- From: Jonas Sicking <notifications@github.com>
- Date: Wed, 13 Apr 2016 00:13:59 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
Received on Wednesday, 13 April 2016 07:14:27 UTC
I'm not proposing that we move `authorization` to the forbidden-header-name list. `Access-control-allow-headers: authorization` currently allows the `authorization` header to be set, and I think we should let that continue to be the case. Changing that would risk breaking existing content and I see little reason to do that.

I'm suggesting that `Access-control-allow-headers: *` should *not* allow the `authorization` header to be sent to the server, since it's very easy for developers to miss the fact that `Access-control-allow-headers: *` would allow distributed brute-force of credentials.

We should figure out what syntax should be used if a website *really* wants to allow all headers, including the `authorization` header, to be set. One obvious proposal would be `Access-control-allow-headers: *, authorization`, but I'm open to other proposals too.

---

https://github.com/whatwg/fetch/issues/251#issuecomment-209265586
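To make the proposal above concrete, here is a small model of the CORS preflight header check, written as an added example for this archive; it is not code from the Fetch standard, from any browser, or from the comment's author. It implements the rule being proposed: `*` acts as a wildcard only for requests made without credentials, and even then it never covers `Authorization`, which must be listed by name (which is also the behaviour MDN documents for `Access-Control-Allow-Headers` today). The safelisted header set is reduced to names only, and the function and variable names are my own assumptions.

```javascript
// Added example: a model of the CORS preflight Access-Control-Allow-Headers check.
// Not the Fetch standard's algorithm and not browser code; names are assumptions.

// CORS-safelisted request header names never require a preflight.
// The per-value restrictions the standard applies to them are omitted here.
const CORS_SAFELISTED = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);

// Split an Access-Control-Allow-Headers value into trimmed, lower-cased tokens.
function parseAllowHeaders(value) {
  if (value === null || value === undefined) return [];
  return value
    .split(",")
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t.length > 0);
}

// Decide whether the request's headers pass the preflight check.
// Rules modelled:
//  1. "*" is a wildcard only when the request carries no credentials.
//  2. Even as a wildcard, "*" never covers "authorization".
//  3. Every other unsafe header must be listed explicitly (case-insensitive).
// Returns { ok, rejected } so a caller can log exactly which names failed.
function checkAllowedHeaders(requestHeaderNames, allowHeadersValue, withCredentials) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  const wildcard = allowed.includes("*") && !withCredentials;
  const rejected = [];
  for (const raw of requestHeaderNames) {
    const name = raw.toLowerCase();
    if (CORS_SAFELISTED.has(name)) continue;        // no preflight needed
    if (allowed.includes(name)) continue;           // listed explicitly
    if (wildcard && name !== "authorization") continue; // wildcard, but never for Authorization
    rejected.push(name);
  }
  return { ok: rejected.length === 0, rejected };
}

// Constructed demonstration: the same request against the two policies discussed.
const requestHeaders = ["Authorization", "X-Custom-Token"];
const wildcardOnly = checkAllowedHeaders(requestHeaders, "*", false);
const wildcardPlusAuth = checkAllowedHeaders(requestHeaders, "*, authorization", false);
console.log("ACAH: *              ->", JSON.stringify(wildcardOnly));
console.log("ACAH: *, authorization ->", JSON.stringify(wildcardPlusAuth));
```

Under this model a server that replies with a bare `*` still receives custom headers such as `X-Custom-Token`, but a cross-origin `Authorization` header is rejected at preflight; the server has to opt in with `*, authorization` (the syntax floated above) for the credential-carrying header to be sent.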