-
Notifications
You must be signed in to change notification settings - Fork 342
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow range header to be set by APIs #560
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Couple nits. I'll have more time to study the impact next week. The idea is that media APIs will set this flag?
@@ -4219,9 +4251,6 @@ objects.</span> | |||
"<code>response</code>" or | |||
"<code>none</code>". | |||
|
|||
<p class="note no-backref">"<code>immutable</code>" exists for service workers. | |||
[[!SW]] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Was this intentional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, "immutable" is also used for fetch()
responses. I could add the comment back and include the other places "immutable" is used.
fetch.bs
Outdated
@@ -4240,6 +4269,17 @@ objects.</span> | |||
"<code>request</code>" and <var>name</var> is a <a>forbidden header name</a>, | |||
return. | |||
|
|||
<li><p>Otherwise, if <a for=Headers>guard</a> is "<code>request-no-cors</code>" and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Newline after <li>
as it contains multiple children.
fetch.bs
Outdated
@@ -4839,14 +4892,17 @@ constructor must run these steps: | |||
|
|||
<li><p>Set <var>request</var>'s |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Newline due to multiple children again.
fetch.bs
Outdated
@@ -4839,14 +4892,17 @@ constructor must run these steps: | |||
|
|||
<li><p>Set <var>request</var>'s | |||
<a for=request>referrer policy</a> to the empty string. | |||
<p class=note>This is done to ensure that when a service worker "redirects" a request, .e.g., |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No dot before e.g.
And downloads, yeah. I'm not quite sure how to spec that bit yet, I guess there'll be a section like "this API may issue range requests. To fetch a range, run the following steps…" Those steps will detail how to handle ranges that don't match what was requested, and ensuring all parts come from the same source if any opaque response is involved. Also how to handle an HTTP 200 response. For downloads I want to ensure that browsers restart the download if the length, etag or last-modified has changed. Firefox is the only browser doing a decent job here, the others happy merge the chunks together even though the content has changed. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've looked over the changes and it seems to make sense to me. @annevk, any parts in particular you were looking for feedback on?
@foolip mostly if these changes are compatible with eventual changes for the media API in HTML. |
@jakearchibald I guess we can't really test this change without defining some of the other parts? I wonder if we just want to land this (assuming it's editorially okay) and test later or wait until we have defined some of the integration bits. |
@annevk I can write tests for the cases that must produce a network error. Eg returning a ranged response to a request that didn't have a range header. Aside from that, given that the intent is to prevent script-created no-cors requests with range headers, it might not be possible to automate the tests. Seeking an audio element should produce enough range requests for testing, but the browser doesn't have to make range requests to be spec-compliant. What's best for me to do next? Make a couple of tests for this PR, or start on the HTML changes? |
@jakearchibald if you're okay with doing HTML first before landing this I think that'd be ideal. HTML will require tests as well so you could also start there. I don't really have advice how to handle the case where a UA would opt not do range requests. Maybe we can make that non-conforming? Not sure there's a good reason for that. |
Probably. I think the non-obvious things that need to work for media elements are:
|
Media fragments |
@foolip cheers – that matches my mental model too. |
It does, but the requests should look roughly the same as when you do this: var audio = new Audio("/path/to/media")
audio.currentTime = 30;
audio.play();
audio.ontimeupdate = function() {
if (audio.currentTime >= 60)
audio.pause();
} That's actually fairly close to how this is implemented. The media fragment is handled in the media element code, not at any lower level. If you want the server to do some of the work in slicing out 30-60 seconds, then https://www.w3.org/TR/media-frags/#URIquery-media-fragments might be what you're looking for, but that then requires a clever server to interpret "/path/to/media?t=30,60". |
