-
Notifications
You must be signed in to change notification settings - Fork 336
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fetch abort & no-cors requests #563
Comments
To be extra clear, the new feature relative to XMLHttpRequest is the ability to abort while an opaque response is being received (XMLHttpRequest would have gotten a network error at that point due to CORS). Aborting during the "requesting part" was already possible. I think header truncation is a solved problem at this point in that you simply get a network error if they are incomplete. HTTP cache interaction might also be worth touching on, in particular with respect to the recent refactoring efforts there. The easiest would be to simply not cache erred responses, at least not until we offer APIs around range requests and the like. |
Incomplete responses can be stored as partial responses and then completed later (with validation), but we decided to punt on partial caching support, so probably best to call it an error and skip the cache (unless the cache decides to support partial). See also: |
Is this similar to adding a cross-origin iframe which starts an img/script/etc load and then removing the iframe before the load completes? I know we cancel if the user closes a tab. I'm just wondering if similar cancelation happens on iframe removal which would be script controlled. |
Another possible way this could happen today:
|
In both those cases you can't really inspect the resulting |
I shared this issues with our security folks and we couldn't find any security issues with this. |
Aborting fetch introduces a new capability: aborting 'no-cors' fetches.
Connections can already terminate as the result of connections dropping, but now the timing & control of this is available to the developer. Although, since the response is being read in another thread, the timing of actual cancellation isn't completely predictable.
tc39/proposal-cancelable-promises#4 is the first time the issue was raised that aborting a fetch might result in a partial response and that for opaque responses that could potentially be problematic.
Possible attacks:
The browser will know the response stream ended in error, so it can avoid executing non-streaming formats like JS and CSS (if we assume CSS isn't streaming), but is there an issue with allowing a mid-response abort of streaming responses like img, audio, video?
Related issues:
The text was updated successfully, but these errors were encountered: