- From: Anne van Kesteren <notifications@github.com>
- Date: Fri, 24 Aug 2018 07:24:30 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 24 August 2018 14:24:52 UTC
I posted my thoughts here: https://freenode.logbot.info/whatwg/20180824#c1678383. TL;DR is that the extending-SOP-exceptions concern can probably be ignored for now, though we should add tests to ensure values are adequately validated and preflighted as appropriate. (SW wouldn't see these headers if we added them at a late point, avoiding the need to have to remove them. OP doesn't mention it, but removing request headers is somewhat unprecedented at the moment, though #609 will change that as well.) Another concern not mentioned here is that we need to deal with the case where these headers were already set by the developer. If a developer sets `DPR` a browser would end up appending to it with the current wording. Is that desired? I'd argue it's better to avoid that and only set the header if it's not already set. (We need tests for this too.) For the concerns mentioned in OP, it sounds like setting the headers early and potentially removing them upon redirects, even if they were developer-set, is the away to go. Hope this helps. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/800#issuecomment-415774670
Received on Friday, 24 August 2018 14:24:52 UTC