Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add unsafe-no-cors mode #1533

Open
wants to merge 6 commits into
base: main
Choose a base branch
from
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
65 changes: 57 additions & 8 deletions fetch.bs
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,10 @@ urlPrefix:https://tc39.es/ecma262/#;type:dfn;spec:ecma-262
url:sec-list-and-record-specification-type;text:Record
</pre>

<pre class=link-defaults>
spec:infra; type:dfn; text:user agent
</pre>

<pre class=biblio>
{
"HTTP": {
Expand Down Expand Up @@ -1773,8 +1777,8 @@ to not have to set <a for=/>request</a>'s <a for=request>referrer</a>.
<p>A <a for=/>request</a> has an associated
<dfn export for=request id=concept-request-mode>mode</dfn>, which is
"<code>same-origin</code>", "<code>cors</code>", "<code>no-cors</code>",
"<code>navigate</code>", or "<code>websocket</code>". Unless stated otherwise, it is
"<code>no-cors</code>".
"<code>navigate</code>", "<code>user-agent-no-cors</code>", or "<code>websocket</code>".
Unless stated otherwise, it is "<code>no-cors</code>".

<div class="note no-backref">
<dl>
Expand All @@ -1796,15 +1800,38 @@ to not have to set <a for=/>request</a>'s <a for=request>referrer</a>.
<dt>"<code>navigate</code>"
<dd>This is a special mode used only when <a>navigating</a> between documents.

<dt>"<code>user-agent-no-cors</code>"
<dd>This is a special mode for the [=user agent=] to use internally to wittingly make
requests that are unsafe. It restricts a <a for=/>request</a> to using <a>CORS-safelisted methods</a>,
<a>CORS-safelisted request-headers</a>, and the <a for=/>request</a> must have a <a>parallel queue</a>
<a for="fetch params">task destination</a>. A <a for=/>request</a> with this mode cannot use
<a>service-workers mode</a> "<code>all</code>". However, the request will not be required to
pass a <a>cross-origin resource policy check</a> or to test if
<a>Cross-Origin-Embedder-Policy allows credentials</a>. Upon success a fetch will
return a <a>basic filtered response</a>.

<p class=warning> Using <a for=/>request</a> <a for=request>mode</a> "<code>user-agent-no-cors</code>"
is even more discouraged and unsafe than "<code>no-cors</code>". Any use of this mode must be
memory-isolated to the [=user agent=] to contain its results and prevent their disclosure or misuse.
This <a for=request>mode</a> is deliberately not exposed in the {{RequestMode}}.

<dt>"<code>websocket</code>"
<dd>This is a special mode used only when
<a spec=websockets lt="establish a WebSocket connection">establishing a WebSocket connection</a>.
</dl>

<p>Even though the default <a for=/>request</a> <a for=request>mode</a> is "<code>no-cors</code>",
standards are highly discouraged from using it for new features. It is rather unsafe.


</div>

<p>A <a for=/>request</a> has an associated
<dfn for=request>omit origin flag</dfn>. Unless stated otherwise it is unset.

<p class="note no-backref">The <a for=request>omit origin flag</a> only has effect when
<a for=/>request</a>'s <a for=request>mode</a> is "<code>user-agent-no-cors</code>".

<p>A <a for=/>request</a> has an associated
<dfn id=use-cors-preflight-flag export for=request>use-CORS-preflight flag</dfn>. Unless stated
otherwise, it is unset.
Expand Down Expand Up @@ -3074,8 +3101,9 @@ given a <a for=/>request</a> <var>request</var>, run these steps:
with <var>request</var>.

<li><p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>cors</code>" or
<var>request</var>'s <a for=request>mode</a> is "<code>websocket</code>", then
<a for="header list">append</a> (`<code>Origin</code>`, <var>serializedOrigin</var>) to
<var>request</var>'s <a for=request>mode</a> is "<code>websocket</code>" or
"<code>user-agent-no-cors</code>", then <a for="header list">append</a>
(`<code>Origin</code>`, <var>serializedOrigin</var>) to
<var>request</var>'s <a for=request>header list</a>.

<li>
Expand Down Expand Up @@ -3981,6 +4009,10 @@ the request.
<p><a for=/>Assert</a>: <var>request</var>'s <a for=request>mode</a> is "<code>navigate</code>" or
<var>processEarlyHintsResponse</var> is null.

