commit 830375ad31990fab1d8df24b9ad9447e4a0301e4 Author: David Fifield david@bamsoftware.com Date: Fri Feb 15 14:29:54 2019 -0700
Set some safety defaults for fetch.
cache: "no-store" credentials: "omit" redirect: "manual"
cache: "no-store" adds these headers, which seem fine: Cache-Control: no-cache Pragma: no-cache --- webextension/background.js | 8 ++++++++ 1 file changed, 8 insertions(+)
diff --git a/webextension/background.js b/webextension/background.js
index ba56e7f..fd39273 100644
--- a/webextension/background.js
+++ b/webextension/background.js
@@ -83,6 +83,7 @@ function roundtrip(id, request) {
 // Process the incoming request spec and convert it into parameters to the
 // fetch API. Also enforce some restrictions on what kinds of requests we
 // are willing to make.
+ // https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/f...
 let url;
 let init = {};
 try {
@@ -107,6 +108,13 @@ function roundtrip(id, request) {
 init.body = base64_decode(request.body);
 }
+ // Do not read nor write from the browser's HTTP cache.
+ init.cache = "no-store";
+ // Don't send cookies.
+ init.credentials = "omit";
+ // Don't follow redirects (we'll get resp.status:0 if there is one).
+ init.redirect = "manual";
+
 // TODO: Host header
 // TODO: strip Origin header?
 // TODO: proxy
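Review bot: With `init.redirect = "manual"` a redirect comes back as a filtered response of type "opaqueredirect" with status 0, no headers and no body, and nothing in this hunk turns that into an explicit error for the requester. The response handling in roundtrip lies outside the hunk, so this may already be covered; if it is not, a check such as `if (resp.type === "opaqueredirect") throw new Error("redirect not followed");` after the fetch resolves would keep a status-0 reply from being relayed as if it were a real response. The three assignments are unconditional and sit after the visible `init.body` assignment, so the request spec does not appear able to override them, which is the right order for enforced defaults. In the same spirit as `credentials: "omit"`, consider also adding `init.referrerPolicy = "no-referrer";` so that no Referer header is attached to the relayed request.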