- From: Jake Archibald <notifications@github.com>
- Date: Thu, 05 Apr 2018 11:03:38 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Thursday, 5 April 2018 11:04:45 UTC
"request-no-cors" header objects can contain 'privileged' headers such as `Range`, if they're set by a privileged API. If the headers are mutated, the privileged headers are removed:
```js
headers.has('Range'); // true
headers.set('Accept-Language', 'Geordie');
headers.get('Accept-Language'); // Geordie
headers.has('Range'); // false
```
But I'm trying to figure out what happens if the developer adds/modifies a privileged header:
* `headers.append('Range', 'blah')` - No-op. Privileged headers remain.
* `headers.delete('Range')` - All privileged headers removed.
* `headers.set('Range', 'blah')` - This is the tricky one. I'm leaning towards removing all privileged headers.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/560#issuecomment-378899102
Received on Thursday, 5 April 2018 11:04:45 UTC