orb icon indicating copy to clipboard operation
orb copied to clipboard

Published 20 hours ago verified publisher icon annevk

It is unclear if blocking no-cors is web-compatible

Open smaug---- opened this issue 1 year ago • 8 comments

Some background https://wpt.fyi/results/fetch/orb/tentative/known-mime-type.sub.any.html?label=master&label=experimental&aligned&view=subtest&q=fetch%2F

Soon after orb was enabled on early Firefox beta we got https://bugzilla.mozilla.org/show_bug.cgi?id=1823877 https://bugzilla.mozilla.org/show_bug.cgi?id=1823864

It is unclear though if any site is really broken.

@domenic do you know if Google has data about cross-origin no-cors usage?

smaug---- avatar Mar 23 '23 13:03 smaug----

I don't, but I'll try asking the teams working on ORB to comment.

domenic avatar Mar 24 '23 02:03 domenic

@otherdaniel can almost certainly help here.

mikewest avatar Mar 24 '23 08:03 mikewest

I don't have specific numbers on 'no-cors' usage, unfortunately.

Generally, ORB is surely a compatibilty risk, and we've had to rollback our initial attempts due to site breakage. (E.g. crbug.com/1359788) Our approach is to gradually increase our coverage of the proposal until we cover the whole functionality. The example in your bug reports wouldn't block in our current implementation, because so far we still inject empty responses and we don't implement the JS sniffing step.

[Edit: See comment below. The referenced bug isn't an ORB thing.]

otherdaniel avatar Mar 24 '23 12:03 otherdaniel

@otherdaniel that breakage is due to CORB, not ORB, though. Only CORB attempts to sniff for HTML and therefore misidentifies the SVG.

annevk avatar Mar 24 '23 12:03 annevk

In https://bugzilla.mozilla.org/show_bug.cgi?id=1823877 we're trying to make sure that filtered responses are filtered in such a way that we don't leak the filtered data. With ORB and Window.fetch+no-cors we have to do this anyway. I guess that ideally ORB would want to block all Window.fetch+no-cors? With the reasoning that a filtered response is almost indistinguishable from a NetworkError. I get that that would be hard right now, but that should be the end-game, right?

farre avatar Mar 24 '23 14:03 farre

Ideally all "no-cors" would result in a network error, yes.

For fetch(), opaque responses can be stored (any context) and replayed (with a service worker) and when that is done for <img> the current setup ensures that continues to work.

annevk avatar Mar 24 '23 15:03 annevk

FetchEvent.respondWith's behavior for "no-cors" then becomes a thing to discuss I guess. In the ideal case I mean, since that is specified to have the behavior for "no-cors" fetches pre-ORB. Would we expect that to throw as well?

farre avatar Mar 29 '23 09:03 farre

To be clear, my ideal above would also make <img> not work (as it does "no-cors" requests by default), so it's rather theoretical.

I would expect respondWith() to continue to work for "no-cors" things that do not get network error'ed by the ORB filter.

annevk avatar Mar 29 '23 11:03 annevk