Re: [whatwg/fetch] Listing headers safe only for certain values is a bad idea (#313)

Sorry for joining late. We are moving the https://github.com/whatwg/fetch/issues/382 discussion here.

@sicking I read your position as "Browser restrictions on CORS header values 1) will make servers rely on them and thus result in poor server input validation, and 2) will result in more security bugs filed against browsers." True?

Servers that depend on browser-enforced header values might as well result in _better_ server-side input validation, right? For the Content-Type header, the current restriction might as well result in the server comparing with an enum and accepting nothing else.


Received on Wednesday, 7 September 2016 16:58:15 UTC