commit c9839e85b66793b6209abf820c2cda8c07ee2157 Author: David Fifield david@bamsoftware.com Date: Fri Feb 15 14:29:54 2019 -0700

Set some safety defaults for fetch.

cache: "no-store" credentials: "omit" redirect: "manual"

cache: "no-store" adds these headers, which seem fine: Cache-Control: no-cache Pragma: no-cache --- webextension/background.js | 8 ++++++++ 1 file changed, 8 insertions(+)

diff --git a/webextension/background.js b/webextension/background.js index ba56e7f..fd39273 100644 --- a/webextension/background.js +++ b/webextension/background.js @@ -83,6 +83,7 @@ function roundtrip(id, request) { // Process the incoming request spec and convert it into parameters to the // fetch API. Also enforce some restrictions on what kinds of requests we // are willing to make. + // https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/f... let url; let init = {}; try { @@ -107,6 +108,13 @@ function roundtrip(id, request) { init.body = base64_decode(request.body); }

+ // Do not read nor write from the browser's HTTP cache. + init.cache = "no-store"; + // Don't send cookies. + init.credentials = "omit"; + // Don't follow redirects (we'll get resp.status:0 if there is one). + init.redirect = "manual"; + // TODO: Host header // TODO: strip Origin header? // TODO: proxy