@guest271314 it's a little bit unclear how your feedback thus far relates to this PR. I'd appreciate it if you put it someplace else. This is really only meant for review of the proposed changes. |
It seems like browsers will allow a 206 partial response to a The current behaviour seems weird to me. The level of risk is unclear, but if a server could be tricked into thinking your request is a range request (via query string params), and produces a partial response, it could result in data leaking. With a service worker involved, it means you could take an opaque partial response (from a request generated by a media element) and use it in response to a script fetch. Again, there's a potential for data leak. Should I try to find a way to preserve browser behaviour here, or go ahead and change it? |
A server that generates a 206 based upon query parameters is clearly broken and intentionally so; I'd suggest trying to prevent brokenness in that case is a lost cause. OTOH, a 206 response clearly has an application-visible semantic, as NOT being the whole response. AFAIK there isn't any existing markup that allows a Relevant spec seems to be here: ... around step 21, which does not appear to talk about success or completeness of the result of fetching. |
@mnot This PR says the fetch must fail if the request does not have a |
Chrome's security team would prefer 206s to fail if a range wasn't requested. However, @ericlaw1979 says there are servers that do this, but the range covers the whole resource https://fiddler.ideas.aha.io/ideas/FID-I-191. It'd be pretty easy to work around that case in the spec. |
@jakearchibald ah, sorry, I didn't realise this was a PR :) That's fine by me, with one caveat; it's also legal to send a 206 in response to a request with |
@mnot oh wow, I totally forgot about |
Aren't we still okay here? "A client MUST NOT generate an If-Range header field in a request that does not contain a Range header field. A server MUST ignore an If-Range header field received in a request that does not contain a Range header field." |
@ericlaw correct! I thought that It would make sense for browsers to use |
I need to take #144 (comment) into account when I pick this up again. |
I'm a little concerned that this may not match the gecko implementation at all. Currently we add Range headers at the http cache level. We do this because we use the http cache to known whether we are resuming a previously seen resource or if the resource has changed. If the resource has changed we don't use a range request. @mcmanus Is my reading of range requests in gecko correct here? Are there other ways that we generate range requests? For example, do media channels do something different here compared to resuming a download? |
Oh, we do set it manually in other places: https://searchfox.org/mozilla-central/source/dom/html/HTMLMediaElement.cpp#1264 |
Re-reading this, I'm not happy with: const request = new Request(event.request);
request.headers.set('accept', 'foo'); Now the request has the range header from The range header will be ditched when it gets copied within |
(There appear to be some issues with the various servers involved in building, so it might not be properly published until tomorrow.) |
Whoop! Thanks for dragging me through this one. Maybe one day I'll get a PR through without 100 changes 😀 |
Nice to see this happening, this might be especially useful in WebKit context where audio/video relies a lot on range requests. |
@youennf could you file a new issue on that |
Filed #747 |
…rvice worker, a=testonly Automatic update from web-platform-testsAllow range headers to pass through a service worker (#10348) Tests for whatwg/fetch#560 -- wpt-commits: fb6d16d92af29262b6137b79e61f0c4b136c6ac1 wpt-pr: 10348
…rvice worker, a=testonly Automatic update from web-platform-testsAllow range headers to pass through a service worker (#10348) Tests for whatwg/fetch#560 -- wpt-commits: fb6d16d92af29262b6137b79e61f0c4b136c6ac1 wpt-pr: 10348
…rvice worker, a=testonly Automatic update from web-platform-testsAllow range headers to pass through a service worker (#10348) Tests for whatwg/fetch#560 -- wpt-commits: fb6d16d92af29262b6137b79e61f0c4b136c6ac1 wpt-pr: 10348 UltraBlame original commit: 8b458f3d30b63afa745527bc31744f4971749224
…rvice worker, a=testonly Automatic update from web-platform-testsAllow range headers to pass through a service worker (#10348) Tests for whatwg/fetch#560 -- wpt-commits: fb6d16d92af29262b6137b79e61f0c4b136c6ac1 wpt-pr: 10348 UltraBlame original commit: 8b458f3d30b63afa745527bc31744f4971749224
