- From: Anne van Kesteren <notifications@github.com>
- Date: Thu, 23 Jun 2016 23:50:43 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc:
Received on Friday, 24 June 2016 06:51:11 UTC
> Could there be a discussion on what headers are considered safe and why? Per the Fetch standard almost no header is safe since historically almost no header could be transmitted across origins. Browsers have been carving out exceptions, but only for headers with specific values. It's vastly unclear what is safe to do here and what is unsafe so we error on the side of caution. The idea that servers should just study the Fetch standard and we can add more same-origin policy exemptions over time is not workable. We cannot just put them at new risks tomorrow they were not facing today. It's a tradeoff of course, but the idea doesn't work as policy. Perhaps there is a prefix we can agree on that is the opposite of `Sec-` that you can use without a CORS-preflight though. If there is some agreement that is not a significant enough risk. --- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/326#issuecomment-228271035
Received on Friday, 24 June 2016 06:51:11 UTC