Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow range header to be set by APIs #560

Merged
merged 2 commits into from
May 29, 2018
Merged

Allow range header to be set by APIs #560

merged 2 commits into from
May 29, 2018

Conversation

jakearchibald
Copy link
Collaborator

@jakearchibald jakearchibald commented Jun 29, 2017

This is part of #144.

The aim is to allow APIs to use the range header for no-cors requests, and allow them to pass through a service worker, but disallow modification of these requests, and disallow developers creating their own no-cors ranged requests.


Preview | Diff

@jakearchibald jakearchibald requested a review from annevk June 29, 2017 16:27
Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple nits. I'll have more time to study the impact next week. The idea is that media APIs will set this flag?

@@ -4219,9 +4251,6 @@ objects.</span>
"<code>response</code>" or
"<code>none</code>".

<p class="note no-backref">"<code>immutable</code>" exists for service workers.
[[!SW]]
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Was this intentional?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, "immutable" is also used for fetch() responses. I could add the comment back and include the other places "immutable" is used.

fetch.bs Outdated
@@ -4240,6 +4269,17 @@ objects.</span>
"<code>request</code>" and <var>name</var> is a <a>forbidden header name</a>,
return.

<li><p>Otherwise, if <a for=Headers>guard</a> is "<code>request-no-cors</code>" and
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Newline after <li> as it contains multiple children.

fetch.bs Outdated
@@ -4839,14 +4892,17 @@ constructor must run these steps:

<li><p>Set <var>request</var>'s
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Newline due to multiple children again.

fetch.bs Outdated
@@ -4839,14 +4892,17 @@ constructor must run these steps:

<li><p>Set <var>request</var>'s
<a for=request>referrer policy</a> to the empty string.
<p class=note>This is done to ensure that when a service worker "redirects" a request, .e.g.,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No dot before e.g.

@jakearchibald
Copy link
Collaborator Author

The idea is that media APIs will set this flag?

And downloads, yeah.

I'm not quite sure how to spec that bit yet, I guess there'll be a section like "this API may issue range requests. To fetch a range, run the following steps…"

Those steps will detail how to handle ranges that don't match what was requested, and ensuring all parts come from the same source if any opaque response is involved. Also how to handle an HTTP 200 response.

For downloads I want to ensure that browsers restart the download if the length, etag or last-modified has changed. Firefox is the only browser doing a decent job here, the others happy merge the chunks together even though the content has changed.

@annevk annevk requested a review from foolip June 30, 2017 17:30
Copy link
Member

@foolip foolip left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've looked over the changes and it seems to make sense to me. @annevk, any parts in particular you were looking for feedback on?

@annevk
Copy link
Member

annevk commented Jul 4, 2017

@foolip mostly if these changes are compatible with eventual changes for the media API in HTML.

@annevk
Copy link
Member

annevk commented Jul 4, 2017

@jakearchibald I guess we can't really test this change without defining some of the other parts? I wonder if we just want to land this (assuming it's editorially okay) and test later or wait until we have defined some of the integration bits.

@jakearchibald
Copy link
Collaborator Author

@annevk I can write tests for the cases that must produce a network error. Eg returning a ranged response to a request that didn't have a range header.

Aside from that, given that the intent is to prevent script-created no-cors requests with range headers, it might not be possible to automate the tests. Seeking an audio element should produce enough range requests for testing, but the browser doesn't have to make range requests to be spec-compliant.

What's best for me to do next? Make a couple of tests for this PR, or start on the HTML changes?

@annevk
Copy link
Member

annevk commented Jul 4, 2017

@jakearchibald if you're okay with doing HTML first before landing this I think that'd be ideal. HTML will require tests as well so you could also start there. I don't really have advice how to handle the case where a UA would opt not do range requests. Maybe we can make that non-conforming? Not sure there's a good reason for that.

@foolip
Copy link
Member

foolip commented Jul 4, 2017

@foolip mostly if these changes are compatible with eventual changes for the media API in HTML.

Probably. I think the non-obvious things that need to work for media elements are:

  • Requesting the range 0- must be possible.
  • If the response to that is 200, that's not an error, but it is a piece of information that's needed to avoid interrupting the fetch later, as resuming is impossible.
  • If more data than requested is returned, that's probably OK, as long as it starts at the right place.
  • Cache behavior is strange and probably inconsistent. At the very least, with no cache-related headers, I think implementations assume it is unchanging as long as the resource size doesn't change, or perhaps even a growing resource is OK. Needs testing.

