Restrict fetch(..., { mode: "no-cors" }) more
We based what fetch() with no-cors can do upon CORS, but while that makes sense for requests, it doesn't make a whole lot of sense for responses now that opaque response has lost some of its meaning due to Spectre.
This was previously discussed in https://github.com/w3c/ServiceWorker/issues/1509. It seems easy to have an early block if request's method was not GET.
I don't know if we want to do anything about request headers, though it does seem kind of suspicious if a GET comes with a Content-Type header, it also doesn't seem like the kind of thing a server would trip over (famous last words?).
cc @jakearchibald
Related bugs (some hidden, but it was long ago decided to disclose this):
- https://bugzilla.mozilla.org/show_bug.cgi?id=1513498
- https://bugs.webkit.org/show_bug.cgi?id=192628
- https://bugs.chromium.org/p/chromium/issues/detail?id=914301
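To make the request-side checks under discussion concrete, here is an added example (not code from the whatwg/fetch issue, the spec, or any browser) that models the current `mode: "no-cors"` request restrictions, a CORS-safelisted method plus CORS-safelisted request-headers, alongside the stricter GET-only rule proposed above. The header-value rules (128-byte limit, the "CORS-unsafe request-header byte" set, the three permitted Content-Type essences) follow my reading of the Fetch spec and are simplified; the later safelisting of Range is deliberately left out, and the request shapes fed to it are constructed for illustration.

```javascript
// Added example, not from the whatwg/fetch issue or the spec text. Models, in a
// simplified form, the request-side checks Fetch applies to mode "no-cors"
// (CORS-safelisted method + CORS-safelisted request-headers) and the stricter
// rule proposed in the issue: refuse any no-cors request whose method is not GET.
// Header-value rules follow my reading of the Fetch spec (value <= 128 bytes, no
// "CORS-unsafe request-header bytes", Content-Type limited to three MIME
// essences). Range safelisting, added to the spec later, is omitted on purpose.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Fetch's "CORS-unsafe request-header byte": control bytes other than HT, plus a
// fixed set of delimiters that could be used to smuggle structure into a value.
function isUnsafeByte(b) {
  if (b < 0x20 && b !== 0x09) return true;
  return b === 0x22 || b === 0x28 || b === 0x29 || b === 0x3a || b === 0x3c ||
    b === 0x3e || b === 0x3f || b === 0x40 || b === 0x5b || b === 0x5c ||
    b === 0x5d || b === 0x7b || b === 0x7d || b === 0x7f;
}

function hasUnsafeByte(value) {
  return Buffer.from(value, "latin1").some(isUnsafeByte);
}

// Accept-Language / Content-Language are limited to a small safe alphabet.
const LANGUAGE_VALUE = /^[0-9A-Za-z *,\-.;=]*$/;

// True if (name, value) is a CORS-safelisted request-header.
function isSafelistedHeader(name, value) {
  if (Buffer.byteLength(value, "latin1") > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
      return !hasUnsafeByte(value);
    case "accept-language":
    case "content-language":
      return LANGUAGE_VALUE.test(value);
    case "content-type": {
      if (hasUnsafeByte(value)) return false;
      // MIME essence = type/subtype before any ";parameters", case-insensitive.
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFE_CONTENT_TYPES.has(essence);
    }
    default:
      return false;
  }
}

// Current behaviour (simplified): null if the request may be sent in no-cors
// mode, otherwise a string naming the first violation.
function noCorsViolation(method, headers) {
  const m = method.toUpperCase();
  if (!SAFELISTED_METHODS.has(m)) return `method ${m} is not CORS-safelisted`;
  for (const [name, value] of headers) {
    if (!isSafelistedHeader(name, value)) {
      return `header ${name} is not CORS-safelisted`;
    }
  }
  return null;
}

// Proposal from the issue: block early unless the method is GET, then apply the
// existing header checks unchanged (a GET with Content-Type still passes).
function noCorsViolationProposed(method, headers) {
  const m = method.toUpperCase();
  if (m !== "GET") return `method ${m} is blocked by the GET-only rule`;
  return noCorsViolation("GET", headers);
}

// Constructed requests showing where the two rules differ.
const examples = [
  ["GET", [["Accept", "text/html"]]],
  ["POST", [["Content-Type", "text/plain"]]],
  ["POST", [["Content-Type", "application/json"]]],
  ["GET", [["Content-Type", "text/plain"]]],
  ["DELETE", []],
];
for (const [method, headers] of examples) {
  console.log(
    method, JSON.stringify(headers),
    "| current:", noCorsViolation(method, headers),
    "| proposed:", noCorsViolationProposed(method, headers),
  );
}
```

Run it with Node; the POST rows are the ones that flip from allowed to blocked under the proposal, while the "GET + Content-Type: text/plain" row stays allowed under both, which is exactly the case the issue leaves open.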