Re: [whatwg/fetch] CORS safelisting trace context header (#911)

If I understand it correctly this is a web application level protocol not intended to be implemented by browsers? (Whether it's implemented by browsers does not matter so much for this issue, but in that case I might have some other feedback.)

We don't extend that algorithm generally as it gives attackers more opportunity to attack unsuspecting servers. The solution to the additional roundtrips might be some variant of https://github.com/WICG/origin-policy/, assuming you hit a single origin multiple times.

https://github.com/whatwg/fetch/issues/911#issuecomment-504012518

Received on Thursday, 20 June 2019 12:49:13 UTC
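
An added example, not part of the message above and not code from the Fetch Standard: a simplified version of the CORS-safelisted request-header check, showing why a cross-origin request carrying a trace context header is preflighted. The function names, the `traceparent` header name and the sample value (W3C Trace Context format) are assumptions for illustration.

```javascript
// Added illustration; simplified from the Fetch Standard's
// "CORS-safelisted request-header" check (the `range` case and full
// MIME type parsing are omitted; string length stands in for byte length).
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);

// Bytes the standard treats as unsafe in `accept` / `content-type` values.
function hasUnsafeByte(value) {
  return [...value].some((ch) => {
    const c = ch.charCodeAt(0);
    return (c < 0x20 && c !== 0x09) || c === 0x7f || '"():<>?@[\\]{}'.includes(ch);
  });
}

function isCorsSafelisted(name, value) {
  if (value.length > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
      return !hasUnsafeByte(value);
    case "accept-language":
    case "content-language":
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case "content-type": {
      if (hasUnsafeByte(value)) return false;
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFE_CONTENT_TYPES.has(essence);
    }
    default:
      return false; // every other header, including traceparent
  }
}

// Names of headers that force a preflight on a cross-origin request.
function headersNeedingPreflight(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => !isCorsSafelisted(name, value))
    .map(([name]) => name.toLowerCase());
}

// Constructed sample request carrying a W3C Trace Context header.
const sample = {
  Accept: "application/json",
  "Content-Type": "text/plain;charset=UTF-8",
  traceparent: "00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-01",
};
console.log(headersNeedingPreflight(sample)); // [ 'traceparent' ]
```

The safelist is closed by default and constrains values as well as names, so a server that never opted in to CORS does not receive arbitrary cross-origin header content without a preflight.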