Re: [fetch] CSP Request Header and CORS preflight fetch. (#52)

The goal is to inform a page that any redirect they perform is potentially observable (in a binary "Happened" or "Didn't happen." sense). We plugged the hole which made the endpoint completely observable, so I've been less interested in figuring out this header, as it's less valuable than it used to be.

That said:

1. It should reflect the state of the thing that's making the request, and therefore the thing that can observe redirects. That is, if a Document sends a request, and it passes through a service worker, the header should be present. If a SW intercepts a request from that Document, and then sends its own request in order to fulfill it, then the header would be present iff the service worker had an active policy.

2. That seems fine. The value of the header is immaterial; it's `1` at the moment, but could just as easily be `1,1,1,1,1,1` or `lkjahfklj;dvsnf`. That might change in the future if we actually use the header for anything interesting, but for now, presence is enough.

3. I doubt it is, but, I also didn't think that an `HTTPS` header would be dangerous, so, what do I know?

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/52#issuecomment-125214118

Received on Monday, 27 July 2015 13:54:39 UTC