Re: [whatwg/fetch] Allow custom headers on no-cors requests (#380)

> Changing the default mode or the behaviour of no-cors feels risky, and I'm not sure how we'd evaluate that risk.

Adding another mode complicates the platform and API surface, though.

Today we have:

1. Create no-cors request
2. Add custom header to request
3. Custom header is thrown away
4. Request fetches cross-origin
5. Server does not see custom header

If we moved where the stripping occurs, we would have:

1. Create no-cors request
2. Add custom header to request
3. Request fetches cross-origin
4. Custom header is thrown away
5. Server does not see custom header

The end result is that the server does not see it. This seems much nicer than adding yet another mode and is consistent with how we are building other no-cors restrictions in fetch.

I'd be curious what risks people have in mind that would prevent this.

https://github.com/whatwg/fetch/issues/380#issuecomment-382934062

Received on Friday, 20 April 2018 01:25:59 UTC
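
The two orderings listed in the message above, as a small model. This is an added example, not part of the original message and not the Fetch Standard's algorithm; the function names, the name-only safelist and the sample headers are assumptions. It shows that the server sees the same headers either way, while code holding the request object before the fetch sees different ones.

```javascript
// Simplified model (added example). Names and the safelist are assumptions;
// the real safelist also restricts header values, which is ignored here.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// A "custom" header is any header whose name is not on the safelist.
const isCustom = (name) => !SAFELISTED.has(name.toLowerCase());

// Drop every header a no-cors request is not allowed to send.
function stripCustom(headers) {
  return new Map([...headers].filter(([name]) => !isCustom(name)));
}

// stripAt === "append": today's ordering (header thrown away when it is added).
// stripAt === "fetch":  proposed ordering (header thrown away at the fetch).
function simulateNoCors(stripAt, toAppend) {
  const requestHeaders = new Map();
  for (const [name, value] of toAppend) {
    if (stripAt === "append" && isCustom(name)) continue; // discarded immediately
    requestHeaders.set(name.toLowerCase(), value);
  }
  // What script holding the request object can read before the fetch starts.
  const visibleOnRequest = [...requestHeaders.keys()];
  // Network boundary: in the proposed ordering the stripping happens here.
  const onWire = stripAt === "fetch" ? stripCustom(requestHeaders) : requestHeaders;
  return { visibleOnRequest, seenByServer: [...onWire.keys()] };
}

// Constructed sample input: one safelisted header and one custom header.
const sample = [["Accept", "text/html"], ["X-Custom", "1"]];
const today = simulateNoCors("append", sample);
const proposed = simulateNoCors("fetch", sample);
console.log({ today, proposed });
```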