) or the dictionary listed in the Get-Dictionary header. I'd naively expect it to apply to the response body; it seems weird to hijack it for the dictionary header. Maybe it should be in the Response 2 headers?
* From an implementation POV I think Chromium would be uncomfortable relying on an unsupported open source library (yes, we're currently doing it, but it's a part of why there's been less than full excitement coming from this direction about SDCH). If a security bug comes up, there's no guarantee that it'll be noticed or patched quickly. So it's an implementation issue, but the lack of current support for openvcdiff is a problem in that space.
* If we're seriously thinking of using arbitrary resources as dictionaries, I think we should work out how a couple of examples would most naturally be implemented and make sure we're not specing ourselves into an implementation corner. I'm specifically concerned about a) encoding a URL response with the contents of the previous URL response, and b) a proliferation of data structures with memory costs in the client (or server :-}) because of a semi-arbitrary use of resources as dictionaries. Both client and server have full control over what they advertise, so it wouldn't be a problem building spec-compliant clients & servers, but it might be a disappointment if a server implemented this in order to support some particular usage model, and clients avoided it like the plague because of implementation complexity.
--
You received this message because you are subscribed to the Google Groups "SDCH" group.
To unsubscribe from this group and stop receiving emails from it, send an email to SDCH+uns...@googlegroups.com.
To post to this group, send email to SD...@googlegroups.com.
Visit this group at https://groups.google.com/group/SDCH.
For more options, visit https://groups.google.com/d/optout.
* In past discussions, the primary thing that I wanted to avoid was a distinct dictionary download, that any resource could be declared as a "possible future dictionary". The current SDCH spec made this impossible.
* I'd be happier if dictionaries were like other resources and a "Remove Dictionary" did not exist.
* The original implementation of SDCH in Chrome is very specialized to its original use case (hard limit on dictionary sizes, dictionaries were loaded early into memory and pinned there, etc). I wasn't clear on what if any changes would be reasonably be accepted and if there was any future in SDCH at all.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/396231468014201%40webcorp01d.yandex-team.ru.
One issue I haven't seen raised: CORS is a web platform feature (And so implemented way above net/, and only defined relative to HTML/DOM objects, and their relationships to each other), which SDCH is an HTTP-layer feature (And so implemented mostly within net/). It seems strange to bring duplicated CORS-like behavior down into the network stack, which has no notion of same-site and cross-site requests.
On Mon, Jul 11, 2016 at 10:51 AM, Matt Menke <mme...@chromium.org> wrote:One issue I haven't seen raised: CORS is a web platform feature (And so implemented way above net/, and only defined relative to HTML/DOM objects, and their relationships to each other), which SDCH is an HTTP-layer feature (And so implemented mostly within net/). It seems strange to bring duplicated CORS-like behavior down into the network stack, which has no notion of same-site and cross-site requests.I'm not sure the position you're taking here, Matt.Are you saying that SDCHx should not be explained in terms of Fetch semantics (because Fetch is above //net)? Or that we shouldn't implement a duplicate pseudo-Fetch scheme?I wholeheartedly agree that we should not duplicate a pseudo-Fetch scheme, if that is the position. Further, if we cannot explain SDCHx in terms of Fetch, then it creates a system where a Service Worker necessarily could not polyfill any SDCH semantics, because a Service Worker will be confined to Fetch semantics, and they're necessarily less-capable than "raw" requests - on the basis of security.
I think there's also a general zeitgeist that we should not be introducing new Web request mechanisms that cannot be explained, in some way, via Fetch, due to the implications in reasoning about the security model and interaction model with the rest of the Web platform.
This highlights a tension between "Is SDCHx a network-level feature (like HTTP) or a web platform feature (like, say, network error logging)". I'm wholly sympathetic to the argument that there are and will be non-browser implementations of SDCHx, and so Fetch is not relevant to them. However, I think it's a fairly hard MUST that any browser-based implementation of SDCHx can be expressed or implemented in terms of Fetch, and so if the spec goes a non-Fetch route, then it MUST have sufficient hooks to be implemented via Fetch.
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CACvaWvYu4exdOnF-o%3D7EBfkwhq9b-iL6N5hP-y9r63sF__tQnw%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "net-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to net-dev+u...@chromium.org.
To post to this group, send email to net...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/net-dev/CACvaWvYu4exdOnF-o%3D7EBfkwhq9b-iL6N5hP-y9r63sF__tQnw%40mail.gmail.com.
My concern is that Content-Encoding/decoding is part of HTTP semantics, and now we're trying to bring non-HTTP behavior to it.
What does this mean in the case of Cronet, for instance, which just issues HTTP requests divorced from any HTML/Javascript/DOM?
