Skip to content

[css-values-4] Use "include" when fetching cross-origin CSS resources #12074

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 30, 2025
Merged

[css-values-4] Use "include" when fetching cross-origin CSS resources #12074

merged 2 commits into from
Apr 30, 2025

Conversation

@noamr
Copy link
Collaborator

@noamr noamr commented Apr 14, 2025

This matches existing implementation, and was a bug in the existing spec.

Closes #12073

[css-spec-shortname-1] Brief description which should also include the #issuenum-or-URL and/or link to relevant CSSWG minutes.

Copy the above line into the Title and replace with the relevant details. Fill in any additional details here. See https://github.com/w3c/csswg-drafts/blob/master/CONTRIBUTING.md for more info.

@noamr
[css-values-4] Use "include" when fetching cross-origin CSS resources
5eea70d 
This matches existing implementation, and was a bug in the
existing spec.

Closes w3c#12073
@noamr noamr requested a review from fantasai April 14, 2025 14:59
@weinig
Copy link
Contributor

weinig commented Apr 14, 2025

If you make this change, you'll also need to update CSS Values 5 to specify what do for crossorigin(anonymous) as it currently just uses the default (https://drafts.csswg.org/css-values-5/#typedef-request-url-modifier-crossorigin-modifier).

@noamr
Copy link
Collaborator Author

noamr commented Apr 15, 2025

If you make this change, you'll also need to update CSS Values 5 to specify what do for crossorigin(anonymous) as it currently just uses the default (https://drafts.csswg.org/css-values-5/#typedef-request-url-modifier-crossorigin-modifier).

You're right! Not just that, but existing callers that use |corsMode| = "cors" would receive the wrong credentials mode.
Amended so that:

  • The URL modifiers in css-values-5 explicitly set same-origin when anonymous
  • The default for cors-mode is anonymous, and only the no-cors default changes to use-credentials.

This was referenced Apr 17, 2025
Closed
Closed
@tabatkins tabatkins merged commit fc52569 into w3c:main Apr 30, 2025
1 check passed
@AtkinsSJ AtkinsSJ mentioned this pull request May 3, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@tabatkins tabatkins tabatkins approved these changes

@fantasai fantasai Awaiting requested review from fantasai

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[css-values-4][css-images-4] Style resource fetching should probably use credential mode "include" in the default case

3 participants

@noamr @weinig @tabatkins