Re: [whatwg/fetch] Mark Accept-* request headers as simple / safe (#326)

Thanks!

> To determine whether harm can be done with Accept-*, one would theoretically have to study all servers in existence.

I don't agree; it's the other way round: servers have to study the Fetch spec (which scales better than studying all servers). If a server sets `Access-Control-Allow-Origin`, it is the server's responsibility to be aware of what the client is allowed to do. And even though there can be an infinite amount of `Accept-*` headers, I think it's fair to say there's not a single one of them that would make a request non-safe (in the HTTP sense). I mean, we're not talking about `X-HTTP-Method-Override` or similar. Could there be a discussion on what headers are considered safe and why?

> Per the current standard if you reply to the preflight with an appropriate 200, you can reply to the actual request with a 302. 

That's great, I didn't know that!

However, it does not fully solve the performance issue of the Memento case, where the client makes a list of requests (all using the `Accept-Datetime` header):
- http://fragments.dbpedia.org/2015/en
- http://fragments.mementodepot.org/timegate/dbpedia
- http://fragments.mementodepot.org/dbpedia_201510?queryA
- http://fragments.mementodepot.org/dbpedia_201510?queryB
- http://fragments.mementodepot.org/dbpedia_201510?queryC
- …

Even though only 1 of these requests would result in a 302, each of the requests to `http://fragments.mementodepot.org/dbpedia_201510?query…` requires an individual `OPTIONS` preflight request, which doubles the number of total requests.

> Ah, some bugs were filed in #204 (comment). I can file one against WebKit.

Thanks for this!

However, for the reason above, I would still be interested in an option where the range of safe headers can be extended; if not in the spec, then at least server-wide. Any other thoughts on this?

---
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/326#issuecomment-228113901

Received on Thursday, 23 June 2016 16:58:27 UTC
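As an added example (not code from this thread or from the Fetch project), here is the preflight rule the Memento case above runs into, in JavaScript: a check for whether a request header is CORS-safelisted per Fetch, so `Accept` passes while `Accept-Datetime` forces an `OPTIONS` round trip, and a server-side preflight handler that grants `Accept-Datetime` only from an explicit allowlist rather than echoing `Access-Control-Request-Headers`. The origin and header allowlists are assumed configuration values.

```javascript
// Added example, not from the thread or the Fetch project: why Accept-Datetime forces
// an OPTIONS preflight, and a server answering preflights from an allowlist instead of
// echoing Access-Control-Request-Headers. Simplified from Fetch's safelist rule.
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True if (name, value) is CORS-safelisted, i.e. does not by itself trigger a preflight.
function isSafelistedHeader(name, value) {
  if (value.length > 128) return false; // spec caps safelisted values at 128 bytes
  const n = name.toLowerCase();
  if (n === "accept" || n === "accept-language" || n === "content-language") return true;
  if (n === "content-type") {
    const essence = value.split(";")[0].trim().toLowerCase();
    return SAFE_CONTENT_TYPES.has(essence);
  }
  return false; // any other Accept-* header (Accept-Datetime, ...) is not safelisted
}

// Decide whether a cross-origin request needs a preflight and which headers cause it.
function needsPreflight(method, headers) {
  const safeMethod = ["GET", "HEAD", "POST"].includes(method.toUpperCase());
  const unsafeHeaders = Object.entries(headers)
    .filter(([k, v]) => !isSafelistedHeader(k, v))
    .map(([k]) => k.toLowerCase());
  return { preflight: !safeMethod || unsafeHeaders.length > 0, unsafeHeaders };
}

// Server side. ALLOWED_ORIGINS / ALLOWED_HEADERS are hypothetical config values: the
// server states what an origin may send rather than reflecting whatever was requested.
const ALLOWED_ORIGINS = new Set(["https://app.example"]);
const ALLOWED_HEADERS = new Set(["accept-datetime"]);

// Answer an OPTIONS preflight; returns { status, headers }.
function handlePreflight(origin, requestedHeaders) {
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {} };
  const asked = (requestedHeaders || "").split(",")
    .map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (asked.some((h) => !ALLOWED_HEADERS.has(h))) return { status: 403, headers: {} };
  return {
    status: 204,
    headers: {
      "Access-Control-Allow-Origin": origin,
      "Access-Control-Allow-Headers": asked.join(", "),
      "Access-Control-Max-Age": "600", // cached per origin+URL; each new query URL still preflights once
      Vary: "Origin",
    },
  };
}
```

Because the browser's preflight cache is keyed on the URL, `Access-Control-Max-Age` removes repeat preflights for the same URL but not the one-per-query-URL cost the comment describes.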