-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add range
to CORS-safelisted request-headers
#1310
Comments
I guess we should also check that the start position is less or equal to the end position |
I strongly support this. This would immediately enable background fetch of streaming media (which frequently uses range headers) without preflight. |
The problem with allowing more headers is that we get closer to server limits which in turn might result in certain security issues. See the recent discussion in w3c/webappsec-cspee#22. We still have room in that the total header value cap for CORS is a 1024, but in practice only 128 is allowed for each of the four headers, but it does make me nervous. The other question of course is whether 128 is sufficient for |
Assuming you use both start and end values, that leaves 57 bytes for each length (assuming the worst case where they're the same size). That's up to 999,999,999,999,999,999,999,999,999,999,999 yottabytes. Surely Enough For Anyone™! |
Challenge accepted! 😁 |
I tripped over this just recently in attempting to use https://github.com/phiresky/sql.js-httpvfs, which makes use of range requests - I checked that the place I was It seems silly that I could request the entire resource but not a portion of it. |
@jakearchibald that's allowing for only one |
@mnot yep, which is all browsers ever do as far as I can tell. My intent here is to allow range headers that match |
The allowed format aligns with the values the browser uses when requesting media and resuming downloads. Tests: web-platform-tests/wpt#31058. Fixes #1310.
I tried this code in both Chrome and Safari, but it doesn't seem to work: fetch('https://pscrb.fm/rss/p/media.transistor.fm/db73bbc2/d569819b.mp3', {
mode: 'no-cors',
headers: {
Range: 'bytes=0-10240'
}
}) When I check the Network tab in DevTools, the request headers don't show the Range header. I'm not sure if I'm misunderstanding something. I tried removing |
Updates to the spec are not immediately reflected in browser implementations... but nearly 2 years seems like a reasonable amount of time for adoption. Does anyone know if this was ever implemented? Was this added to Web Platform Tests? |
I guess this is the test? web-platform-tests/wpt#31058 |
That should be enough to at least raise a flag with UA implementors, who should be running these tests regularly. |
I'm pinging people I know in Chrome to see if I can track down the implementation status. |
Appears to be implemented in Chrome and passing WPT. |
Can anyone else reproduce this issue, or is it just me? Or am I using it wrong? 😂 |
I just tried your snippet, and I think there is indeed something wrong. The Range header is not sent at all with However, you should also know that your chosen URL does an HTTP 302 redirect, but browsers don't transfer That said, I can reproduce your issue with other URLs that don't redirect. For example: // Works
fetch('https://ajax.googleapis.com/ajax/libs/shaka-player/4.3.8/shaka-player.compiled.js', {
headers: {
Range: 'bytes=0-10240'
}
}) // Ignores Range header
fetch('https://ajax.googleapis.com/ajax/libs/shaka-player/4.3.8/shaka-player.compiled.js', {
mode: 'no-cors',
headers: {
Range: 'bytes=0-10240'
}
}) I'm no expert, but this certainly breaks my expectations. |
I recommend you file a Chrome bug at crbug.com, and link to it here so we can follow along. I'll help you route it to the right people within Chrome. |
Thanks @joeyparrish ! |
No, you cannot use |
Thanks @annevk ! So, CORS-safelisted request headers just mean that these headers don't need a preflight request? In the MDN Web Docs, there's this description:
It seems like this description misled me. Even though there's no specification allowing this, it's still a bit strange. If a request that doesn't require preflight is a simple request, and mode: no-cors requires the request to be a simple request, then by that logic, Range should be usable in no-cors requests, right? Even though a no-cors request must be a simple request, it doesn't mean that a simple request can definitely be a no-cors request. But this can indeed be misleading, especially when it's not mentioned in the documentation. |
Thank you and agreed. I filed mdn/content#35488. |
Thank you so much for your explanation! |
Filed #1767, because although this currently working is as spec'd, I believe |
We allow no-cors requests to have
Range
headers as long as it's set by an internal API, and the request is unmodified.It feels like CORS requests should be able to use
Range
in particular ways without triggering a preflight. If the format matches what https://fetch.spec.whatwg.org/#concept-request-add-range-header can create, that's ok right?The text was updated successfully, but these errors were encountered: