Enabling Client Hints forces image requests to be CORS preflighted requests
Reported by
mr.gerar...@gmail.com,
Apr 7 2018
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce the problem:
1. Run a local server (or host files)
2. Load HTML page in Chrome and confirm SW is running
3. Refresh page to capture image requests via runtime caching, confirm image requests go from "simple" to "preflighted" CORS requests per errors in dev console

What is the expected behavior?
By adding Client Hints, the image requests should still be "simple" (non-preflighted) requests.

What went wrong?
By adding Client Hints, the image requests were preflighted CORS requests.

Did this work before? N/A
Does this work in other browsers? N/A

Chrome version: 65.0.3325.181 Channel: stable
OS Version: OS X 10.11.6
Flash Version:

Looks like this discussion happened in the past and Client Hints should be treated as CORS simple headers:
https://github.com/whatwg/fetch/commit/404dc3acfddb5e9870fdee333302f80ecff661dd
Per: https://github.com/httpwg/http-extensions/issues/141
And earlier: https://github.com/igrigorik/http-client-hints/issues/68#issuecomment-163578440

But Chrome is still treating Client Hints as preflight.
,
Apr 7 2018
+Yoav, +Tarun: do either one of you guys have bandwidth to tackle this one?
,
Apr 7 2018
For some reason, the headers are not included here: https://cs.chromium.org/chromium/src/services/network/public/cpp/cors/cors.cc?rcl=758e3fd5b20e5eedea7268c28c6df8e85a482dc1&l=227
,
Apr 7 2018
,
Apr 7 2018
We should include all client hint headers as well in that list: https://cs.chromium.org/chromium/src/third_party/WebKit/common/client_hints/client_hints.cc?rcl=34478381b6adb0298c4103ea72e2c2b88aaa1502&l=11
,
Apr 7 2018
,
Apr 8 2018
tbansal@ - Thanks for taking ownership. I'm happy to help with reviews.
,
Apr 9 2018
Thinking about this some more, is this a current problem, now that https://bugs.chromium.org/p/chromium/issues/detail?id=816661 is fixed? It makes sense to add the headers to the safe list, but I think what the OP is currently experiencing as preflights will very soon be blocked entirely. (until a Feature Policy opt-in is landed)
,
Apr 10 2018
Re #8: You are right. Cross-origin client hints would be blocked entirely in M-67. Regardless, I am going to add the headers to the safe list to be spec compliant.
,
May 7 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/74e189d8d0717c2ce65a891e3fdc1a477c93c00c

commit 74e189d8d0717c2ce65a891e3fdc1a477c93c00c
Author: Tarun Bansal <tbansal@chromium.org>
Date: Mon May 07 19:07:35 2018

Add client hints headers as CORS safe headers

Client hints are device-specific and not origin specific. This brings Chromium to be spec-compliant.

Bug: 830118
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_mojo
Change-Id: I5a645c1d89fb7800168a2bdf571122f1dce01743
Reviewed-on: https://chromium-review.googlesource.com/1000879
Commit-Queue: Tarun Bansal <tbansal@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Cr-Commit-Position: refs/heads/master@{#556518}

[modify] https://crrev.com/74e189d8d0717c2ce65a891e3fdc1a477c93c00c/chrome/browser/client_hints/client_hints_browsertest.cc
[modify] https://crrev.com/74e189d8d0717c2ce65a891e3fdc1a477c93c00c/services/network/public/cpp/cors/cors.cc
[modify] https://crrev.com/74e189d8d0717c2ce65a891e3fdc1a477c93c00c/services/network/public/cpp/cors/cors_unittest.cc
[add] https://crrev.com/74e189d8d0717c2ce65a891e3fdc1a477c93c00c/third_party/WebKit/LayoutTests/external/wpt/cors/client-hint-request-headers.htm
[modify] https://crrev.com/74e189d8d0717c2ce65a891e3fdc1a477c93c00c/third_party/WebKit/LayoutTests/external/wpt/cors/simple-requests.htm
[modify] https://crrev.com/74e189d8d0717c2ce65a891e3fdc1a477c93c00c/third_party/blink/public/platform/web_client_hints_types.mojom
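
Added example (not part of the thread and not Chromium's code): a simplified JavaScript model of the CORS safelist check discussed above, showing why an image request carrying client hints is preflighted when those headers are missing from the safe list and stays "simple" once they are included. The client hint names (`DPR`, `Downlink`, `Save-Data`, `Viewport-Width`, `Width`) are assumed from the Fetch standard's safelist of that period; the exact set added to `cors.cc` is not shown on this page, and the function names are hypothetical.

```javascript
// Simplified model of the Fetch "CORS-safelisted request-header" decision.
// Header sets below are assumptions for illustration, not copied from cors.cc.
const BASE_SAFELIST = new Set(["accept", "accept-language", "content-language"]);
const CLIENT_HINTS = new Set(["dpr", "downlink", "save-data", "viewport-width", "width"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Returns the lowercased names of request headers that are not safelisted.
function unsafeHeaderNames(headers, treatClientHintsAsSafe) {
  const unsafe = [];
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (BASE_SAFELIST.has(lower)) continue;
    if (treatClientHintsAsSafe && CLIENT_HINTS.has(lower)) continue;
    if (lower === "content-type") {
      // Only the MIME type essence matters; parameters such as charset are ignored.
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (SAFE_CONTENT_TYPES.has(essence)) continue;
    }
    unsafe.push(lower);
  }
  return unsafe;
}

// A cross-origin CORS request is preflighted when its method or any header
// falls outside the safelists.
function needsPreflight(request, treatClientHintsAsSafe) {
  if (!SAFE_METHODS.has(request.method.toUpperCase())) return true;
  return unsafeHeaderNames(request.headers, treatClientHintsAsSafe).length > 0;
}

// Constructed sample: a cross-origin image request carrying client hints.
const imageRequest = {
  method: "GET",
  headers: { Accept: "image/webp,image/*", DPR: "2", "Viewport-Width": "1280", Width: "640" },
};
// Constructed sample: the same request plus a custom header.
const withCustom = { method: "GET", headers: { ...imageRequest.headers, "X-Debug": "1" } };

console.log("hints not safelisted:", needsPreflight(imageRequest, false),
  unsafeHeaderNames(imageRequest.headers, false));
console.log("hints safelisted:    ", needsPreflight(imageRequest, true));
// A non-safelisted custom header still forces a preflight after the change.
console.log("custom header:       ", needsPreflight(withCustom, true));
```
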
,
May 7 2018
Comment 1 by mr.gerar...@gmail.com
, Apr 7 2018