- From: Yoav Weiss <notifications@github.com>
- Date: Mon, 18 Mar 2019 15:09:50 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 18 March 2019 15:10:18 UTC
> See my comments in the previous thread

Any pointers to that thread?

> Sec- prefix should not be in the safelist, but in the forbidden header name list.

IIUC, it should be in both. I agree only user agents should be able to set it (hence it should be in the forbidden list), but then, when a user agent invokes e.g. [main fetch](https://fetch.spec.whatwg.org/#concept-main-fetch), in step 5, it needs to verify that the [CORS unsafe request header names](https://fetch.spec.whatwg.org/#cors-unsafe-request-header-names) list is empty. That, in turn, triggers the [CORS safelisted request header](https://fetch.spec.whatwg.org/#cors-safelisted-request-header) algorithm on all header fields, checking if they are safe-listed. Not including `Sec-` in that last check would mean preflights would trigger on those requests. Since we want to avoid those preflights, I think `sec-` checks should be in both the safelist and the forbidden list.

View it on GitHub: https://github.com/whatwg/fetch/pull/880#issuecomment-473950680
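The distinction the comment draws between the two lists, as an added example that is not part of the whatwg/fetch PR or of any browser's code: a simplified model of Fetch's "forbidden header name" check (which decides whether a page script may set a header at all) and its "CORS-safelisted request header" check (which main fetch uses to decide whether a CORS request needs a preflight). The `secPrefixSafelisted` parameter is an assumption that models the proposal under discussion so both outcomes can be compared; the forbidden-name list is an illustrative subset, and the 1024-byte combined-value limit and the finer Accept/Accept-Language value rules are omitted.

```javascript
// Added example, not code from the Fetch spec or the PR. Models two separate
// checks: forbidden header names (scripts may not set them) and CORS-safelisted
// request headers (headers that do not force a preflight).

// Illustrative subset of Fetch's forbidden header names (not the full list).
const FORBIDDEN_NAMES = new Set([
  'accept-charset', 'accept-encoding', 'access-control-request-headers',
  'access-control-request-method', 'connection', 'content-length', 'cookie',
  'date', 'dnt', 'host', 'origin', 'referer', 'te', 'trailer',
  'transfer-encoding', 'upgrade', 'via',
]);

// Forbidden header name: in the list, or starting with `Proxy-` or `Sec-`.
// This is the "forbidden list" half: only the user agent may set these.
function isForbiddenHeaderName(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_NAMES.has(n) || n.startsWith('proxy-') || n.startsWith('sec-');
}

// CORS-unsafe request-header byte: control bytes other than HT, DEL, and the
// listed delimiter bytes.
function isCorsUnsafeByte(b) {
  return (b < 0x20 && b !== 0x09) || b === 0x7f ||
    '"():<>?@[\\]{}'.includes(String.fromCharCode(b));
}

function hasUnsafeBytes(value) {
  return Buffer.from(value, 'latin1').some(isCorsUnsafeByte);
}

// CORS-safelisted request header (simplified). `secPrefixSafelisted` is an
// assumed switch modelling the proposal to add `Sec-` to the safelist.
function isCorsSafelistedRequestHeader(name, value, secPrefixSafelisted) {
  const n = name.toLowerCase();
  if (secPrefixSafelisted && n.startsWith('sec-')) return true;
  if (value.length > 128 || hasUnsafeBytes(value)) return false;
  switch (n) {
    case 'accept':
    case 'accept-language':
    case 'content-language':
      return true;
    case 'content-type': {
      // Only these three MIME essences are safelisted.
      const essence = value.split(';')[0].trim().toLowerCase();
      return ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']
        .includes(essence);
    }
    default:
      return false;
  }
}

// CORS-unsafe request-header names: every header that fails the safelist check.
function corsUnsafeRequestHeaderNames(headers, secPrefixSafelisted) {
  return headers
    .filter(([name, value]) => !isCorsSafelistedRequestHeader(name, value, secPrefixSafelisted))
    .map(([name]) => name.toLowerCase());
}

// Main fetch (simplified): a CORS request needs a preflight unless its method is
// CORS-safelisted and the CORS-unsafe request-header names list is empty.
function needsPreflight(method, headers, secPrefixSafelisted) {
  const safeMethod = ['GET', 'HEAD', 'POST'].includes(method.toUpperCase());
  return !safeMethod || corsUnsafeRequestHeaderNames(headers, secPrefixSafelisted).length > 0;
}

// Constructed sample: a UA-added Sec- header next to a page-set Accept header.
const SAMPLE_HEADERS = [['Accept', '*/*'], ['Sec-Fetch-Mode', 'cors']];

// Forbidden either way: a page script can never set it.
console.log(isForbiddenHeaderName('Sec-Fetch-Mode'));      // true
// Without a safelist entry, the UA-added header alone forces a preflight.
console.log(needsPreflight('GET', SAMPLE_HEADERS, false));  // true
// With Sec- in the safelist as well, the same request goes out without one.
console.log(needsPreflight('GET', SAMPLE_HEADERS, true));   // false
```

Run it with `node`. The point of the two `needsPreflight` calls is the one made in the comment: the forbidden-name check and the safelist check are evaluated independently, so a `Sec-` header that is forbidden to scripts still counts as CORS-unsafe, and therefore triggers a preflight, unless the safelist also recognises the prefix.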