Re: [whatwg/fetch] CORS: arbitrary blocking of accept header based on length (#862) from Pieter Colpaert on 2019-01-29 (public-webapps-github@w3.org from January 2019)

From: Pieter Colpaert <notifications@github.com>
Date: Tue, 29 Jan 2019 05:36:16 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/862/458541778@github.com>

@annevk Would you be open to one of the following suggestions?

#### Suggestion 1: set the number of bytes to a higher value?

Then at least the basic javascript querying applications using conneg intensively keep working

#### Suggestion 2: don’t block but alter the request

Don’t block the request, but instead, remove the accept header from the request when the OPTIONS header doesn’t allow the accept header explicitly and send it anyway.

This makes sense as this way servers that don’t support certain headers also don’t need to expose them in their allowed headers in order for clients that do support them to work.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/862#issuecomment-458541778

Received on Tuesday, 29 January 2019 13:36:38 UTC