In some cases, hosting web platform behavior, or subsets of it, up into HTTP can make some sense (Like Referrer-Policy, for redirects), but in others, like this one, it's more confusing - what is a CORS request, what isn't? net/ doesn't even have any concept of it. It does have some rather disturbing logic about magically using another socket pool when it sets PRIVACY_MODE_ENABLED to true, but it's a mistake to think this has any relationship to CORS - requests that send cookies but do not set them, for instance, enables this bit. Building on top of something that's already broken just leads to more problems down the line.
I think there's also a general zeitgeist that we should not be introducing new Web request mechanisms that cannot be explained, in some way, via Fetch, due to the implications in reasoning about the security model and interaction model with the rest of the Web platform.It can't be explained via Fetch, for the simple reason that what the browser does in the case of "Content-Encoding: sdch, gzip" is not well defined, in the case the browser supports gzip, but not sdch (Or at least behavior is not defined to the extent of my knowledge. Skimming over the Fetch spec, I'm having trouble finding anything about decoding of the body). That would also lead to quite a few problems with trying to implement this via Service Worker.
On Mon, Jul 11, 2016 at 11:39 AM, Matt Menke <mme...@chromium.org> wrote:My concern is that Content-Encoding/decoding is part of HTTP semantics, and now we're trying to bring non-HTTP behavior to it.I don't think I'd agree that we're binding non-HTTP behaviour.I see there being two parts to SDCHx - the processing of when a dictionary is available, and obtaining a dictionary when advertised. Those two are separable parts.For example, it's entirely possible to implement SDCH today w/o fetching the dictionaries, if an application (such as Cronet) were to ship "prebuilt" dictionaries. A browser would, presumably, not do this, but there's nothing preventing non-browser clients from optimizing like this, particularly in situations where the dictionary may not change often. It's indistinguishable from "preloading" the HTTP cache, if that helps to think of it.I was simply suggesting that the SDCHx processing model (that is, things like the actual decoding) be separate from the "Go get new dictionaries". The "Go get new dictionaries" necessarily MUST be compatible with the Web Platform model - I cannot see us shipping a new feature in a browser that doesn't abide by the basics of request security - we've seen too many problems from that (as in the case of plugins, for example).
What does this mean in the case of Cronet, for instance, which just issues HTTP requests divorced from any HTML/Javascript/DOM?I thought I already addressed this in my reply.
In some cases, hosting web platform behavior, or subsets of it, up into HTTP can make some sense (Like Referrer-Policy, for redirects), but in others, like this one, it's more confusing - what is a CORS request, what isn't? net/ doesn't even have any concept of it. It does have some rather disturbing logic about magically using another socket pool when it sets PRIVACY_MODE_ENABLED to true, but it's a mistake to think this has any relationship to CORS - requests that send cookies but do not set them, for instance, enables this bit. Building on top of something that's already broken just leads to more problems down the line.I'm not sure what you're considering the thing "that's already broken", but I feel this is a bit of a non-sequitor. Perhaps I've misunderstood your concern.
I think there's also a general zeitgeist that we should not be introducing new Web request mechanisms that cannot be explained, in some way, via Fetch, due to the implications in reasoning about the security model and interaction model with the rest of the Web platform.It can't be explained via Fetch, for the simple reason that what the browser does in the case of "Content-Encoding: sdch, gzip" is not well defined, in the case the browser supports gzip, but not sdch (Or at least behavior is not defined to the extent of my knowledge. Skimming over the Fetch spec, I'm having trouble finding anything about decoding of the body). That would also lead to quite a few problems with trying to implement this via Service Worker.I would disagree that it *cannot* be defined.If we accept the browser supports gzip, but not SDCH, then it wouldn't have sent it in Accept-Encoding, and so such a situation would be as meaningless as "Content-Encoding: sleevi-rocks, gzip"There's no question that a Service Worker (or Fetch client) can't modify Accept-Encoding to *add* SDCH - Accept-Encoding is a forbidden header ( https://fetch.spec.whatwg.org/#forbidden-header-name ) for precisely this reason)I think you've confused what I meant by "Explained in terms of Fetch". I'm specifically speaking about any sub-resource fetches (specifically: dictionary fetches) that occur, being implemented in terms of Fetch, much like rel="preload" is a hint to load a resource, and ensuring that any scope of dictionary use abide by the SOP.
It's worth noting that cross-origin dictionaries aren't allowed (For some definition of origin that may or may not currently match the normal definition - if it doesn't, it should be fixed),
Currently, only the dictionary itself doesn't use CORS, but only requests that pass CORS logic can download/use it.
You touched on the issue's existence, but didn't seem to actually address it.
It's perhaps more of an implementation concern, but I don't believe we should be implementing anything that depends on whether a request is CORS or not in the browser process unless/until we actually have a concept of CORS there that is consistent with the concept in the renderer process. PRIVACY_MODE in no way fulfills this requirement, since it's based on the union of several flags being set, instead of their intersection.
I think I'm still confused by what you meant by "explained in terms of Fetch" (And "SDCHx can be expressed or implemented in terms of Fetch" - I think we're agreed implementation isn't possible, per Fetch spec).
