- From: Ruben Verborgh <notifications@github.com>
- Date: Fri, 08 Mar 2019 08:58:19 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 8 March 2019 16:58:40 UTC
> But, if that change was justified, similar future issues would be a problem for your proposal too.

My proposal/request is _exactly_ to be immune from such issues. Probably some security bug exists where long headers cause problem X or Y (@annevk couldn't publicly comment); hence the change. I'm describing a mechanism where the server says: you know what, if X or Y indeed are problems, then nothing additional is compromised compared to doing the same attack from the command line or a native app. Hence, I don't rely on the browser security mechanism. (This is very different from cases where, let's say, an API does cookie-based authentication, in which browser-based requests would have a privilege over other means.)

> You're describing an opt-in.

Given that any mechanism could be characterized as opt-in (e.g., when I'm Accepting text/json, I'm opting in to JSON), I'll need better definitions to meaningfully address your concern with an opt-in. I do not share the view that opt-ins will necessarily need adjustments, if a server knows exactly what it is opting in or out of, and if that is broad enough to cover the above cases.

--
View it on GitHub: https://github.com/whatwg/fetch/issues/878#issuecomment-470999625