- From: Takashi Toyoshima <notifications@github.com>
- Date: Mon, 18 Mar 2019 07:57:16 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 18 March 2019 14:57:37 UTC
Yoav, Sec- prefix is already in the Fetch spec; https://fetch.spec.whatwg.org/#forbidden-header-name . See my comments in the previous thread. Sec- prefix should not be in the safelist, but in the forbidden header name list. Header names in the latter list are not permitted for JavaScript to set from XHR or Fetch API, but only user-agents can set. So since the name is 'forbidden', in terms of CORS request, it's allowed for user-agents to use and it does not trigger a CORS preflight. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/880#issuecomment-473945136
Received on Monday, 18 March 2019 14:57:37 UTC