Also, does your "SOP" include sending dictionary requests through ServiceWorker / AppCache?
On Mon, Jul 11, 2016 at 1:30 PM, Matt Menke <mme...@chromium.org> wrote:It's worth noting that cross-origin dictionaries aren't allowed (For some definition of origin that may or may not currently match the normal definition - if it doesn't, it should be fixed),To be explicit: It doesn't. It uses cookie's model of 'origin', which is bad, and should feel bad. Further, there was the suggestion earlier on this thread of expanding that definition, something I consider a MUST NOT.Currently, only the dictionary itself doesn't use CORS, but only requests that pass CORS logic can download/use it.That's not true, because of the above.You touched on the issue's existence, but didn't seem to actually address it.Apologies. To be explicit, I'm suggesting that if a hypothetical SDCHx spec wanted to permit Fetch to be integrated, then the method of accomodating that is to be extremely careful about prescribing the means of obtaining the dictionary resource, such that, as implemented in Web Browsers, a Web Browser could apply a Fetch-level filter.Put into different terminology, I"m suggesting it mirrors the way in which we've been trying to break the existing SDCH circular dependencies. The //net layer would report that a dictionary has been advertised, it would filter up to the higher layer to make a policy decision about whether to allow that dictionary to be fetched, and then go down.If dictionaries were truly SOP (same scheme, same host, same port) - that is, no cookies nonsense, no document.domain nonsense, a true SOP - then AIUI, the need for CORS is obviated because it's by definition no longer cross-origin.But even if the need for *CORS* is obviated, I think it's still unwise/unacceptable to have the dictionary *load* go through a separate networking stack than other subresource requests. This is what I mean by Fetch integration. An advertised SDCH dictionary should not be fetched any differently than a rel="preload" / rel="prefetch" / img src="" resource - utilizing the same behaviours, flags, controls, and interaction models.It's perhaps more of an implementation concern, but I don't believe we should be implementing anything that depends on whether a request is CORS or not in the browser process unless/until we actually have a concept of CORS there that is consistent with the concept in the renderer process. PRIVACY_MODE in no way fulfills this requirement, since it's based on the union of several flags being set, instead of their intersection.Apologies if it was not clearer, but "explaining in terms of Fetch" is more than just "use CORS".I think I'm still confused by what you meant by "explained in terms of Fetch" (And "SDCHx can be expressed or implemented in terms of Fetch" - I think we're agreed implementation isn't possible, per Fetch spec).Also, does your "SOP" include sending dictionary requests through ServiceWorker / AppCache?Yes and no. No, because that's not SOP (scheme/host/port). Yes, because that's Fetch - interacting with the same networking stack.Fetch is, roughly, the ResourceLoader layer... ish.
But I also want to be clear, since it sounds like you're in the "ServiceWorker isn't good enough for SDCH" position - the suggestion of ServiceWorker/Fetch earlier, from Ben and echo'd by myself, does not require munging about with Content-Encoding/Accept-Encoding to be able to polyfill. It's about using a Service Worker to intercept the Fetch requests and apply the necessary transforms. Such a model intrinsically limits to same-origin, due to the opaque-dataness of cross-origin requests, but that's a Good Thing(tm), because SDCH shouldn't be cross-origin.That said, we're probably at a length in the thread where there's enough miscommunication that it may be worth restarting with first principles, so we don't get too lost into the weeds and can figure out where the fundamental miscommunications are.
One issue I haven't seen raised: CORS is a web platform feature (And so implemented way above net/, and only defined relative to HTML/DOM objects, and their relationships to each other), which SDCH is an HTTP-layer feature (And so implemented mostly within net/). It seems strange to bring duplicated CORS-like behavior down into the network stack, which has no notion of same-site and cross-site requests.
You touched on the issue's existence, but didn't seem to actually address it.Apologies. To be explicit, I'm suggesting that if a hypothetical SDCHx spec wanted to permit Fetch to be integrated, then the method of accomodating that is to be extremely careful about prescribing the means of obtaining the dictionary resource, such that, as implemented in Web Browsers, a Web Browser could apply a Fetch-level filter.Put into different terminology, I"m suggesting it mirrors the way in which we've been trying to break the existing SDCH circular dependencies. The //net layer would report that a dictionary has been advertised, it would filter up to the higher layer to make a policy decision about whether to allow that dictionary to be fetched, and then go down.If dictionaries were truly SOP (same scheme, same host, same port) - that is, no cookies nonsense, no document.domain nonsense, a true SOP - then AIUI, the need for CORS is obviated because it's by definition no longer cross-origin.But even if the need for *CORS* is obviated, I think it's still unwise/unacceptable to have the dictionary *load* go through a separate networking stack than other subresource requests. This is what I mean by Fetch integration. An advertised SDCH dictionary should not be fetched any differently than a rel="preload" / rel="prefetch" / img src="" resource - utilizing the same behaviours, flags, controls, and interaction models.