PSA: Enforce CORS in subresource SignedExchange prefetching


Kunihiko Sakamoto

Aug 8, 2022, 1:25:25 AM
to blink-dev

Contact emails

ksak...@chromium.org

Specification

https://wicg.github.io/webpackage/loading.html#mp-link-type-prefetch

Summary

Changes the request mode and credentials mode of prefetch requests used in Subresource prefetching+loading via Signed HTTP Exchange (https://chromestatus.com/feature/5126805474246656). Currently SignedExchange subresource prefetches (triggered by Link: rel="alternate") are requested with "no-cors" mode. After this change, SignedExchange subresource prefetches will be requested with "cors" mode and "same-origin" credentials mode. That means that subresource SignedExchanges prefetched cross-origin must have an appropriate Access-Control-Allow-Origin response header.


Motivation

Using no-cors mode for subresource SignedExchange prefetching was not a well-thought-out decision. In principle new features shouldn't use no-cors. Also, no-cors prefetches will be blocked once ORB (Opaque Response Blocking) is fully enabled (https://github.com/annevk/orb/issues/32).

See https://github.com/WICG/webpackage/issues/790 for more details and alternatives considered.

Blink component

Blink>Loader>WebPackaging


Debuggability

If a SignedExchange prefetch fails with a CORS error, it will be reported in the DevTools Network tab and console.


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1316660

Estimated milestones

Shipping on desktop: 106

Shipping on Android: 106


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5047867052392448
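To illustrate what the new "cors" + "same-origin" combination demands of a cross-origin SignedExchange host, here is an added example (not Chromium code, not from the PSA author) that models the Fetch spec's CORS check for such a prefetch and runs it over constructed sample responses; the URLs, header sets and helper names are assumptions.

```python
# Model of the CORS check a browser applies to a prefetch issued with
# mode "cors" and credentials mode "same-origin": a cross-origin prefetch
# carries no credentials, so the response needs either
# Access-Control-Allow-Origin: * or the exact page origin.
# Constructed illustration; not Chromium's loader code.
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}"


@dataclass
class Response:
    url: str
    headers: dict = field(default_factory=dict)

    def get(self, name: str):
        # Header names are case-insensitive.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


def cors_check(request_origin: str, resp: Response, credentials_included: bool = False):
    """Return (ok, reason) following the Fetch spec's 'CORS check'."""
    acao = resp.get("Access-Control-Allow-Origin")
    if acao is None:
        return False, "missing Access-Control-Allow-Origin"
    if acao == "*":
        # The wildcard is rejected only when credentials are included.
        return (not credentials_included), "wildcard"
    if acao != request_origin:
        return False, f"origin mismatch: {acao!r} != {request_origin!r}"
    if credentials_included and resp.get("Access-Control-Allow-Credentials") != "true":
        return False, "credentials require Access-Control-Allow-Credentials: true"
    return True, "origin matched"


def prefetch_allowed(page_url: str, resp: Response):
    """Same-origin prefetches skip the check; cross-origin ones run it without credentials."""
    page_origin = origin_of(page_url)
    if origin_of(resp.url) == page_origin:
        return True, "same-origin"
    return cors_check(page_origin, resp, credentials_included=False)


PAGE = "https://publisher.example/article.html"  # constructed
SXG = "https://cdn.example/script.sxg"            # constructed cross-origin SXG
SAMPLES = {  # constructed response header sets
    "no_header": Response(SXG, {"Content-Type": "application/signed-exchange;v=b3"}),
    "wildcard": Response(SXG, {"Access-Control-Allow-Origin": "*"}),
    "exact": Response(SXG, {"access-control-allow-origin": "https://publisher.example"}),
    "other": Response(SXG, {"Access-Control-Allow-Origin": "https://other.example"}),
    "same": Response("https://publisher.example/script.sxg", {}),
}
```

When the host echoes the exact origin rather than `*`, it should also send `Vary: Origin` so caches do not serve one origin's answer to another.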

Domenic Denicola

Aug 8, 2022, 3:14:22 AM
to Kunihiko Sakamoto, blink-dev
I'm really happy to see this change! It's important to hold the line on new web platform features being CORS-only, and big kudos to the team for doing this extra work.
