- From: Yoav Weiss <notifications@github.com>
- Date: Mon, 05 Nov 2018 13:40:19 +0000 (UTC)
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 5 November 2018 13:40:41 UTC
Yeah, adding CORS request headers to the safelist has been a somewhat painful process. I'd be fine with requiring all future hints to switch to using a `Sec-CH` prefix (or just a `CH-` prefix, as it used to be defined back in the day) to avoid extending the list further and further. It might even be possible for us to migrate current users to the prefixed values. > Reportedly the client hints community also wants to be able to control these headers at times so `Sec-` wouldn't work for them. https://github.com/whatwg/fetch/labels/topic%3A%20client%20hints has all the relevant Fetch discussion on this topic. At least the hints that Mike is discussing have no reasonable use-case for user-side manipulations. I need to revisit the user-side manipulations use-case and see if we can't: * Have the browser set `Sec-CH-X` headers that are safelisted by default * Have users set `X` headers, which are not -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/320#issuecomment-435876743
Received on Monday, 5 November 2018 13:40:41 UTC