Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fetch abort & no-cors requests #563

Closed
jakearchibald opened this issue Jul 10, 2017 · 6 comments
Closed

Fetch abort & no-cors requests #563

jakearchibald opened this issue Jul 10, 2017 · 6 comments
Labels
security/privacy There are security or privacy implications topic: streams

Comments

@jakearchibald
Copy link
Collaborator

jakearchibald commented Jul 10, 2017

Aborting fetch introduces a new capability: aborting 'no-cors' fetches.

// In a service worker:
addEventListener('fetch', event => {
  const controller = new AbortController();
  const signal = controller.signal;

  event.respondWith(
    fetch(whateverURL, {mode: 'no-cors', signal})
  );

  // Sometime later:
  controller.abort();
});

Connections can already terminate as the result of connections dropping, but now the timing & control of this is available to the developer. Although, since the response is being read in another thread, the timing of actual cancellation isn't completely predictable.

tc39/proposal-cancelable-promises#4 is the first time the issue was raised that aborting a fetch might result in a partial response and that for opaque responses that could potentially be problematic.

Possible attacks:

  • Header truncation
  • Partial data execution

The browser will know the response stream ended in error, so it can avoid executing non-streaming formats like JS and CSS (if we assume CSS isn't streaming), but is there an issue with allowing a mid-response abort of streaming responses like img, audio, video?

Related issues:

@annevk
Copy link
Member

annevk commented Jul 10, 2017

To be extra clear, the new feature relative to XMLHttpRequest is the ability to abort while an opaque response is being received (XMLHttpRequest would have gotten a network error at that point due to CORS). Aborting during the "requesting part" was already possible.

I think header truncation is a solved problem at this point in that you simply get a network error if they are incomplete.

HTTP cache interaction might also be worth touching on, in particular with respect to the recent refactoring efforts there. The easiest would be to simply not cache erred responses, at least not until we offer APIs around range requests and the like.

@annevk annevk added security/privacy There are security or privacy implications topic: streams labels Jul 10, 2017
@mnot
Copy link
Member

mnot commented Jul 10, 2017

Incomplete responses can be stored as partial responses and then completed later (with validation), but we decided to punt on partial caching support, so probably best to call it an error and skip the cache (unless the cache decides to support partial).

See also:
http://httpwg.org/specs/rfc7234.html#incomplete.responses

@wanderview
Copy link
Member

Is this similar to adding a cross-origin iframe which starts an img/script/etc load and then removing the iframe before the load completes? I know we cancel if the user closes a tab. I'm just wondering if similar cancelation happens on iframe removal which would be script controlled.

@wanderview
Copy link
Member

Another possible way this could happen today:

  1. Create a dedicated worker that does a large load.
  2. Worker.terminate() the worker while its in the middle of receiving data.

@annevk
Copy link
Member

annevk commented Jul 10, 2017

In both those cases you can't really inspect the resulting Response (and you end up aborting all kinds of other activity too such as the event loop and such). Worth keeping in mind though.

@annevk annevk mentioned this issue Sep 20, 2017
@jakearchibald
Copy link
Collaborator Author

I shared this issues with our security folks and we couldn't find any security issues with this.

@annevk annevk closed this as completed in 0bcd5df Sep 20, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
security/privacy There are security or privacy implications topic: streams
Development

No branches or pull requests

4 participants