- From: Takashi Toyoshima <notifications@github.com>
- Date: Mon, 18 Mar 2019 09:12:16 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 18 March 2019 16:12:42 UTC
https://github.com/w3c/resource-hints/issues/74#issuecomment-473806820 This is the thread I meant. Yep, since the user-agents' managed headers are injected later but before making network requests, they won't appear in the header list when we run several algorithms for the fetch and XHR specs, and these headers don't have a chance to set unsafe-request flag or use-CORS-preflight flag. That's my understanding. But, if you need to say something explicitly, can we say that 'if the header name matches the forbidden header names' rather than 'if the header name is Sec-*'? Actually, that's Chrome implementation. https://cs.chromium.org/chromium/src/services/network/cors/cors_url_loader.cc?q=NeedsPreflight https://cs.chromium.org/chromium/src/services/network/public/cpp/cors/cors.cc?q=CorsUnsafeNotForbiddenRequestHeaderNames -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/880#issuecomment-473982322
Received on Monday, 18 March 2019 16:12:42 UTC