Description
WebKittens
Title of the proposal
CORS readability for no-cors requests
URL to the spec
URL to the spec's repository
https://github.com/whatwg/html/
Issue Tracker URL
No response
Explainer URL
No response
TAG Design Review URL
No response
Mozilla standards-positions issue URL
mozilla/standards-positions#1240
WebKit Bugzilla URL
No response
Radar URL
No response
Description
We are exploring a mechanism for servers to assert public readability for no-cors requests. The concrete use cases are for enabling features for resources that are effectively "public". Specifically:
- Compression dictionary content-encoding
- Resource timing headers (like content-encoding) that are gated by readability
For widely-used third-party embeds (analytics, social media, video players, etc.) where sites have used a <script> tag to use the third-party resource, or images loaded by CSS, it would be useful if there were a way for the origin to assert that a response should be readable independent of how it was fetched (i.e. it would send the same response to anonymous or credentialed requests).
Sites could change the script tags to explicitly opt in to CORS with a crossorigin attribute, but there are adoption problems with making that happen at scale, and there are performance concerns with either a preflight check requirement or using a dedicated uncredentialed connection (and there is no way to opt in to CORS from CSS images).
To minimize the risk of accidental exposure of private responses, we're proposing a new header and requiring ACAO *. Both response headers must be present for a response to be readable and in the case of a redirect, every response in the redirect path needs to also include the headers (or be readable by virtue of being same-site).
Content-Readability: public
Access-Control-Allow-Origin: *
To facilitate negotiation, particularly for the dictionary use case where an unreadable response would be a broken response, we're also proposing that no-cors requests from clients that support explicit readability send a new request header:
Sec-Accept-Content-Readability: public
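As an added illustration of the response-side rule above (not code from WebKit, the proposal or the HTML spec), the following checks a no-cors response's redirect chain: every hop must either carry both `Content-Readability: public` and `Access-Control-Allow-Origin: *` or be same-site with the requester. The chain format, the requester URL and the same-site heuristic are assumptions of this example.

```javascript
// Added example of the proposed readability rule; not WebKit or spec code.
// Header names and values come from the proposal. The chain shape
// ({url, headers} per hop), the requester site and the same-site
// heuristic are assumptions made for this illustration.

function getHeader(headers, name) {
  // HTTP header names are case-insensitive; values are trimmed.
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : String(headers[key]).trim();
}

// Simplified same-site test: compare the last two host labels.
// A real implementation must derive the registrable domain from the
// Public Suffix List; this shortcut is wrong for e.g. "co.uk" hosts.
function registrableDomain(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Both response headers are required; either one alone is not enough.
function assertsPublicReadability(headers) {
  return getHeader(headers, 'content-readability') === 'public' &&
         getHeader(headers, 'access-control-allow-origin') === '*';
}

// chain: hops in redirect order, final response last.
// requesterUrl: the page that issued the no-cors request.
function isReadable(requesterUrl, chain) {
  const site = registrableDomain(requesterUrl);
  return chain.every(resp =>
    registrableDomain(resp.url) === site || assertsPublicReadability(resp.headers));
}

// Constructed sample hops (hostnames are placeholders).
const requester = 'https://app.example/page';
const cdnPublic = { url: 'https://cdn.third-party.test/lib.js',
  headers: { 'Content-Readability': 'public', 'Access-Control-Allow-Origin': '*' } };
const cdnMissingAcao = { url: 'https://cdn.third-party.test/lib.js',
  headers: { 'Content-Readability': 'public' } };
const sameSiteHop = { url: 'https://static.app.example/r',
  headers: { Location: 'https://cdn.third-party.test/lib.js' } };
const opaqueHop = { url: 'https://go.third-party.test/r', headers: {} };

console.log(isReadable(requester, [cdnPublic]));              // true
console.log(isReadable(requester, [cdnMissingAcao]));         // false
console.log(isReadable(requester, [sameSiteHop, cdnPublic])); // true
console.log(isReadable(requester, [opaqueHop, cdnPublic]));   // false
```

The last case shows why the per-hop rule matters: an unreadable cross-site redirector in front of a readable resource keeps the whole response opaque.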