Fetch: Difference between revisions

From WHATWG Wiki
(add some stuff on the model)
(→‎Request: merge with HTML fetch a bit, add CORS-related requirements)
Line 12: Line 12:
=== Request ===
=== Request ===


* URL (as object)
* Parsed URL (object)
* method
* method (probably with restrictions as seen in XHR)
* UA headers
* UA headers
* author headers (maybe rename because people get upset with "author")
* author headers (maybe rename because people get upset with "author", with implicit restrictions as seen in XHR / CORS)
* entity body
* entity body
* origin
* origin (object)
* referrer source (Document / URL)
* manual redirect flag
* manual redirect flag
* omit credentials flag
* omit credentials flag (will replace HTML fetch block cookies flag but also has other features)
* force preflight flag (set for upload progress notifications (to not reveal existence of server in case of POST I suppose; I should know...))
* force preflight flag (set for upload progress notifications (to not reveal existence of server in case of POST I suppose; I should know...))
* synchronous flag
* force same-origin flag


XXX add CORS modes and whatever HTML fetch defines.
For http/https we need to allow these kind of CORS requests:
 
* No CORS, taint (<link>, <script>, ...); still need to allow the server to opt in to CORS anyway to effectively make the resource CORS same-origin even if not requested as such
* No CORS, fail (<track>)
* Anonymous
* Credentialed


=== Fetch ===
=== Fetch ===
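Review bot: The new list of CORS request kinds (No CORS taint, No CORS fail, Anonymous, Credentialed) is not tied to any entry in the Request list, so nothing says how a caller selects one of them. Suggest adding a mode entry to Request, or stating how the omit credentials flag and the force same-origin flag combine to give each kind. The added "synchronous flag" and "force same-origin flag" entries also carry no explanation, unlike the omit credentials and force preflight entries beside them.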

Revision as of 12:09, 11 February 2013

Fetch is fetch.spec.whatwg.org and will define HTML fetch and CORS as a set of coherent algorithms rather than the intertwined mess we have now. It will also deal with the following:

  • Deal with authentication (URLs containing username/password, servers responding with 401)
  • Deal with URL processing
  • Define HTTP context for data: URLs, about:blank, and file: URLs.
  • Progress Events

Model

The basic model is Request -> Fetch -> Response.

Request

  • Parsed URL (object)
  • method (probably with restrictions as seen in XHR)
  • UA headers
  • author headers (maybe rename because people get upset with "author", with implicit restrictions as seen in XHR / CORS)
  • entity body
  • origin (object)
  • referrer source (Document / URL)
  • manual redirect flag
  • omit credentials flag (will replace HTML fetch block cookies flag but also has other features)
  • force preflight flag (set for upload progress notifications (to not reveal existence of server in case of POST I suppose; I should know...))
  • synchronous flag
  • force same-origin flag

For http/https we need to allow these kinds of CORS requests:

  • No CORS, taint (<link>, <script>, ...); still need to allow the server to opt in to CORS anyway to effectively make the resource CORS same-origin even if not requested as such
  • No CORS, fail (<track>)
  • Anonymous
  • Credentialed

Fetch

Have a case-switch on URL scheme. See also URL. Fetch results in a network error response unless the scheme is one of

  • http
  • https
  • ftp
  • file
  • about
  • data
  • blob

CORS is only relevant for http/https. It can be relevant even for same-origin requests, when a cross-origin redirect happens and the manual redirect flag is not set.
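The scheme switch and the redirect caveat above, as an added JavaScript sketch (not part of the wiki page and not the Fetch specification's algorithm). `planFetch`, its return shape and the `redirects` argument are hypothetical, and the sketch assumes each redirect hop goes through the same scheme switch as the first URL.

```javascript
// Added illustration of the model on this page; names and return shape are hypothetical.
const FETCHABLE = new Set(["http", "https", "ftp", "file", "about", "data", "blob"]);
const CORS_RELEVANT = new Set(["http", "https"]);
const NETWORK_ERROR = "network error";

// request: { url, origin, manualRedirect } mirrors three entries of the Request list.
// redirects: constructed list of Location targets the server would send, in order.
function planFetch(request, redirects = []) {
  const hops = [request.url];
  // With the manual redirect flag set, redirects are handed back, not followed.
  if (!request.manualRedirect) hops.push(...redirects);

  let corsRelevant = false;
  let current; // undefined base for the first hop, previous URL afterwards
  for (const hop of hops) {
    try {
      current = new URL(hop, current); // resolves relative Location values
    } catch {
      return { result: NETWORK_ERROR, corsRelevant, finalURL: null };
    }
    const scheme = current.protocol.slice(0, -1); // "https:" -> "https"
    if (!FETCHABLE.has(scheme)) {
      return { result: NETWORK_ERROR, corsRelevant, finalURL: null };
    }
    // CORS only matters for http/https, and only once a hop leaves the request's origin.
    if (CORS_RELEVANT.has(scheme) && current.origin !== request.origin) {
      corsRelevant = true;
    }
  }
  return { result: "response", corsRelevant, finalURL: current.href };
}

// Constructed sample requests (example hosts are placeholders).
const app = "https://app.example";
const samples = [
  [{ url: "https://app.example/a", origin: app, manualRedirect: false }, []],
  [{ url: "https://app.example/a", origin: app, manualRedirect: false }, ["https://cdn.example/a"]],
  [{ url: "https://app.example/a", origin: app, manualRedirect: true }, ["https://cdn.example/a"]],
  [{ url: "data:text/plain,hi", origin: app, manualRedirect: false }, []],
  [{ url: "javascript:void(0)", origin: app, manualRedirect: false }, []],
];
for (const [req, redirects] of samples) {
  console.log(req.url, redirects, JSON.stringify(planFetch(req, redirects)));
}
```

The second sample is the case the paragraph warns about: the request starts same-origin, yet CORS becomes relevant after the redirect.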

XXX ...

Response

Covers both intermediate updates (progress, headers received, ...) and the final result. Also indicates a network error / CORS error (exposed as a network error), ...