@foolip
Copy link
Member

foolip commented Jul 5, 2017

Media fragments #t=30,60 as actually implemented doesn't actually interact with the fetch layer at all. Rather, you just try to load the file and then seek to time offset 30. In other words, there's no existing behavior beyond byte range requests that fetch needs to explain. (Disclaimer: I haven't read the whole discussion.)

@jakearchibald
Copy link
Collaborator Author

jakearchibald commented Jul 5, 2017

@foolip cheers – that matches my mental model too.

@foolip
Copy link
Member

foolip commented Jul 6, 2017

new Audio("/path/to/media#t=30,60") makes range request, yes?

It does, but the requests should look roughly the same as when you do this:

var audio = new Audio("/path/to/media")
audio.currentTime = 30;
audio.play();
audio.ontimeupdate = function() {
  if (audio.currentTime >= 60)
    audio.pause();
}

That's actually fairly close to how this is implemented. The media fragment is handled in the media element code, not at any lower level.

If you want the server to do some of the work in slicing out 30-60 seconds, then https://www.w3.org/TR/media-frags/#URIquery-media-fragments might be what you're looking for, but that then requires a clever server to interpret "/path/to/media?t=30,60".

@annevk
Copy link
Member

annevk commented Jul 6, 2017

@guest271314 it's a little bit unclear how your feedback thus far relates to this PR. I'd appreciate it if you put it someplace else. This is really only meant for review of the proposed changes.

@jakearchibald
Copy link
Collaborator Author

It seems like browsers will allow a 206 partial response to a <script src>. As in, it will execute the script, which this PR would prevent.

The current behaviour seems weird to me. The level of risk is unclear, but if a server could be tricked into thinking your request is a range request (via query string params), and produces a partial response, it could result in data leaking.

With a service worker involved, it means you could take an opaque partial response (from a request generated by a media element) and use it in response to a script fetch. Again, there's a potential for data leak.

Should I try to find a way to preserve browser behaviour here, or go ahead and change it?

@mnot
Copy link
Member

mnot commented Jul 12, 2017

A server that generates a 206 based upon query parameters is clearly broken and intentionally so; I'd suggest trying to prevent brokenness in that case is a lost cause.

OTOH, a 206 response clearly has an application-visible semantic, as NOT being the whole response.

AFAIK there isn't any existing markup that allows a <script> to specify a range. That says to me that it should specify that a partial response shouldn't be processed.

Relevant spec seems to be here:
https://html.spec.whatwg.org/#prepare-a-script

... around step 21, which does not appear to talk about success or completeness of the result of fetching.

@annevk?

@jakearchibald
Copy link
Collaborator Author

@mnot This PR says the fetch must fail if the request does not have a Range header, and the response is 206 partial. Are you saying you disagree with that?

@jakearchibald
Copy link
Collaborator Author

Chrome's security team would prefer 206s to fail if a range wasn't requested. However, @ericlaw1979 says there are servers that do this, but the range covers the whole resource https://fiddler.ideas.aha.io/ideas/FID-I-191.

It'd be pretty easy to work around that case in the spec.

@mnot
Copy link
Member

mnot commented Jul 14, 2017

@jakearchibald ah, sorry, I didn't realise this was a PR :)

That's fine by me, with one caveat; it's also legal to send a 206 in response to a request with If-Range.

@jakearchibald
Copy link
Collaborator Author

@mnot oh wow, I totally forgot about If-Range. Thank you! I've never seen a browser make an If-Range request, are you aware of any cases where they do?

@ericlaw
Copy link

ericlaw commented Jul 14, 2017

Aren't we still okay here? "A client MUST NOT generate an If-Range header field in a request that does not contain a Range header field. A server MUST ignore an If-Range header field received in a request that does not contain a Range header field."

@jakearchibald
Copy link
Collaborator Author

@ericlaw correct! I thought that If-Range was an alternative to Range, but as you say, it isn't, so we're fine.

It would make sense for browsers to use If-Range when resuming downloads, but none do.

@jakearchibald
Copy link
Collaborator Author

I need to take #144 (comment) into account when I pick this up again.

@wanderview
Copy link
Member

I'm a little concerned that this may not match the gecko implementation at all. Currently we add Range headers at the http cache level. We do this because we use the http cache to known whether we are resuming a previously seen resource or if the resource has changed. If the resource has changed we don't use a range request.

@mcmanus Is my reading of range requests in gecko correct here? Are there other ways that we generate range requests? For example, do media channels do something different here compared to resuming a download?

@wanderview
Copy link
Member

Oh, we do set it manually in other places:

https://searchfox.org/mozilla-central/source/dom/html/HTMLMediaElement.cpp#1264

@jakearchibald
Copy link
Collaborator Author

Re-reading this, I'm not happy with:

const request = new Request(event.request);
request.headers.set('accept', 'foo');

Now the request has the range header from event.request, and the modified accept header.

