Re: [fetch] CSP Request Header and CORS preflight fetch. (#52)

Agreed about `Last-Event-ID` being feature level and that does indeed argue for it being a "simple header", but that also creates the problem I illustrated. Up until now servers could assume it contains an ID they controlled, and the moment it becomes a "simple header" it can be any value an attacker wants.

What does Chrome's network security team think about that? I'm also not sure what Mozilla thinks on this matter, FWIW. It's always a little muddy on the edges of the same-origin policy.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/52#issuecomment-185635748

Received on Thursday, 18 February 2016 10:04:15 UTC
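The concern above is that once `Last-Event-ID` can be sent cross-origin without a preflight, a server can no longer assume the value is one it issued. A server-side mitigation is to make every issued ID self-authenticating and to reject anything that does not verify before using it to resume a stream. The following Python is an added illustration written for this discussion, not code from the thread or from the Fetch spec; the `SERVER_KEY`, the `seq.tag` ID format and the function names are constructed assumptions.

```python
import hmac
import hashlib
import re

# Constructed demo key; a real deployment would load this from a secret store.
SERVER_KEY = b"demo-key-not-for-production"

# Expected wire format of an ID this server issued: "<decimal sequence>.<hex tag>"
_ID_RE = re.compile(r"^(\d{1,18})\.([0-9a-f]{32})$")


def _tag(seq: int) -> str:
    """HMAC-SHA256 over the sequence number, truncated to 128 bits (32 hex chars)."""
    return hmac.new(SERVER_KEY, str(seq).encode(), hashlib.sha256).hexdigest()[:32]


def issue_event_id(seq: int) -> str:
    """Produce the value the server sends in an `id:` line of an SSE stream."""
    return f"{seq}.{_tag(seq)}"


def parse_last_event_id(header_value):
    """Return the sequence number if header_value is an ID this server issued, else None.

    The header is treated as fully untrusted input: it must match the strict
    format and carry a valid tag before any part of it reaches the event store.
    """
    if header_value is None:
        return None
    m = _ID_RE.match(header_value)
    if m is None:
        return None
    seq, tag = int(m.group(1)), m.group(2)
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(tag, _tag(seq)):
        return None
    return seq


def events_to_replay(header_value, log):
    """Given the raw header and an in-memory event log (list of (seq, data)),
    return the events after the client's last seen ID, or the whole log if the
    header is absent or fails verification."""
    last = parse_last_event_id(header_value)
    if last is None:
        return list(log)
    return [(s, d) for (s, d) in log if s > last]


if __name__ == "__main__":
    # Constructed sample event log.
    log = [(40, "a"), (41, "b"), (42, "c")]
    print(events_to_replay(issue_event_id(41), log))   # only seq 42
    print(events_to_replay("41.deadbeef", log))       # forged tag: full replay
```

With this in place a forged or malformed `Last-Event-ID`, however it reaches the server, is indistinguishable from a first connection, so the change to "simple header" status no longer widens what an attacker can feed into the resume path.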