@mikewest mikewest commented Jul 9, 2025

This change aims to explain how and when user agents intervene against requests in order to protect users. It introduces a few stage in Fetching, which gives user agents a clear hook after a set of prerequisite checks (MIX, CSP, etc.) are performed in Main Fetch.

This was originally proposed (and is explained in a bit more detail) in https://explainers-by-googlers.github.io/script-blocking/, and the hook's details and exact positioning were informed by the discussion in explainers-by-googlers/script-blocking#2.

  • At least two implementers are interested (and none opposed):

    • Multiple browsers ship this kind of behavior (whether in the form of Safe Browsing, tracking protection, etc). The brief discussion in "Location of this check" (explainers-by-googlers/script-blocking#2) suggests that there's interest in standardizing the broad strokes of the behavior by providing this implementation-defined hook.
  • Tests are written and can be reviewed and commented upon at:

    • The exact set of resources against which user agents intervene is not (and likely cannot be) standardized. https://explainers-by-googlers.github.io/script-blocking/#testing suggests one approach to testing which might allow vendors to verify that their interventions are consistently positioned within Fetch, but that infrastructure hasn't yet been built or agreed-upon. If there's interest in doing so, I'll happily file an issue against web-platform-tests/rfcs to discuss.
  • Implementation bugs are filed:

    • As above, all browsers currently ship something like this. In my (limited) testing, they all seem to agree on the broad strokes of when the check happens.
  • MDN issue is filed:

    • This seems unnecessary for this change, but I'm happy to put together documentation if it's deemed helpful.
  • The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)


mikewest commented Jul 9, 2025

Hey @annevk! This is my interpretation of your suggestion from explainers-by-googlers/script-blocking#2 (comment). Not at all an urgent request, but I'll appreciate feedback when you have time.

cc @domenic and @ZainabAq as an FYI, since y'all had excellent feedback on the original proposal.

@mikewest

Friendly ping, @annevk: @slightlyoff asked about this in a thread on GitHub, so I would like to get it cleaned up and landed if it's still in-line with what you'd like to see.

@annevk annevk left a comment

Thanks for writing this up. I'd like to double check internally this is the kind of flexibility we are okay with, but generally this looks good to me. Based on that I left a number of editorial comments. I didn't spot anything wrong.

Would @bvandersloot-mozilla be a good person to okay this for Mozilla?

@mikewest

Thanks for the suggestions (and especially for those you fixed yourself!), I've run through all of them and hope the PR is in decent shape for your colleagues and @bvandersloot-mozilla, et al. to run through as well.

MayyaSunil commented Aug 18, 2025

@mikewest We discussed this internally at Mozilla and are aligned with this change. Thank you for putting it together.

@mikewest

Thanks, @MayyaSunil! @annevk, anything to fix up from Apple's perspective?

annevk commented Aug 18, 2025

No. I think for testing we should at least have some kind of issue filed. It doesn't have to be a WPT RFC though, unless Mozilla is interested in that.

@mikewest

Filed web-platform-tests/rfcs#227.
