<request-url-modifier>s mutate a request's mode, credentials mode, integrity metadata, and referrer policy. The fetch a style resource algorithm applies them in step 5, after the consumer's corsMode argument has already been baked into the request in step 4. As a result, the supplied modifiers always win over the consumer's choice.
But several consumer specs normatively mandate Anonymous mode:

- `mask-image`, `mask-border-source`, `clip-path`
- `shape-outside: <image>`
- `filter: url(#...)`
- `@font-face`

all have this line, in some shape or form:

> When fetching, user agents must use “Anonymous” mode, set the referrer source to the stylesheet’s URL and set the origin to the URL of the containing document.
Under the current spec text, e.g.: `mask-image: url("https://other.example/secret.png" cross-origin(use-credentials));` would credentialize the fetch, contradicting css-masking §11, similarly applicable to all other examples above.
This question was raised before, by @emilio in this discussion:
<emeyer> emilio: I just realized we force crossorigin to be anonymous for CSS already
<emeyer> …We need to define whether you can override it; I don’t think you should be able to
...
<emeyer> …Masks, for example, require anonymous crossorigin loads
<emeyer> …So we should define that
<emeyer> TabAtkins: I don’t think they’re defined in a way that hooks into these, so we need to review that
I'd like to ask for a clarification on what should apply here. From the fetch algorithm, author modifiers win. But that's not obvious from the spec text (at least to me) and contradicts the four consumer specs above. Could the editors clarify the intended precedence?
cc @noamr @weinig @tabatkins @AmeliaBR @emilio @AtkinsSJ, related to: #1603
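
The ordering described in this issue, as a simplified model added here for illustration (not spec text and not any implementation's code). The request fields, the `mandateWins` option and the credentials mapping for `cross-origin()` are assumptions of the model; "Anonymous" is modelled as mode `cors` with credentials mode `same-origin`.

```javascript
// Simplified model of steps 4 and 5 of "fetch a style resource" as the issue
// describes them. Field names and the mandateWins option are assumptions.
const MODIFIER_STEPS = {
  // cross-origin(<keyword>), as in the mask-image example from the issue.
  // Assumed mapping: use-credentials -> "include", otherwise "same-origin".
  "cross-origin": (req, keyword) => {
    req.mode = "cors";
    req.credentials = keyword === "use-credentials" ? "include" : "same-origin";
  },
};

function fetchStyleResource(url, corsMode, modifiers, { mandateWins = false } = {}) {
  // Step 4: the consumer's corsMode argument is baked into the request.
  const req = { url, mode: corsMode, credentials: "same-origin" };
  const consumer = { mode: req.mode, credentials: req.credentials };

  // Step 5: author-supplied modifiers run afterwards and overwrite those fields.
  for (const [name, arg] of modifiers) {
    const step = MODIFIER_STEPS[name];
    if (!step) throw new Error(`unmodelled modifier: ${name}`);
    step(req, arg);
  }

  // Record whether the author changed what the consumer spec asked for.
  const overridden =
    req.mode !== consumer.mode || req.credentials !== consumer.credentials;

  // Hypothetical alternative precedence: the consumer's mandate is restored.
  if (mandateWins && overridden) Object.assign(req, consumer);
  return { req, overridden };
}

// Constructed input: the mask-image declaration quoted in the issue.
const MASK_URL = "https://other.example/secret.png";
const AUTHOR_MODIFIERS = [["cross-origin", "use-credentials"]];

const current = fetchStyleResource(MASK_URL, "cors", AUTHOR_MODIFIERS);
const mandated = fetchStyleResource(MASK_URL, "cors", AUTHOR_MODIFIERS, { mandateWins: true });
console.log("modifiers win:", current.req.credentials);
console.log("mandate wins: ", mandated.req.credentials);
```

The `overridden` flag marks the case the issue asks about: an author modifier that changes the credentials mode a consumer spec mandated.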