fetch() should not allow redirects to data URIs




4 years ago
3 months ago


(Reporter: bkelly, Unassigned)


(Blocks 1 bug)

Firefox Tracking Flags

(Not tracked)




This probably effects other code as well since more things are using the fetch spec now.  See bug 1018872.
Wait, why do we want to disallow the redirect instead of just making it a opaque response?  There doesn't seem to be any actual reasoning to this effect in the github issue.

It seems to me like we should have as few special-cases in the platform as possible.  Just because Blink happens to special-case all sorts of URI schemes everywhere and hence is inconsistent in terms of which schemes it supports in which context doesn't mean that we should spec that behavior or force everyone else to implement such spaghetti special-casing.
Flags: needinfo?(annevk)

Comment 2

4 years ago
Does Blink really have that many special cases? I guess we could revert back to making it opaque. I figured that since we were planning on aligning with Blink with regards to data URLs we could align on this front as well, but perhaps that wasn't as a principled decision as it should have been.
Flags: needinfo?(annevk)
> Does Blink really have that many special cases?

As far as I can tell, it does, though they've been whack-a-moling them a bit.  They support various things from blob: URIs but not data: URIs, and it's totally inconsistent which things those are, and they keep changing it.

> I figured that since we were planning on aligning with Blink with regards to data URLs

With regard to their handling in iframes, no?  Not their entire insanity where they have to manually change every callsite that might be fetching a URI to specially handle data: and therefore handle it or not handle it in completely random ways!
This might have never been spec'd, but we should double check.

Comment 5

4 years ago
Note that I'm still not convinced this makes data URLs magic since either way the redirect logic in the specification will have to handle them explicitly (and that's only a single location, not every callsite), but as I mentioned I'm happy to change this back. Hopefully we can convince Chrome to do the same.
No longer blocks: ServiceWorkers-postv1
Priority: -- → P5
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.