Skip to content

Set fetch mode to cors for image resource fetching#50

Open
marcoscaceres wants to merge 5 commits intomainfrom
cors-mode-default
Open

Set fetch mode to cors for image resource fetching#50
marcoscaceres wants to merge 5 commits intomainfrom
cors-mode-default

Conversation

@marcoscaceres
Copy link
Copy Markdown
Member

@marcoscaceres marcoscaceres commented Apr 10, 2026
edited by pr-preview Bot
Loading

Summary

The "fetching an image resource" algorithm currently does not set a request mode, which defaults to no-cors. This means cross-origin servers don't need to opt-in to having their resources used as image resources.

This PR makes three changes to the algorithm:

  1. Add optional mode parameter (default "cors", restricted to "cors" or "same-origin"). This lets callers opt for stricter same-origin fetching when needed, while defaulting to cors.
  2. Set mode unconditionally, outside the if request is undefined branch, so it applies whether the algorithm creates the request or a caller passes one in.
  3. Replace TypeError with asserts for the client null-check and mode validation. The algorithm can be called from UA-internal contexts (e.g., manifest processing) where throwing a TypeError is meaningless. Asserts correctly signal spec bugs rather than runtime errors.

Rationale

  • Cross-origin servers must consent via Access-Control-Allow-Origin headers for their resources to be usable.
  • This aligns with the web platform's direction of requiring explicit opt-in for cross-origin resource sharing (COEP, COOP, etc.).
  • It matches Firefox's existing implementation (mode: "cors" in ManifestIcons.sys.mjs).

Context

This came up during review of w3c/manifest#1171, which adds a normative requirement for user agents to fetch manifest image resources using this algorithm. Checking browser implementations:

  • Firefox: explicitly sets mode: "cors" when fetching manifest icons.
  • Chrome: uses DownloadImageInFrame through the document frame (mode handling is internal).
  • WebKit: currently bypasses the document context entirely (webkit.org/b/311872).

With no-cors, a manifest author can reference cross-origin icon URLs that cause the user agent to make requests to servers that haven't opted in. While a simple GET still reaches the server regardless of mode, cors ensures the response is a network error without CORS headers, making the icon unusable. This disincentivizes using arbitrary third-party URLs as icon sources and is consistent with how fetch() itself defaults to cors.

Preview | Diff

@marcoscaceres marcoscaceres mentioned this pull request Apr 10, 2026
Merged
3 tasks
@marcoscaceres marcoscaceres requested a review from Copilot April 10, 2026 01:32
Copilot AI reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the “fetching an image resource” algorithm to explicitly set the Fetch request’s mode to cors, requiring cross-origin servers to opt in via CORS headers for image resources to be usable.

Changes:

  • Set request/Mode to "cors" when creating a new request in the image resource fetch algorithm.
  • Expand the accompanying note to explain the CORS opt-in rationale.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread index.html Outdated
@marcoscaceres marcoscaceres requested a review from Copilot April 10, 2026 04:49
Copilot AI reviewed Apr 10, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread index.html
Comment thread index.html Outdated
Comment thread index.html
Comment thread index.html Outdated
marcoscaceres and others added 5 commits April 10, 2026 15:19
@marcoscaceres
Set request mode to cors in fetching an image resource algorithm
244aaa8
@marcoscaceres @claude
Move cors mode outside conditional branch
d1edafd 
Setting mode to "cors" unconditionally ensures that all image
resource fetches use CORS, regardless of whether the caller
passes a pre-configured Request or lets the algorithm create one.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@marcoscaceres @claude
Add mode parameter, replace TypeError with asserts
2144d01 
- Add optional mode parameter (default "cors"), restricted to
  "cors" or "same-origin" via assert.
- Replace TypeError on null client with assert, since callers
  like the manifest spec are UA-internal algorithms where
  throwing a TypeError is meaningless.
- Move mode assignment outside the conditional branch so it
  applies unconditionally to all requests.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@marcoscaceres @claude
Fix xref errors for mode string values
283850c 
"cors" and "same-origin" are string literals, not defined terms.
Use backtick code formatting instead of [=...=] cross-references.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@marcoscaceres @claude
Fix capitalization of request/Mode for consistency
e0139e6 
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
marcoscaceres added a commit to marcoscaceres/html that referenced this pull request Apr 10, 2026
@marcoscaceres
Pass document's relevant settings object when processing a manifest
3127de1 
The Web App Manifest spec's "processing a manifest" algorithm now
accepts an optional environment settings object (client) parameter,
used to set the request client when fetching manifest image resources.
This enables CSP and service worker interception for those fetches.

Pass the link element's node document's relevant settings object as
the client parameter when invoking "process the manifest".

See: w3c/manifest#1171
See: w3c/image-resource#50
@marcoscaceres marcoscaceres mentioned this pull request Apr 10, 2026
Merged
6 tasks
@marcoscaceres marcoscaceres mentioned this pull request Apr 13, 2026
Open
saschanaz
saschanaz reviewed Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@saschanaz saschanaz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think ManifestIcons.sys.mjs is dead code right now, we do use ManifestObtainer but then the actual code path to get the icon is this which doesn't really care about manifest. And per the title of https://phabricator.services.mozilla.com/D279402 we definitely don't use manifest icon.

@marcoscaceres
Copy link
Copy Markdown
Member Author

marcoscaceres commented May 2, 2026

@copilot can you check @saschanaz’s comment above against geckos code? What are some suggestions for how we should proceed?

annevk pushed a commit to whatwg/html that referenced this pull request May 2, 2026
@marcoscaceres
Pass node document's relevant settings object when processing a manifest
f4b0470 
The Web App Manifest spec's "processing a manifest" algorithm now accepts an optional environment settings object (client) parameter, used to set the request client when fetching manifest image resources. This enables CSP and service worker interception for those fetches.

See w3c/manifest#1171 & w3c/image-resource#50 for context.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@saschanaz saschanaz saschanaz left review comments

Copilot code review Copilot Copilot left review comments

@dmurph dmurph Awaiting requested review from dmurph

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@marcoscaceres @saschanaz