Re: [whatwg/fetch] Listing headers safe only for certain values is a bad idea (#313)

CORS is entirely a "security mechanism". It defines which headers (and, sadly, header values) can be sent on incoming requests from 3rd parties.

If you want servers to expect arbitrary values for these headers on requests from 3rd parties, and want servers to validate there are no values that have harmful side effects, then the appropriate thing is to whitelist these headers for *any* value.

That way web developers have to expect incoming requests with any value from a 3rd party attacker since such an attacker can use `fetch()` or XHR to submit such requests.

Note that because the CORS spec says that the `Content-Type` header can currently only contain `text/plain`, `application/x-www-form-urlencoded` or `multipart/form-data`, we know of authors who have written server-side code that relies on these being the only content types they will receive from 3rd parties.

The reason we know is that we had bugs somewhere in our sendBeacon implementation (I think) which enabled sending other content types, and we got bugs filed against us specifically referencing the requirement on the `Content-Type` header in the spec. Sadly I don't remember the details, nor am I able to find the bug.

---
https://github.com/whatwg/fetch/issues/313#issuecomment-223652761

Received on Friday, 3 June 2016 18:14:07 UTC
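The header-safelisting rule the comment is arguing about, as an added example (not code from the thread or from the Fetch spec): a simplified model of the browser-side "CORS-safelisted request-header" check, showing that a `Content-Type` whose MIME essence is outside the three listed values forces a preflight, next to a server-side handler that validates the media type explicitly instead of assuming only those three can arrive. The spec's 128-byte value limit and byte-range checks are omitted here, and `acceptBodyType` is a hypothetical helper, not a real API.

```javascript
// Added example, not part of the original thread. Simplified model of the
// Fetch spec's safelisting of request methods and headers; the 128-byte
// value limit and byte-range checks are deliberately omitted (assumption).

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
// Only these MIME essences keep Content-Type safelisted (by value).
const SAFELISTED_CONTENT_TYPES = new Set([
  "text/plain",
  "application/x-www-form-urlencoded",
  "multipart/form-data",
]);

// MIME essence: "type/subtype" with parameters (charset, boundary) stripped.
function mimeEssence(value) {
  return value.split(";")[0].trim().toLowerCase();
}

// A header is safelisted by name, and Content-Type additionally by value.
function isSafelistedHeader(name, value) {
  const lower = name.toLowerCase();
  if (!SAFELISTED_HEADERS.has(lower)) return false;
  if (lower === "content-type") {
    return SAFELISTED_CONTENT_TYPES.has(mimeEssence(value));
  }
  return true;
}

// A cross-origin request goes out without a preflight only when the method
// and every header are safelisted; otherwise the browser sends OPTIONS first.
function requiresPreflight(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(headers).some(([n, v]) => !isSafelistedHeader(n, v));
}

// Server side (hypothetical helper): decide what to accept by checking the
// media type explicitly, rather than relying on CORS to keep other values
// away. Returns the accepted essence, or null to reject the body.
function acceptBodyType(contentType, allowed) {
  const essence = mimeEssence(contentType || "");
  return allowed.includes(essence) ? essence : null;
}
```

Note that `text/plain` stays safelisted regardless of charset, so a server that trusts the Content-Type value alone still has to treat the body as attacker-controlled.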