The range header will be ditched when it gets copied within fetch(), but it feels like privileged headers should be removed if the headers are tampered with, and the guard is "request-no-cors".

jgraham pushed a commit to web-platform-tests/wpt that referenced this pull request May 29, 2018
@annevk
Copy link
Member

annevk commented May 29, 2018

(There appear to be some issues with the various servers involved in building, so it might not be properly published until tomorrow.)

@jakearchibald
Copy link
Collaborator Author

Whoop! Thanks for dragging me through this one. Maybe one day I'll get a PR through without 100 changes 😀

@youennf
Copy link
Collaborator

youennf commented May 29, 2018

Nice to see this happening, this might be especially useful in WebKit context where audio/video relies a lot on range requests.
Based on https://bugs.webkit.org/show_bug.cgi?id=184447, it seems that some servers might require 'Accept-Encoding : identity' to serve range responses from range requests.
I don't know how much this is a bug that servers should fix and how much this can impact deployment of this feature.

@annevk
Copy link
Member

annevk commented May 29, 2018

@youennf could you file a new issue on that Accept-Encoding thing? Seems like something we should research further.

@youennf
Copy link
Collaborator

youennf commented May 29, 2018

Filed #747

moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this pull request Jun 10, 2018
…rvice worker, a=testonly

Automatic update from web-platform-testsAllow range headers to pass through a service worker (#10348)

Tests for whatwg/fetch#560

--

wpt-commits: fb6d16d92af29262b6137b79e61f0c4b136c6ac1
wpt-pr: 10348
xeonchen pushed a commit to xeonchen/gecko-cinnabar that referenced this pull request Jun 12, 2018
…rvice worker, a=testonly

Automatic update from web-platform-testsAllow range headers to pass through a service worker (#10348)

Tests for whatwg/fetch#560

--

wpt-commits: fb6d16d92af29262b6137b79e61f0c4b136c6ac1
wpt-pr: 10348
alice pushed a commit to alice/html that referenced this pull request Jan 8, 2019
gecko-dev-updater pushed a commit to marco-c/gecko-dev-comments-removed that referenced this pull request Oct 3, 2019
…rvice worker, a=testonly

Automatic update from web-platform-testsAllow range headers to pass through a service worker (#10348)

Tests for whatwg/fetch#560

--

wpt-commits: fb6d16d92af29262b6137b79e61f0c4b136c6ac1
wpt-pr: 10348

UltraBlame original commit: 8b458f3d30b63afa745527bc31744f4971749224
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified that referenced this pull request Oct 3, 2019
…rvice worker, a=testonly

Automatic update from web-platform-testsAllow range headers to pass through a service worker (#10348)

Tests for whatwg/fetch#560

--

wpt-commits: fb6d16d92af29262b6137b79e61f0c4b136c6ac1
wpt-pr: 10348

UltraBlame original commit: 8b458f3d30b63afa745527bc31744f4971749224
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified-and-comments-removed that referenced this pull request Oct 3, 2019
…rvice worker, a=testonly

Automatic update from web-platform-testsAllow range headers to pass through a service worker (#10348)

Tests for whatwg/fetch#560

--

wpt-commits: fb6d16d92af29262b6137b79e61f0c4b136c6ac1
wpt-pr: 10348

UltraBlame original commit: 8b458f3d30b63afa745527bc31744f4971749224
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Aug 17, 2020
This change implements the following edit to the Fetch spec:
whatwg/fetch#560

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
annevk pushed a commit that referenced this pull request Aug 18, 2020
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Aug 18, 2020
This change implements the following edits to the Fetch spec:
whatwg/fetch#560
whatwg/fetch#1076

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Aug 18, 2020
This change implements the following edits to the Fetch spec:
whatwg/fetch#560
whatwg/fetch#1076

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Aug 19, 2020
This change implements the following edits to the Fetch spec:
whatwg/fetch#560
whatwg/fetch#1076

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Aug 20, 2020
This change implements the following edits to the Fetch spec:
whatwg/fetch#560
whatwg/fetch#1076

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Aug 20, 2020
This change implements the following edits to the Fetch spec:
whatwg/fetch#560
whatwg/fetch#1076

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Aug 21, 2020
This change implements the following edits to the Fetch spec:
whatwg/fetch#560
whatwg/fetch#1076

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this pull request Aug 21, 2020
This change implements the following edits to the Fetch spec:
whatwg/fetch#560
whatwg/fetch#1076

