On Fri, Jun 9, 2017 at 7:42 AM, Martin Thomson <martin.thomson@gmail.com> wrote: > On 9 June 2017 at 16:38, Emily Stark <estark@google.com> wrote: > > Does anyone else have an opinion? If not, I'll probably go with > text/plain. > > > After considering this, I would prefer to have this added to the CORS > exception list in the same way that CSP reporting is. It is better to > have an accurate MIME type with an exception and accompanying analysis > of why it is safe to send these payloads than it is to just have the > spec try to route around the problem (tempting and easy as that might > be). > CSP reporting isn't added to the CORS whitelist. It's been in violation of CORS for years and there are some vague plans to fix it by sending preflights, but adding it to the whitelist hasn't really been discussed. Anne has said that he prefers not to add more to the whitelist, which I think is a reasonable stance. (see https://lists.w3.org/Archives/Public/public-webappsec/2017Feb/0009.html -- though to be fair, the same text/plain idea is rejected in that thread as well) In addition to the fact that there's not really any principled reason for expanding the whitelist, it would mean that, say, an XHR can send the new header value, which shouldn't really be allowed.
Received on Friday, 9 June 2017 14:54:39 UTC