- From: Emily Stark <notifications@github.com>
- Date: Thu, 26 Oct 2017 14:39:22 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/621@github.com>
As discussed in https://github.com/whatwg/fetch/issues/567, browsers have allowed various cross-origin requests with non-safelisted Content-Type header values to be sent without CORS preflights. These have occurred either by accident (and now can't be reversed for compatibility reasons) or because of design constraints (requests that are implemented outside of the web platform layer). These CORS exceptions are believed to be safe, but the spec should document them so that servers know to expect them.

I've added a note about the Content-Type exceptions, but haven't added them to the safelist, because doing so would imply that web content can trigger requests with these Content-Type headers and arbitrary bodies. We don't want to allow fully attacker-controlled requests with these headers, but rather just want to document the current state where web content can trigger the requests but not control the headers or bodies.

You can view, comment on, or merge this pull request online at: https://github.com/whatwg/fetch/pull/621

-- Commit Summary --
* Document CORS safelist exceptions

-- File Changes --
M fetch.bs (8)

-- Patch Links --
https://github.com/whatwg/fetch/pull/621.patch
https://github.com/whatwg/fetch/pull/621.diff
Received on Thursday, 26 October 2017 14:39:54 UTC
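The message above turns on what the Content-Type safelist actually permits and on what a server may wrongly infer from it. The following is an added example, written for this page and not taken from the PR, from the Fetch standard's text, or from any browser: a JavaScript approximation of the Fetch standard's CORS-safelisted request-header check (the three Content-Type essences, the 128-byte limit, the "CORS-unsafe request-header byte" rule, and the Accept / Accept-Language / Content-Language rules), followed by the server-side consequence the PR is documenting. Assumptions: the rules are those of the current Fetch standard rather than the 2017 text the PR patched; `mimeEssence` is a simplified MIME parse, not the spec's full algorithm; `allowStateChange` is a hypothetical server policy, not anything the PR proposes.

```javascript
// Added example, not code from the PR, the Fetch standard, or any browser.
// Approximates Fetch's "CORS-safelisted request-header" check and shows why
// a non-safelisted Content-Type is not, by itself, evidence of a preflight.

const SAFELISTED_ESSENCES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Fetch: "CORS-unsafe request-header byte" (assumed to match the current spec).
function isCorsUnsafeByte(b) {
  if (b < 0x20 && b !== 0x09) return true; // control bytes other than HTAB
  if (b === 0x7f) return true;             // DEL
  return [0x22, 0x28, 0x29, 0x3a, 0x3c, 0x3e, 0x3f, 0x40,
          0x5b, 0x5c, 0x5d, 0x7b, 0x7d].includes(b);
}

// Simplified MIME essence (type/subtype, lower-cased). Enough for the
// safelist decision; not the spec's full "parse a MIME type" algorithm.
function mimeEssence(value) {
  const head = value.split(";")[0].trim().toLowerCase();
  const m = /^([!#$%&'*+.^_`|~0-9a-z-]+)\/([!#$%&'*+.^_`|~0-9a-z-]+)$/.exec(head);
  return m ? `${m[1]}/${m[2]}` : null;
}

// True when a page may send this Content-Type cross-origin with no preflight.
function contentTypeIsCorsSafelisted(value) {
  const bytes = Buffer.from(value, "latin1");
  if (bytes.length > 128) return false;
  if (bytes.some(isCorsUnsafeByte)) return false;
  const essence = mimeEssence(value);
  return essence !== null && SAFELISTED_ESSENCES.has(essence);
}

// Per-header safelist check for the author-settable request headers.
function headerIsCorsSafelisted(name, value) {
  const bytes = Buffer.from(value, "latin1");
  if (bytes.length > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
      return !bytes.some(isCorsUnsafeByte);
    case "accept-language":
    case "content-language":
      return bytes.every((b) => /^[0-9A-Za-z *,\-.;=]$/.test(String.fromCharCode(b)));
    case "content-type":
      return contentTypeIsCorsSafelisted(value);
    default:
      return false; // any other author-set header forces a preflight
  }
}

// True when a page can make the browser send this cross-origin request, with
// an attacker-chosen body, without a preflight. `headers` holds only the
// headers a page could set itself (browser-added ones such as Origin are
// not subject to this check).
function requestIsSimple(method, headers) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return false;
  return Object.entries(headers).every(([n, v]) => headerIsCorsSafelisted(n, v));
}

// The server-side caveat the PR documents: a non-safelisted Content-Type on
// an incoming request is NOT proof that a preflight ran, because browsers
// send some such requests on their own, outside page control. So a server
// must not treat "Content-Type: application/json" as its CSRF defence.
// Hypothetical policy: state-changing requests must carry a trusted Origin
// (a CSRF token would be the other usual choice).
function allowStateChange(method, headers, trustedOrigins) {
  if (requestIsSimple(method, headers)) {
    // Any page could have sent this; fall through to the Origin check.
  }
  const entry = Object.entries(headers).find(([n]) => n.toLowerCase() === "origin");
  const origin = entry ? entry[1] : undefined;
  if (origin === undefined) return false; // assumption: non-GET must carry Origin
  return trustedOrigins.has(origin);
}

// Stand-alone demonstration.
console.log(requestIsSimple("POST", { "Content-Type": "text/plain" }));        // true
console.log(requestIsSimple("POST", { "Content-Type": "application/json" }));  // false
console.log(allowStateChange("POST", { "Content-Type": "application/json" },
                             new Set(["https://app.example"])));               // false
```

The last call is the point of the PR for server authors: the request carries a Content-Type that no page could have set without a preflight, yet the policy still refuses it because nothing else vouches for where it came from. Whether a preflight happened is not observable from the request itself, so the decision has to rest on Origin or a token rather than on the safelist.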