Re: [whatwg/fetch] CORS request-header Content-Type check should be on a combined value (#748) from Anne van Kesteren on 2018-11-13 (public-webapps-github@w3.org from November 2018)

From: Anne van Kesteren <notifications@github.com>
Date: Tue, 13 Nov 2018 05:30:08 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/748/438265959@github.com>

So I think the main problem is in https://fetch.spec.whatwg.org/#concept-headers-append. If you do
```js
headers.append("Content-Type", "s".repeat(127));
headers.append("Content-Type", "s".repeat(127));
```
both calls will succeed for a `Headers` object with guard "`request-no-cors`".

@yutakahirano I guess we need to combine first into some temporary value, validate that, and only if that's okay do the append?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/748#issuecomment-438265959

Received on Tuesday, 13 November 2018 13:30:29 UTC