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339761
Commit-Queue: Nicolas Arciniega <[email protected]>
Reviewed-by: Kinuko Yasuda <[email protected]>
Reviewed-by: Matt Falkenhagen <[email protected]>
Reviewed-by: Ben Kelly <[email protected]>
Reviewed-by: Yutaka Hirano <[email protected]>
Reviewed-by: Makoto Shimazu <[email protected]>
Cr-Commit-Position: refs/heads/master@{#800663}
pull bot pushed a commit to Alan-love/chromium that referenced this pull request Aug 21, 2020
This change implements the following edits to the Fetch spec:
whatwg/fetch#560
whatwg/fetch#1076

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339761
Commit-Queue: Nicolas Arciniega <[email protected]>
Reviewed-by: Kinuko Yasuda <[email protected]>
Reviewed-by: Matt Falkenhagen <[email protected]>
Reviewed-by: Ben Kelly <[email protected]>
Reviewed-by: Yutaka Hirano <[email protected]>
Reviewed-by: Makoto Shimazu <[email protected]>
Cr-Commit-Position: refs/heads/master@{#800663}
stephenmcgruer pushed a commit to web-platform-tests/wpt that referenced this pull request Aug 22, 2020
This change implements the following edits to the Fetch spec:
whatwg/fetch#560
whatwg/fetch#1076

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339761
Commit-Queue: Nicolas Arciniega <[email protected]>
Reviewed-by: Kinuko Yasuda <[email protected]>
Reviewed-by: Matt Falkenhagen <[email protected]>
Reviewed-by: Ben Kelly <[email protected]>
Reviewed-by: Yutaka Hirano <[email protected]>
Reviewed-by: Makoto Shimazu <[email protected]>
Cr-Commit-Position: refs/heads/master@{#800663}

Co-authored-by: Nicolas Arciniega <[email protected]>
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this pull request Aug 27, 2020
…ervice worker, a=testonly

Automatic update from web-platform-tests
Allow range requests to pass through a service worker (#25053)

This change implements the following edits to the Fetch spec:
whatwg/fetch#560
whatwg/fetch#1076

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339761
Commit-Queue: Nicolas Arciniega <[email protected]>
Reviewed-by: Kinuko Yasuda <[email protected]>
Reviewed-by: Matt Falkenhagen <[email protected]>
Reviewed-by: Ben Kelly <[email protected]>
Reviewed-by: Yutaka Hirano <[email protected]>
Reviewed-by: Makoto Shimazu <[email protected]>
Cr-Commit-Position: refs/heads/master@{#800663}

Co-authored-by: Nicolas Arciniega <[email protected]>
--

wpt-commits: 868ca3586f9dda74b2bb3b6f6dfb67a13e359090
wpt-pr: 25053
ambroff pushed a commit to ambroff/gecko that referenced this pull request Nov 4, 2020
…ervice worker, a=testonly

Automatic update from web-platform-tests
Allow range requests to pass through a service worker (#25053)

This change implements the following edits to the Fetch spec:
whatwg/fetch#560
whatwg/fetch#1076

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339761
Commit-Queue: Nicolas Arciniega <[email protected]>
Reviewed-by: Kinuko Yasuda <[email protected]>
Reviewed-by: Matt Falkenhagen <[email protected]>
Reviewed-by: Ben Kelly <[email protected]>
Reviewed-by: Yutaka Hirano <[email protected]>
Reviewed-by: Makoto Shimazu <[email protected]>
Cr-Commit-Position: refs/heads/master@{#800663}

Co-authored-by: Nicolas Arciniega <[email protected]>
--

wpt-commits: 868ca3586f9dda74b2bb3b6f6dfb67a13e359090
wpt-pr: 25053
mjfroman pushed a commit to mjfroman/moz-libwebrtc-third-party that referenced this pull request Oct 14, 2022
This change implements the following edits to the Fetch spec:
whatwg/fetch#560
whatwg/fetch#1076

Existing web tests cover the new functionality.

Bug: 847428
Change-Id: Ie63704769e99d4b8d26d8903edf4cc4e3466c124
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2339761
Commit-Queue: Nicolas Arciniega <[email protected]>
Reviewed-by: Kinuko Yasuda <[email protected]>
Reviewed-by: Matt Falkenhagen <[email protected]>
Reviewed-by: Ben Kelly <[email protected]>
Reviewed-by: Yutaka Hirano <[email protected]>
Reviewed-by: Makoto Shimazu <[email protected]>
Cr-Commit-Position: refs/heads/master@{#800663}
GitOrigin-RevId: 5da0ed1e65305ab2c6d9de2bb4ce62f159520ba8
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

7 participants