- From: Ilya Grigorik <notifications@github.com>
- Date: Fri, 03 Jun 2016 09:58:44 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc:
- Message-ID: <whatwg/fetch/issues/313/223634145@github.com>
> I just noticed that the headers DPR, Downlink, Save-Data, Viewport-Width and Width have been listed as "safe" headers only for certain values. > > I think this is a bad idea. Having only certain values be considered safe introduces complexity in a security API. This increases the risk that something will go wrong and that security bugs will ensue. This statement is not obvious to me. IETF specs define the grammar for particular fields, it seems reasonable for user agents to validate provided values against said definitions and reject values that do not conform to the spec -- this process, by itself, does not _increase_ risk of security bugs. However, it's probably also true that this mechanism should not be considered as a "security mechanism" either: - Many field definitions allow effectively arbitrary data to be sent - Some fields may be more strict but these same fields may change in the future to allow other values Which is to say, even if the user agent enforces some checks, the server must still validate all input fields and cannot and should not count on the user agent to "protect it". So yes, website developers _should_ monitor and enforce their own rules with regards to what values are allowed by specification or their particular implementation. --- @sicking what is your alternative proposal? Are you suggesting that we should skip UA validation entirely and defer to the server? --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/313#issuecomment-223634145
Received on Friday, 3 June 2016 16:59:12 UTC