Re: [whatwg/fetch] Limit the length of the Referer header (#903)

Thank you (and thank you @MattMenke2 for arguing for the model I also wanted to go with)! Per the "We Still Don’t Have Secure Cross-Domain Requests: an Empirical Study of CORS" paper a 4KiB limit would be quite good, but might still expose the length of large cookies on Tomcat servers given the 8KiB overall limit there.

Another thing we might consider is if it should influence https://fetch.spec.whatwg.org/#cors-unsafe-request-header-names somehow. That is, if your referrer is very large, we cap your budget for CORS-safelisted request-header values. This gets quite complex though so probably best avoided.

If we don't want to consider the interaction with CORS, I suspect we want to put this logic in https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer.


https://github.com/whatwg/fetch/issues/903#issuecomment-493074710

Received on Thursday, 16 May 2019 13:48:32 UTC
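The cap the comment proposes for "determine request's referrer", written out as an added example (not text from the Fetch or Referrer Policy specs): if the serialized referrer exceeds a byte limit, the user agent sends only the origin. The 4096-byte limit is the 4KiB figure from the thread; falling back to the origin rather than sending nothing, and the `capReferrer`/`stripForReferrer` names, are assumptions made here.

```javascript
// Added example, not spec text. Limit discussed in the thread (4 KiB).
const REFERRER_LIMIT_BYTES = 4096;

// Byte length as it would appear on the wire. URL serialization is ASCII
// (punycode host, percent-encoded path/query), so this matches header bytes.
function byteLength(s) {
  return new TextEncoder().encode(s).length;
}

// A referrer never carries credentials or a fragment; drop them first so the
// length check is made on the string that would actually be sent.
function stripForReferrer(url) {
  const u = new URL(url);
  u.username = "";
  u.password = "";
  u.hash = "";
  return u;
}

// Returns { referrer, reducedToOrigin }. referrer is null when the source
// URL is not http(s) (no referrer is sent at all in that case).
function capReferrer(url, limit = REFERRER_LIMIT_BYTES) {
  const u = stripForReferrer(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { referrer: null, reducedToOrigin: false };
  }
  const full = u.href;
  if (byteLength(full) <= limit) {
    return { referrer: full, reducedToOrigin: false };
  }
  // Over budget: send only the origin form (scheme://host[:port]/), which is
  // what the "origin" referrer policy would produce. Assumption: origin
  // fallback rather than omitting the header entirely.
  return { referrer: u.origin + "/", reducedToOrigin: true };
}
```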