Sec-Fetch-User is not detailed enough #23
Comments
Indeed. It's quite hand-wavy at the moment. The requests I care most about are navigational requests, and the approach sketched out in the spec assumes that we'd check the user activation status in HTML's navigation algorithm, and pass it on to Fetch. For subresource requests, the implementation behind a flag in Chrome is currently hard-coded to In the spec, I expect we'd continue to rely on /cc @arturjanc, as we've talked about this a little bit in the past.
As a bit of a tangent: after Chrome implements
This patch:
* Locks `Sec-Fetch-User` to navigation requests.
* Drops the header when it's `false`.
* Sketches out monkeypatches to Fetch and HTML in a little more detail so that we can have a more focused discussion around the integration points we'll want in the future.

Fixes #19. Partially addresses #23.
In 79938e0, I've locked the header to navigation requests (in https://mikewest.github.io/sec-metadata/#sec-fetch-user-header), and done a little work to explain the integration between Fetch and HTML in (https://mikewest.github.io/sec-metadata/#fetch-integration). Do those look like patches you'd consider accepting against those documents, @annevk?
That is probably reasonable, yes. Assuming navigate hasn't gone in parallel by the time you do the "triggered by user activation" check.
As per the conversation in w3c/webappsec-fetch-metadata#23 and w3c/webappsec-fetch-metadata#19, this patch drops the `Sec-Fetch-User` header for non-navigational requests, and for navigational requests that are not user-activated. Bug: 947444 Change-Id: Ica4846bda6ccf4e8bce1323803954f4fef9c18a3
Ok. Tests are being updated in https://chromium-review.googlesource.com/c/chromium/src/+/1545871 (WPT: web-platform-tests/wpt#16148). I'll close this out once that lands, and punt the subresource discussion to #26.
As per the conversation in w3c/webappsec-fetch-metadata#23 and w3c/webappsec-fetch-metadata#19, this patch drops the `Sec-Fetch-User` header for non-navigational requests, and for navigational requests that are not user-activated. Bug: 947444 Change-Id: Ica4846bda6ccf4e8bce1323803954f4fef9c18a3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1545871 Reviewed-by: Alex Moshchuk <[email protected]> Commit-Queue: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#646086}
web-platform-tests/wpt#16148 was merged over the weekend.
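How a server might read `Sec-Fetch-User` under the rule this thread settles on (sent only on user-activated navigation requests, omitted otherwise). This is an added example, not code from the spec or from Chrome; the function names, the anomaly labels and the `?1` true value (taken from the current Fetch Metadata spec, not from this page) are assumptions.

```javascript
// Assumption: the header's "true" value is the structured-header boolean ?1.
const SEC_FETCH_USER_TRUE = '?1';

// Header names are expected lowercased, as Node's http module delivers them.
function headerValue(headers, name) {
  const v = headers[name];
  return typeof v === 'string' ? v.trim().toLowerCase() : undefined;
}

// Classify one request. Absence of Sec-Fetch-User means "not user-activated"
// (or a browser without Fetch Metadata), never an error on its own.
function classifySecFetchUser(headers) {
  const mode = headerValue(headers, 'sec-fetch-mode');
  const user = headerValue(headers, 'sec-fetch-user');
  const isNavigation = mode === 'navigate';
  const anomalies = [];

  // The header is locked to navigation requests, so seeing it elsewhere
  // points at an older build, a proxy rewriting headers, or a non-browser client.
  if (user !== undefined && !isNavigation) {
    anomalies.push('sec-fetch-user-on-non-navigation');
  }
  // The header is dropped when false, so any value other than true is unexpected.
  if (user !== undefined && user !== SEC_FETCH_USER_TRUE) {
    anomalies.push('sec-fetch-user-unexpected-value');
  }
  return {
    userActivated: isNavigation && user === SEC_FETCH_USER_TRUE,
    anomalies,
  };
}

// Constructed sample requests (not captured traffic).
const samples = {
  clickedLink: { 'sec-fetch-mode': 'navigate', 'sec-fetch-user': '?1' },
  scriptedNavigation: { 'sec-fetch-mode': 'navigate' },
  subresourceWithHeader: { 'sec-fetch-mode': 'cors', 'sec-fetch-user': '?1' },
  explicitFalse: { 'sec-fetch-mode': 'navigate', 'sec-fetch-user': '?0' },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name, JSON.stringify(classifySecFetchUser(headers)));
}
```

Anomalies are best logged rather than rejected outright, since requests from non-browser clients and older browser builds will not follow this rule.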
…vated, navigational requests., a=testonly Automatic update from web-platform-tests Send `Sec-Fetch-User` only for user-activated, navigational requests. As per the conversation in w3c/webappsec-fetch-metadata#23 and w3c/webappsec-fetch-metadata#19, this patch drops the `Sec-Fetch-User` header for non-navigational requests, and for navigational requests that are not user-activated. Bug: 947444 Change-Id: Ica4846bda6ccf4e8bce1323803954f4fef9c18a3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1545871 Reviewed-by: Alex Moshchuk <[email protected]> Commit-Queue: Mike West <[email protected]> Cr-Commit-Position: refs/heads/master@{#646086} -- wpt-commits: b93752a06f9498f774aed288663259cd738f1a7c wpt-pr: 16148
…vated, navigational requests., a=testonly Automatic update from web-platform-tests Send `Sec-Fetch-User` only for user-activated, navigational requests. As per the conversation in w3c/webappsec-fetch-metadata#23 and w3c/webappsec-fetch-metadata#19, this patch drops the `Sec-Fetch-User` header for non-navigational requests, and for navigational requests that are not user-activated. Bug: 947444 Change-Id: Ica4846bda6ccf4e8bce1323803954f4fef9c18a3 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1545871 Reviewed-by: Alex Moshchuk <alexmoschromium.org> Commit-Queue: Mike West <mkwstchromium.org> Cr-Commit-Position: refs/heads/master{#646086} -- wpt-commits: b93752a06f9498f774aed288663259cd738f1a7c wpt-pr: 16148 UltraBlame original commit: 595f9f3aa36e9e4e5c8f120d7349c2965613814d
E.g., if I change the `src` of an `<img>` element in response to a click, does that count? What if I invoked `fetch()` instead? (Note that in case of the latter putting state on requests isn't the way to go.)