…rvice worker, a=testonly Automatic update from web-platform-testsAllow range headers to pass through a service worker (#10348) Tests for whatwg/fetch#560 -- wpt-commits: fb6d16d92af29262b6137b79e61f0c4b136c6ac1 wpt-pr: 10348 UltraBlame original commit: 8b458f3d30b63afa745527bc31744f4971749224
This change implements the following edit to the Fetch spec: whatwg/fetch#560 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
This change implements the following edits to the Fetch spec: whatwg/fetch#560 whatwg/fetch#1076 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
This change implements the following edits to the Fetch spec: whatwg/fetch#560 whatwg/fetch#1076 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
This change implements the following edits to the Fetch spec: whatwg/fetch#560 whatwg/fetch#1076 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
This change implements the following edits to the Fetch spec: whatwg/fetch#560 whatwg/fetch#1076 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
This change implements the following edits to the Fetch spec: whatwg/fetch#560 whatwg/fetch#1076 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
This change implements the following edits to the Fetch spec: whatwg/fetch#560 whatwg/fetch#1076 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
This change implements the following edits to the Fetch spec: whatwg/fetch#560 whatwg/fetch#1076 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339761 Commit-Queue: Nicolas Arciniega <[email protected]> Reviewed-by: Kinuko Yasuda <[email protected]> Reviewed-by: Matt Falkenhagen <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Cr-Commit-Position: refs/heads/master@{#800663}
This change implements the following edits to the Fetch spec: whatwg/fetch#560 whatwg/fetch#1076 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339761 Commit-Queue: Nicolas Arciniega <[email protected]> Reviewed-by: Kinuko Yasuda <[email protected]> Reviewed-by: Matt Falkenhagen <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Cr-Commit-Position: refs/heads/master@{#800663}
This change implements the following edits to the Fetch spec: whatwg/fetch#560 whatwg/fetch#1076 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339761 Commit-Queue: Nicolas Arciniega <[email protected]> Reviewed-by: Kinuko Yasuda <[email protected]> Reviewed-by: Matt Falkenhagen <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Cr-Commit-Position: refs/heads/master@{#800663} Co-authored-by: Nicolas Arciniega <[email protected]>
…ervice worker, a=testonly Automatic update from web-platform-tests Allow range requests to pass through a service worker (#25053) This change implements the following edits to the Fetch spec: whatwg/fetch#560 whatwg/fetch#1076 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339761 Commit-Queue: Nicolas Arciniega <[email protected]> Reviewed-by: Kinuko Yasuda <[email protected]> Reviewed-by: Matt Falkenhagen <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Cr-Commit-Position: refs/heads/master@{#800663} Co-authored-by: Nicolas Arciniega <[email protected]> -- wpt-commits: 868ca3586f9dda74b2bb3b6f6dfb67a13e359090 wpt-pr: 25053
…ervice worker, a=testonly Automatic update from web-platform-tests Allow range requests to pass through a service worker (#25053) This change implements the following edits to the Fetch spec: whatwg/fetch#560 whatwg/fetch#1076 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339761 Commit-Queue: Nicolas Arciniega <[email protected]> Reviewed-by: Kinuko Yasuda <[email protected]> Reviewed-by: Matt Falkenhagen <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Cr-Commit-Position: refs/heads/master@{#800663} Co-authored-by: Nicolas Arciniega <[email protected]> -- wpt-commits: 868ca3586f9dda74b2bb3b6f6dfb67a13e359090 wpt-pr: 25053
This change implements the following edits to the Fetch spec: whatwg/fetch#560 whatwg/fetch#1076 Existing web tests cover the new functionality. Bug: 847428 Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339761 Commit-Queue: Nicolas Arciniega <[email protected]> Reviewed-by: Kinuko Yasuda <[email protected]> Reviewed-by: Matt Falkenhagen <[email protected]> Reviewed-by: Ben Kelly <[email protected]> Reviewed-by: Yutaka Hirano <[email protected]> Reviewed-by: Makoto Shimazu <[email protected]> Cr-Commit-Position: refs/heads/master@{#800663} GitOrigin-RevId: 5da0ed1e65305ab2c6d9de2bb4ce62f159520ba8
This is part of #144.
The aim is to allow APIs to use the range header for no-cors requests, and allow them to pass through a service worker, but disallow modification of these requests, and disallow developers creating their own no-cors ranged requests.
Preview | Diff