Re: [fetch] CSP Request Header and CORS preflight fetch. (#52)

I see three problems.

1. It's not clear when this header is supposed to be set and therefore it's not clear whether e.g. service workers are supposed to be able to observe it.
2. This header can be set by `fetch()` and `XMLHttpRequest` because it is not prefixed with `Sec-` so you need to handle duplicates somehow when you set it.
3. It's not clear whether including this header cross-origin is a security risk or not and therefore whether we should preflight it. So far we have answered yes to this question.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/52#issuecomment-102905430

Received on Monday, 18 May 2015 03:08:32 UTC