Re: [whatwg/fetch] Document CORS safelist exceptions (#621)

mikewest approved this pull request.

LGTM % one addition.

Given that the reporting requests can/will contain data from multiple origins (e.g. `reports.google.com` might receive reports from events on `youtube.com`, `google.com`, `docs.google.com`, etc), are completely controlled by the browser as opposed to the page, and are uncredentialed, preflights do not add significant value. Documenting these shipping exceptions seems pretty reasonable to me.

Anne's suggestion that we add links to explanatory documents when possible makes sense to me as well.

> @@ -2226,6 +2229,20 @@ Access-Control-Allow-Credentials: true</pre>
  ignored.
 </div>
 
+<h4 id=cors-protocol-exceptions>CORS protocol exceptions</h4>
+
+<p>Specifications have allowed limited exceptions to the CORS safelist for non-safelisted
+`<code>Content-Type</code>` header values. These exceptions are made for requests that can be
+triggered by web content but whose headers and bodies can be only minimally controlled by the web
+content. Therefore, servers should expect cross-origin web content to be allowed to trigger
+non-preflighted requests with the following non-safelisted `<code>Content-Type</code>` header
+values: `<code>application/csp-report</code>`, `<code>application/report</code>`,
+`<code>application/expect-ct-report+json</code>`, and `<code>application/ocsp-request</code>`.

Chrome also sends [`application/xss-auditor-report`](https://cs.chromium.org/chromium/src/third_party/WebKit/Source/core/loader/PingLoader.cpp?rcl=898669974e9ce0867e3dc80fe9385de8983a77ce&l=298).

-- 
https://github.com/whatwg/fetch/pull/621#pullrequestreview-74456501

Received on Monday, 6 November 2017 15:40:45 UTC
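To make the consequence of the documented exceptions concrete for someone running a report-collection endpoint, here is an added example (not code from this review, the Fetch spec, or any browser): it decides whether a cross-origin POST carrying a given Content-Type can arrive with no preflight, using the Fetch safelist plus the exception values from the hunk above, and Chrome's `application/xss-auditor-report` mentioned in the reply. The endpoint helper and its accept/reject reasons are this example's own design, not anything the spec prescribes.

```python
"""Added example: which Content-Type values reach a server cross-origin without a
CORS preflight, and how a report endpoint can validate what it receives."""

# CORS-safelisted Content-Type essences from the Fetch standard.
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Non-safelisted values documented as exceptions in the hunk (browser-generated,
# uncredentialed report requests) plus the Chrome-only value noted in the review.
REPORTING_EXCEPTIONS = {
    "application/csp-report",
    "application/report",
    "application/expect-ct-report+json",
    "application/ocsp-request",
    "application/xss-auditor-report",
}


def mime_essence(content_type: str) -> str:
    """Lowercased type/subtype with parameters (e.g. charset) and whitespace removed."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def is_safelisted_content_type(content_type: str) -> bool:
    return mime_essence(content_type) in SAFELISTED_CONTENT_TYPES


def is_reporting_exception(content_type: str) -> bool:
    return mime_essence(content_type) in REPORTING_EXCEPTIONS


def arrives_without_preflight(content_type: str) -> bool:
    """True if a cross-origin POST with this Content-Type may hit the handler with no
    OPTIONS round trip, so the handler must treat the body as untrusted input."""
    return is_safelisted_content_type(content_type) or is_reporting_exception(content_type)


def reporting_endpoint_decision(method: str, content_type: str) -> tuple:
    """Hypothetical validation for a report collector: accept only the report types it
    exists to receive; everything else is either not a report or would have needed a
    preflight that this endpoint never answers."""
    if method.upper() != "POST":
        return ("reject", "reports are delivered with POST")
    essence = mime_essence(content_type)
    if essence in REPORTING_EXCEPTIONS:
        return ("accept", essence)
    if essence in SAFELISTED_CONTENT_TYPES:
        return ("reject", "safelisted type, not a browser-generated report")
    return ("reject", "non-safelisted type would have required a preflight")
```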