-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Be a bit more explicit about which subresources are to be ignored from stylesheets #200
Comments
Concluded on the call: even if B and C are same-origin, they should not be exposed |
Per W3C call on 8/1, we need to add tests and spec language to ensure browsers are able to implement properly. |
I just spent some time thinking of a language that would allow us to hand wavily define this without saying "dependency trees" which are a big and loaded term... Ideas welcome! :) |
Anne - I'd appreciate ideas on how we can know in Fetch that a resource was fetched by no-cors CSS @jakearchibald @wanderview - Thoughts? Did y'all define this for SWs? |
This is still tracked here w3c/ServiceWorker#719 for SW and we haven't defined it. |
Cross-origin no-cors CSS, right? CSS could set request's service-workers mode to "none" for such requests. I suppose it could also set request's timing allow failed flag and things would work out, but we might want to make it a bit clearer that's a flag a user of fetch could set as currently it's described as an internal detail. |
Indeed!
I don't think that's sufficient, as we want those URLs to not be reported at all, while TAO would just reduce the information they expose. |
Good point, yeah, either that or we turn the timings thing into a tri-state. It strikes me that what @noamr is adding to Fetch doesn't allow for not reporting at the moment. |
If we had such a flag, that's something that we could include, and avoid queueing an entry in those cases. |
Note: Currently CSS @import processing is defined only in prose. I believe it needs to be define in terms of fetch or refer back to the HTML |
Depends on w3c/csswg-drafts#562 |
Should be fixed by w3c/csswg-drafts#6715 |
Closing now that w3c/csswg-drafts#6715 is merged. |
The spec currently says "If the resource is fetched by a cross-origin stylesheet which was fetched with no-cors policy, abort the remaining steps." This seems to mean that all subresources from such stylesheet should be ignored. But the current wording could be interpreted as only direct fetches from the stylesheet. For example, consider this fetch chain:
stylesheet A -> stylesheet B -> resource C
In this case, when A is no-cors cross-origin, I believe C's RT information should not be exposed, and we should make this clear.
The text was updated successfully, but these errors were encountered: