should sec-ch-ua headers be visible in FetchEvent.request.headers #1525

Open
wanderview opened this issue Jul 30, 2020 · 8 comments

@wanderview
Member

Currently the spec requires that user-agent header be set after the service worker fetch handler, so the user-agent header is not visible on FetchEvent.request.

Client hints headers in general, however, are added prior to service worker processing:

https://wicg.github.io/client-hints-infrastructure/#fetch

This results in the new sec-ch-ua headers appearing on FetchEvent.request which seems inconsistent with not exposing user-agent.

What do folks think we should do here? Accept the difference between sec-ch-ua and user-agent? Align sec-ch-ua with current user-agent behavior?

@annevk @jakearchibald @youennf

@wanderview
Member Author

This affects fetch-request-xhr.https.html WPT test.

@jakearchibald
Contributor

Is the content of these headers defined anywhere? It isn't clear what they contain.

Is there a security reason to prevent them being visible in the service worker?

I think the user-agent header can already be overridden by script, whereas client hints cannot, as they start with sec-, although it looks like they may drop that requirement.

Do we know what behaviour they want?

@wanderview
Member Author

@yoavweiss can hopefully answer that.

@yoavweiss

> Is the content of these headers defined anywhere? It isn't clear what they contain.

https://wicg.github.io/ua-client-hints/

> Do we know what behaviour they want?

For other client hints (which may vary over time), it seems critical for the Service Worker to see the hints so that it can respond with the right variant.
For UA-CH specifically, I don't see any harm in exposing them, but there's also no huge benefit in doing that, other than simplifying the processing model and implementations.
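
An added example, not code from this thread, its participants or the specs it links: a service worker fetch handler that records which UA-identifying headers are readable on `FetchEvent.request` (the question the issue raises) and keys cached responses by the client hints present (the variant case in the comment above). The helper names, the `variants-v1` cache name and the `sw-variant` query parameter are assumptions made for the example.

```javascript
// Added example; helper names, cache name and the sw-variant parameter are assumptions.
const UA_HEADERS = ['user-agent', 'sec-ch-ua', 'sec-ch-ua-mobile', 'sec-ch-ua-platform'];
const VARIANT_HINTS = ['sec-ch-dpr', 'sec-ch-viewport-width', 'sec-ch-ua-mobile'];
const MAX_HINT_LENGTH = 32; // bound key size: hint values come from the request

// Which UA-identifying headers can the fetch handler actually read?
function visibleUaHeaders(headers) {
  return UA_HEADERS.filter((name) => headers.has(name));
}

// Derive a per-variant cache key from the hints present on the request.
// A query parameter is used because Cache API matching ignores URL fragments.
function variantKey(url, headers) {
  const parts = VARIANT_HINTS
    .filter((name) => headers.has(name))
    .map((name) => `${name}=${headers.get(name).slice(0, MAX_HINT_LENGTH)}`);
  if (parts.length === 0) return url;
  const keyed = new URL(url);
  keyed.searchParams.set('sw-variant', parts.join(';'));
  return keyed.href;
}

// Service worker wiring; skipped when the file is loaded outside a worker.
if (typeof ServiceWorkerGlobalScope !== 'undefined' && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('fetch', (event) => {
    const { request } = event;
    if (request.method !== 'GET') return; // let the browser handle non-GET
    console.debug('UA headers visible to SW:', visibleUaHeaders(request.headers));
    event.respondWith((async () => {
      const cache = await caches.open('variants-v1');
      const key = variantKey(request.url, request.headers);
      const cached = await cache.match(key);
      if (cached) return cached;
      const response = await fetch(request);
      // cache.put rejects partial (206) responses and responses with "Vary: *"
      if (response.status === 200 && response.headers.get('vary') !== '*') {
        await cache.put(key, response.clone());
      }
      return response;
    })());
  });
}
```
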

@yoavweiss

/cc @amtunlimited

@annevk
Member

annevk commented Aug 4, 2020

There's a set of low-level problems with these headers that hasn't been resolved, e.g., whatwg/fetch#1000. There's also whatwg/fetch#726 from 2018 without many updates.

@jakearchibald
Contributor

@annevk can you remember why the user agent header is added so late in fetch?

@annevk
Member

annevk commented Aug 17, 2020

That's how implementations did it and I don't think we considered changing that when adding service workers.
