Skip to content

Introduce "override fetch". #1840

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Introduce "override fetch". #1840

wants to merge 1 commit into from

Conversation

mikewest
Copy link
Member

@mikewest mikewest commented Jul 9, 2025
edited by pr-preview bot
Loading

This change aims to explain how and when user agents intervene against requests in order to protect users. It introduces a few stage in Fetching, which gives user agents a clear hook after a set of prerequisite checks (MIX, CSP, etc.) are performed in Main Fetch.

This was originally proposed (and is explained in a bit more detail) in https://explainers-by-googlers.github.io/script-blocking/, and the hook's details and exact positioning were informed by the discussion in explainers-by-googlers/script-blocking#2.

  • At least two implementers are interested (and none opposed):

    • Multiple browsers ship this kind of behavior (whether in the form of Safe Browsing, tracking protection, etc). The brief discussion in Location of this check explainers-by-googlers/script-blocking#2 suggests that there's interest in standardizing the broad strokes of the behavior by providing this implementation-defined hook.

  • Tests are written and can be reviewed and commented upon at:

    • The exact set of resources against which user agents intervene is not (and likely cannot be) standardized. https://explainers-by-googlers.github.io/script-blocking/#testing suggests one approach to testing which might allow vendors to verify that their interventions are consistently positioned within Fetch, but that infrastructure hasn't yet been built or agreed-upon. If there's interest in doing so, I'll happily file an issue against web-platform-tests/rfcs to discuss.

  • Implementation bugs are filed:

    • As above, all browsers currently ship something like this. In my (limited) testing, they all seem to agree on the broad strokes of when the check happens.

  • MDN issue is filed:

    • This seems unnecessary for this change, but I'm happy to put together documentation if it's deemed helpful.

  • The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)

Preview | Diff

@mikewest
Introduce "override fetch".
f798b2c 
This change aims to explain how and when user agents intervene against
requests in order to protect users. It introduces a few stage in
Fetching, which gives user agents a clear hook after a set of
prerequisite checks (MIX, CSP, etc.) are performed in Main Fetch.

This was originally proposed (and is explained in a bit more detail) in
https://explainers-by-googlers.github.io/script-blocking/, and the
hook's details and exact positioning were informed by the discussion in
explainers-by-googlers/script-blocking#2.
@mikewest
Copy link
Member Author

mikewest commented Jul 9, 2025

Hey @annevk! This is my interpretation of your suggestion from explainers-by-googlers/script-blocking#2 (comment). Not at all an urgent request, but I'll appreciate feedback when you have time.

cc @domenic and @ZainabAq as an FYI, since y'all had excellent feedback on the original proposal.

@mikewest mikewest mentioned this pull request Jul 9, 2025
Closed
@mdanowar3

This comment was marked as spam.

Sign in to view
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@mikewest @mdanowar3