Anne van Kesteren
As discussed in https://github.com/tc39/proposal-import-assertions/pull/111. (And prolly assertions in general would be good.)
As discussed in https://github.com/whatwg/html/issues/6468 we need to make adjustments to handle HTTP Live Streaming correctly.
We might not always have an encoding, e.g., `fetch(..., { mode: "no-cors" })`. Is it reasonable to always use UTF-8 for this check?
@tomrittervg inspired me to revisit https://github.com/whatwg/fetch/issues/964 which is the main reason we have this step currently:

> If _mimeType_ is failure, then return true.

At this point in the algorithm...
Reading @anforowicz's [Gradual CORB -> ORB transition](https://docs.google.com/document/d/1qUbE2ySi6av3arUEw5DNdFJIKKBbWGRGsXz_ew3S7HQ/edit) it occurred to me there's another way we attempt to avoid hitting the expensive option. By checking if the file starts with `%PDF-`...
We based what `fetch()` with no-cors can do upon CORS, but while that makes sense for requests, it doesn't make a whole lot of sense for responses now that opaque...
In particular, we could require an ok status as well and network error otherwise as the attacker process will do the same. It's not clear how often this would prevent...
@lukewagner has been asking me about this idea several times and what he'd mostly like to see is synchronous I/O in workers, to be able to emulate POSIX and get...
I'd love to see this be as deterministic as our text encoding setup, even if it needs to evolve over time somehow.
It seems that https://github.com/WebAssembly/content-security-policy/blob/main/proposals/CSP.md hasn't been integrated here yet, but https://w3c.github.io/webappsec-csp/#can-compile-wasm-bytes does exist. @antosart @fgmccabe