<p>If <var>fetchParams</var>'s <a for="fetch params">request</a>'s <a for=request>mode</a> is
"<code>user-agent-no-cors</code>": <a for=/>assert</a>: <var>fetchParams</var>'s
<a for="fetch params">task destination</a> is a <a for=/>parallel queue</a>.

<p class=note>Processing of early hints (<a for=/>responses</a> whose <a for=response>status</a>
is 103) is only vetted for navigations.

Expand Down Expand Up @@ -4039,7 +4071,9 @@ the request.
<a for="environment settings object">global object</a> is a {{Window}} object; otherwise
"<code>no-window</code>".

<li><p>If <var>request</var>'s <a for=request>origin</a> is "<code>client</code>", then set
<li><p>If <var>request</var>'s <a for=request>origin</a> is "<code>client</code>" and either
<var>request</var>'s <a for=request>mode</a> is not "<code>user-agent-no-cors</code>" or
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is an "or and" in this sentence (and I cannot decide whether it should be "or" or "and")

and <var>request</var>'s <a for=request>omit origin flag</a> is unset, then set
<var>request</var>'s <a for=request>origin</a> to <var>request</var>'s <a for=request>client</a>'s
<a for="environment settings object">origin</a>.

Expand All @@ -4051,7 +4085,7 @@ the request.
<a>HTTP(S) scheme</a>

<li><p><var>request</var>'s <a for=request>mode</a> is "<code>same-origin</code>",
"<code>cors</code>", or "<code>no-cors</code>"
"<code>cors</code>", "<code>no-cors</code>", or "<code>user-agent-no-cors</code>"

<li><p><var>request</var>'s <a for=request>window</a> is not null

Expand All @@ -4066,7 +4100,8 @@ the request.
<ol>
<li><p><a for=/>Assert</a>: <var>request</var>'s <a for=request>origin</a> is <a>same origin</a>
with <var>request</var>'s <a for=request>client</a>'s
<a for="environment settings object">origin</a>.
<a for="environment settings object">origin</a> or <var>request</var>'s <a for=request>mode</a>
is "<code>user-agent-no-cors</code>".

<li><p>Let <var>onPreloadedResponseAvailable</var> be an algorithm that runs the following
step given a <a for=/>response</a> <var>response</var>: set <var>fetchParams</var>'s
Expand Down Expand Up @@ -4302,6 +4337,15 @@ steps:
<li><p>Return <var>corsWithPreflightResponse</var>.
</ol>

<dt><var>request</var>'s <a for=request>mode</a> is "<code>user-agent-no-cors</code>"
<dd>
<ol>
<li><p>Set <var>request</var>'s <a for=request>response tainting</a> to
"<code>basic</code>".

<li><p>Return the result of running <a>HTTP fetch</a> given <var>fetchParams</var>.
</ol>

<dt>Otherwise
<dd>
<ol>
Expand Down Expand Up @@ -4788,6 +4832,8 @@ these steps:
<li><p><var>request</var>'s <a for=request>mode</a> is not "<code>no-cors</code>" and
<var>response</var>'s <a for=response>type</a> is "<code>opaque</code>"

<li><p><var>request</var>'s <a for=request>mode</a> is "<code>user-agent-no-cors</code>"

<li><var>request</var>'s <a for=request>redirect mode</a> is not "<code>manual</code>" and
<var>response</var>'s <a for=response>type</a> is "<code>opaqueredirect</code>"

Expand Down Expand Up @@ -5144,7 +5190,9 @@ run these steps:
<var>httpRequest</var>'s <a for=request>header list</a>.
</ol>

<li><p><a>Append a request `<code>Origin</code>` header</a> for <var>httpRequest</var>.
<li>If either <var>request</var>'s <a for=request>mode</a> is not "<code>user-agent-no-cors</code>"
or <var>request</var>'s <a for=request>omit origin flag</a> is not set,
<p><a>append a request `<code>Origin</code>` header</a> for <var>httpRequest</var>.

<li><p><a abstract-op lt="append the Fetch metadata headers for a request">Append the Fetch metadata headers for <var>httpRequest</var></a>.
[[!FETCH-METADATA]]
Expand Down Expand Up @@ -8303,6 +8351,7 @@ Axel Rauschmayer,
Ben Kelly,
Benjamin Gruenbaum,
Benjamin Hawkes-Lewis,
Benjamin VanderSloot,
Bert Bos,
Björn Höhrmann,
Boris Zbarsky,
Expand Down