- From: roryhewitt <notifications@github.com>
- Date: Fri, 18 Mar 2016 11:12:02 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/253/198477626@github.com>
Hey Jonas,

That's a good question! I don't have a good example, because I don't think there is one. This is why I'm frustrated by the current AC-Expose-Headers - it was (I think) the wrong solution.

In short, AC-Expose-Headers is a whitelisting mechanism - it defines which of the sent headers should be exposed to client-side code. Well, in what cases would there be a header which you do want to send, but which you don't want to expose? Presumably there are such cases, because AC-Expose-Headers was created based on feedback from mnot (who works with me at Akamai!).

Prior to AC-Expose-Headers being created, presumably all response headers were exposed, and there was a concern that perhaps some of them should not be. Well, in that case, perhaps a better mechanism would be AC-Suppress-Headers, where users can blacklist certain headers, leaving all others exposed.

At least, that's my thinking.

On Fri, Mar 18, 2016 at 12:28 AM, Jonas Sicking <notifications@github.com> wrote:

> Can you provide an example of when you wouldn't want a certain header to
> be exposed? But you still want to send that header to the client?
>
> I.e. if there are certain headers that you know you don't want the client
> to see, why send them at all?

--
Rory Hewitt
http://www.linkedin.com/in/roryhewitt
Received on Friday, 18 March 2016 18:12:29 UTC
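
The two models discussed in this message, side by side, as an added example that is not part of the original e-mail or of the Fetch specification. `Access-Control-Suppress-Headers` is the hypothetical header proposed above and does not exist in any browser; the response headers and their values are constructed, and the `*` wildcard for `Access-Control-Expose-Headers` is not modelled.

```javascript
// CORS-safelisted response header names: readable cross-origin without opt-in.
const SAFELISTED = new Set(["cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma"]);
// Forbidden response header names: never readable by script in either model.
const FORBIDDEN = new Set(["set-cookie", "set-cookie2"]);

// Parse a comma-separated header-name list into a lowercase Set.
function parseList(value) {
  return new Set((value || "").split(",")
    .map((s) => s.trim().toLowerCase()).filter(Boolean));
}

// Allowlist model (Access-Control-Expose-Headers): a header is hidden
// unless it is safelisted or explicitly named by the server.
function visibleWithExpose(headers) {
  const exposed = parseList(headers["access-control-expose-headers"]);
  return Object.keys(headers)
    .filter((n) => !FORBIDDEN.has(n) && (SAFELISTED.has(n) || exposed.has(n)))
    .sort();
}

// Denylist model (hypothetical Access-Control-Suppress-Headers): a header
// is readable unless the server explicitly names it.
function visibleWithSuppress(headers) {
  const suppressed = parseList(headers["access-control-suppress-headers"]);
  return Object.keys(headers)
    .filter((n) => !FORBIDDEN.has(n) && !suppressed.has(n))
    .sort();
}

// Constructed response: the origin sets the first four headers, and an
// intermediary (proxy, CDN) adds x-internal-backend without the origin knowing.
const base = {
  "content-type": "application/json",
  "set-cookie": "sid=constructed",
  "x-request-id": "req-123",
  "x-debug-token": "constructed-token",
  "x-internal-backend": "app-7",
};
const allowResp = { ...base, "access-control-expose-headers": "X-Request-Id" };
const denyResp = { ...base, "access-control-suppress-headers": "X-Debug-Token" };

console.log("expose  :", visibleWithExpose(allowResp));
console.log("suppress:", visibleWithSuppress(denyResp));
```

The header the origin never listed (`x-internal-backend`) stays hidden under the allowlist and becomes readable under the denylist, which is the case to weigh when answering the question of which headers are sent but should not be exposed.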