- From: Yoav Weiss <notifications@github.com>
- Date: Tue, 21 Aug 2018 02:43:53 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/issues/800@github.com>
During an [IRC discussion](https://freenode.logbot.info/whatwg/20180821#c1673098) about https://github.com/whatwg/fetch/pull/773, @annevk brought up a few points we need to consider when it comes to CH processing:

* If we want to make sure that CH headers are not sent on cross-origin request headers, including cross-origin redirects, we need to have origin checks relatively low in the stack and only add those headers there.
* However, that would mean that the headers will not be exposed to service workers, which would limit some of their use-cases.
* An alternative would be to add the headers up the stack and remove them further down for cross-origin redirects, but that would mean we'd also remove them for user-added CH headers. It'd also mean that CH is the first feature introducing header removal.

So, we need to decide on the trade-off between privacy, usability and functionality here:

* How awful would it be to send CH to cross-origin redirects?
* If the answer to the above is "really awful", we need to find a way to avoid doing that without harming SW use of CH as well as user-added CH headers.

Personally, I think the SW use case is more important than the user-added headers case.

@igrigorik @arturjanc - thoughts?

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/800
Received on Tuesday, 21 August 2018 09:44:16 UTC
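
The two header placements weighed in the message above, as an added sketch that is not part of the original message or of the Fetch specification. The `simulate` function, the strategy names `"low"` and `"high"`, the hint values and the `a.example`/`b.example` origins are all assumptions made for illustration; the model treats each hop independently.

```javascript
// Simplified model of where Client Hints (CH) headers are attached.
// Not the Fetch algorithm; every name and value here is constructed.
const CH_NAMES = ["dpr", "viewport-width", "width"];
const UA_HINTS = { "dpr": "2", "viewport-width": "1280" }; // what the UA would add

// strategy "low":  add CH at the network layer, only for same-origin hops.
// strategy "high": add CH before the service worker, strip on cross-origin hops.
// hops: URLs in order, the initial request followed by its redirects.
// userHeaders: headers set by page script, keys assumed lowercase.
function simulate(strategy, docOrigin, hops, userHeaders) {
  let headers = { ...userHeaders };
  if (strategy === "high") headers = { ...UA_HINTS, ...headers };

  // The service worker sees the request before it reaches the network layer.
  const seenByServiceWorker = { ...headers };

  const sent = hops.map((url) => {
    const sameOrigin = new URL(url).origin === docOrigin;
    let out = { ...headers };
    if (strategy === "low" && sameOrigin) {
      out = { ...UA_HINTS, ...out };
    }
    if (strategy === "high" && !sameOrigin) {
      // Removal cannot tell UA-added hints from user-added ones.
      for (const name of Object.keys(out)) {
        if (CH_NAMES.includes(name)) delete out[name];
      }
    }
    return { url, headers: out };
  });
  return { seenByServiceWorker, sent };
}

// Constructed scenario: same-origin request redirected cross-origin,
// with the page having set its own Width header.
const hops = ["https://a.example/img", "https://b.example/img"];
for (const strategy of ["low", "high"]) {
  const r = simulate(strategy, "https://a.example", hops, { width: "400" });
  console.log(strategy, JSON.stringify(r, null, 2));
}
```

In this model `"low"` keeps the UA's hints off the cross-origin hop but hides them from the service worker, while `"high"` exposes them to the service worker and drops the user-set `width` on the redirect along with the UA's hints.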