Re: [whatwg/fetch] Safelist request headers starting with `Sec-` (#880)

Yoav,
The Sec- prefix is already in the Fetch spec: https://fetch.spec.whatwg.org/#forbidden-header-name
See my comments in the previous thread. The Sec- prefix should not be in the safelist, but in the forbidden header name list. JavaScript is not permitted to set header names in the latter list from XHR or the Fetch API; only user agents can set them. So since the name is 'forbidden', in terms of a CORS request, user agents are allowed to use it and it does not trigger a CORS preflight.

-- 
View it on GitHub:
https://github.com/whatwg/fetch/pull/880#issuecomment-473945136

Received on Monday, 18 March 2019 14:57:37 UTC
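
The rule described in the message above, as an added example that is not part of the original message or the Fetch project's code: a simplified JavaScript model of how a browser handles headers on a cross-origin request. The function names, the sample headers and the name list (the Fetch spec's forbidden header names as understood around the time of the message, with the spec's value-length and byte checks omitted) are assumptions of this sketch.

```javascript
// Simplified model of the Fetch header rules discussed above (added example).
// Assumption: this list mirrors fetch.spec.whatwg.org/#forbidden-header-name.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];
const SAFELISTED_NAMES = new Set(["accept", "accept-language", "content-language"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// Name match is case-insensitive; "Sec-" and "Proxy-" match as prefixes.
function isForbiddenHeaderName(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_NAMES.has(n) || FORBIDDEN_PREFIXES.some((p) => n.startsWith(p));
}

// Simplified CORS-safelisted check: name plus Content-Type essence only.
function isCorsSafelisted(name, value) {
  const n = name.toLowerCase();
  if (SAFELISTED_NAMES.has(n)) return true;
  if (n !== "content-type") return false;
  return SAFELISTED_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
}

// scriptHeaders: what page JavaScript tried to set via XHR or fetch().
// uaForbiddenHeaders: forbidden-named headers the user agent adds itself.
function planRequest(scriptHeaders, uaForbiddenHeaders) {
  const sent = {}, dropped = [], preflightNames = [];
  for (const [name, value] of Object.entries(scriptHeaders)) {
    if (isForbiddenHeaderName(name)) { dropped.push(name); continue; } // silently ignored
    sent[name] = value;
    if (!isCorsSafelisted(name, value)) preflightNames.push(name.toLowerCase());
  }
  // Per the message: user-agent-set forbidden names do not trigger a preflight.
  for (const [name, value] of Object.entries(uaForbiddenHeaders)) sent[name] = value;
  preflightNames.sort();
  return { sent, dropped, preflight: preflightNames.length > 0, preflightNames };
}

// Constructed sample input: a script trying to spoof a Sec- header.
const SAMPLE_SCRIPT_HEADERS = {
  "Sec-Fetch-Site": "same-origin", "X-Requested-With": "XMLHttpRequest",
  "Accept": "application/json", "Content-Type": "application/json",
};
const SAMPLE_UA_HEADERS = { "Sec-Fetch-Site": "cross-site" };
console.log(planRequest(SAMPLE_SCRIPT_HEADERS, SAMPLE_UA_HEADERS));
```

The guarantee only covers requests issued by a conforming browser; a server that relies on a `Sec-` header still has to treat non-browser clients as able to send any value.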