[whatwg/fetch] Mark Accept-* request headers as simple / safe (#326)

I recently had a rather troublesome experience getting CORS to work with the Memento framework.

### Problem
[Memento (RFC7089)](https://tools.ietf.org/html/rfc7089) provides additional HTTP headers to perform time-based content negotiation. Concretely:
- client requests indicate their preference with `Accept-Datetime`
- server responses indicate the timestamp with `Memento-Datetime`

Negotiation can be performed in two ways [1]:
- the server redirects to the negotiated representation with `302`
- the server serves the negotiated representation with `200`
  (using `Content-Location` to indicate its URL)

For various reasons, `302`-style negotiation is preferred.

In contrast to regular content type and language negotiation, however, **it is impossible to make time-based content negotiation work in the browser cross-origin with `302`-style negotiation**.
This is because the Fetch spec requires that requests with [non-simple headers](https://lists.w3.org/Archives/Public/public-webappsec/2016Jan/0119.html) (such as `Accept-Datetime`) are preceded by a preflight `OPTIONS` request asking the server permission to use such headers.
Moreover, in cases that need such a preflight request, `30x` responses from the server are not accepted.

In other words: if the client wants to negotiate cross-origin on content type and language, `302` is allowed. If the client wants to negotiate cross-origin on time, `302` is not allowed and `200` is needed (which is not appropriate in several use cases).
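To make the preflight trigger concrete, the following is an added example (not code from the whatwg/fetch issue, the Fetch spec, or the Memento project). It models the Fetch spec's "CORS-safelisted" method and request-header rule as it stood in 2016 and shows the `OPTIONS` exchange that adding `Accept-Datetime` forces on an otherwise simple `GET`; the origin, header values and server policy are constructed, and `preflightAllowed` is a simplified stand-in for the check a CORS-aware server performs.

```javascript
// Added example: a small model of the Fetch spec's CORS-safelisted rules (2016),
// used to show why Accept-Datetime turns a simple GET into a preflighted request.

// Methods and header names that may be sent cross-origin without a preflight.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// Content-Type is only safelisted for these three MIME types (parameters such as charset are ignored).
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

function isSafelistedHeader(name, value) {
  const lower = name.toLowerCase();
  if (!SAFELISTED_HEADERS.has(lower)) return false;
  if (lower === 'content-type') {
    const essence = String(value).split(';')[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(essence);
  }
  return true;
}

// Header names (lower-cased) that force a preflight; an empty list means a simple request.
function nonSafelistedHeaders(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !isSafelistedHeader(name, value))
    .map(([name]) => name.toLowerCase());
}

function needsPreflight(method, headers) {
  return !SAFELISTED_METHODS.has(method.toUpperCase()) || nonSafelistedHeaders(headers).length > 0;
}

// The OPTIONS request a browser sends before a preflighted request.
function preflightRequest(origin, method, headers) {
  return {
    method: 'OPTIONS',
    headers: {
      'Origin': origin,
      'Access-Control-Request-Method': method.toUpperCase(),
      'Access-Control-Request-Headers': nonSafelistedHeaders(headers).sort().join(', '),
    },
  };
}

// Simplified server-side evaluation of a preflight (hypothetical helper): every requested
// header must appear in the server's allow-list and the method must be allowed.
function preflightAllowed(preflight, policy) {
  const requested = preflight.headers['Access-Control-Request-Headers']
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowed = new Set(policy.allowHeaders.map((h) => h.toLowerCase()));
  return policy.allowMethods.includes(preflight.headers['Access-Control-Request-Method'])
    && requested.every((h) => allowed.has(h));
}

// Constructed sample: the same GET with and without the Memento header.
const plainGet = { 'Accept': 'text/turtle', 'Accept-Language': 'en' };
const mementoGet = { ...plainGet, 'Accept-Datetime': 'Thu, 01 Jan 2015 00:00:00 GMT' };

function demo() {
  console.log('plain GET needs preflight:', needsPreflight('GET', plainGet));     // false
  console.log('Memento GET needs preflight:', needsPreflight('GET', mementoGet)); // true
  const pf = preflightRequest('https://client.example', 'GET', mementoGet);
  console.log('browser preflight:', pf);
  // Constructed server policy that explicitly allows the Memento header.
  const policy = { allowMethods: ['GET'], allowHeaders: ['Accept-Datetime'] };
  console.log('server allows preflight:', preflightAllowed(pf, policy));        // true
}

demo();
```

The point of the issue follows directly: `plainGet` (content-type and language negotiation) never reaches `preflightRequest`, whereas `mementoGet` does, and only after the server has answered that `OPTIONS` can the actual `GET` be sent, at which point the `302`-style negotiation described above is no longer usable.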

### Proposed solution

**Could it be considered to mark `Accept-*` headers safe on requests?** After all, no harm can be done with such headers (no more than with `Accept` or `Accept-Language`), so requiring a preflight is not necessary.

### Practical use case

The practical discussion of such a use case can be found [here](http://ruben.verborgh.org/blog/2016/06/22/querying-history-with-linked-data/), together with a [live demo](http://bit.ly/artists-york-2012) that uses a [preflight performance hack](https://github.com/LinkedDataFragments/Client.js/commit/a0438531bbfcbd36aec04c73ab16e8d0279f3ef). A different but related discussion was held [here](https://lists.w3.org/Archives/Public/public-webappsec/2013Feb/0078.html).

---
https://github.com/whatwg/fetch/issues/326

Received on Wednesday, 22 June 2016 20:56:23 UTC