[whatwg/fetch] Listing headers safe only for certain values is a bad idea (#313)

I just noticed that the headers `DPR`, `Downlink`, `Save-Data`, `Viewport-Width` and `Width` have been listed as "safe" headers only for certain values.

I think this is a bad idea. Having only certain values be considered safe introduces complexity in a security API. This increases the risk that something will go wrong and that security bugs will ensue.

Consider for example https://bugs.chromium.org/p/chromium/issues/detail?id=490015 which is a recent example of a case where such complexity has lead to a security bug which has remained in Chrome for over a year and which is unclear if it will ever get fixed.

Another reason to not consider these headers safe only for certain values is that the set of values is bound to change over time. As the specification for those headers evolve over time, so will the the set of values that will parse successfully.

Are we expecting website developers to constantly monitor these specifications and adjust their server side code as it can get exposed to new request headers?

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/313

Received on Thursday, 2 June 2016 19:52:39 UTC