Re: [fetch] referrer same-origin constraint is a footgun for people trying to "copy" a Request (#245)

> Bad header values in CORS result in a network error. Forbidden headers throw in the Headers class (and invalid values are accepted without question, not ignored).

This confuses me.  Steps 4 to 6 of the Headers append algorithm are:

> 4) Otherwise, if guard is "request" and name is a forbidden header name, return. 
> 5) Otherwise, if guard is "request-no-cors" and name/value is not a simple header, return. 
> 6) Otherwise, if guard is "response" and name is a forbidden response-header name, return. 

None of those throw.  We only throw for immutable headers or if the name/value contain illegal characters.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/245#issuecomment-196346325

Received on Monday, 14 March 2016 14:49:08 UTC
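
A small model of the append steps quoted in the message above, added here as an illustration; it is not code from the Fetch Standard or from any participant in the thread. The class `GuardedHeaders`, the helper `droppedNames`, the boolean return value of `append` and the abbreviated name lists are assumptions made for the example.

```javascript
// Illustrative model of the guard steps quoted above; not a browser API.
// The name lists are abbreviated subsets chosen for this example.
const FORBIDDEN_REQUEST = new Set(["cookie", "host", "origin", "referer", "content-length"]);
const FORBIDDEN_RESPONSE = new Set(["set-cookie", "set-cookie2"]);
const SIMPLE_NAMES = new Set(["accept", "accept-language", "content-language"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // legal header-name characters
const BAD_VALUE = /[\0\r\n]/;                   // characters never legal in a value

function isSimpleHeader(name, value) {
  if (SIMPLE_NAMES.has(name)) return true;
  if (name !== "content-type") return false;
  const essence = value.split(";")[0].trim().toLowerCase();
  return SIMPLE_CONTENT_TYPES.has(essence);
}

class GuardedHeaders {
  constructor(guard = "none") { this.guard = guard; this.list = []; }

  // Assumption for the example: returns true if the header was stored and
  // false if a guard step returned silently (the real method returns nothing).
  append(rawName, rawValue) {
    const name = String(rawName).toLowerCase();
    const value = String(rawValue).trim();
    // The only two cases that throw: illegal characters, or an immutable guard.
    if (!TOKEN.test(name) || BAD_VALUE.test(value)) throw new TypeError("illegal name/value");
    if (this.guard === "immutable") throw new TypeError("headers are immutable");
    if (this.guard === "request" && FORBIDDEN_REQUEST.has(name)) return false;          // step 4
    if (this.guard === "request-no-cors" && !isSimpleHeader(name, value)) return false; // step 5
    if (this.guard === "response" && FORBIDDEN_RESPONSE.has(name)) return false;        // step 6
    this.list.push([name, value]);
    return true;
  }
}

// Names that were requested but silently dropped: the difference a caller
// "copying" a request has to look for, since no exception signals it.
function droppedNames(guard, init) {
  const h = new GuardedHeaders(guard);
  return Object.entries(init).filter(([n, v]) => !h.append(n, v)).map(([n]) => n);
}
```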