Re: [whatwg/fetch] Strengthen requirements on CORS-safelisted request-headers (#736)

@yutakahirano I looked at all callers of CORS-safelisted request-header and considered an alternative design whereby the input is a header list and the output is a list of headers that are not safelisted. That way we could have an overall size limit and if it is reached we'd just not safelist anything.

However, the one problem with this approach is the `Headers` object and its "`request-no-cors`" guard. That fundamentally requires per-header decisions. I don't think we can delay that check and there's no CORS-preflight fetch fallback either.

Perhaps the solution to that is that we freeze "`request-no-cors`" to `Accept`, `Accept-Language`, `Content-Language`, and `Content-Type`, with the 128 header value byte limit. That seems good as I don't think we want to continue to expand the API surface of `no-cors`. And then for the CORS protocol we impose an overall 1024 byte limit (and perhaps have the per-header limit as well?).

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/736#issuecomment-392540660

Received on Monday, 28 May 2018 14:24:23 UTC