[whatwg/fetch] "Prefer: safe" header behavior not defined with respect to CORS (#934)

Internet Explorer, Microsoft Edge, and Mozilla Firefox all implement the "Prefer: safe" header called out in this blog:
https://blog.mozilla.org/netpolicy/2014/07/22/prefersafe-making-online-safety-simpler-in-firefox/

In all of the current implementations, it is only enabled when a child account is in use on Windows.

The feature is defined in https://tools.ietf.org/html/draft-nottingham-safe-hint-11 which also references RFC 7240 (Prefer Header for HTTP, https://tools.ietf.org/html/rfc7240).

The "Prefer: safe" IETF specification has not progressed to a proposed standard, but given there are multiple browsers implementing it, it is potentially worth defining what should happen in the context of Fetch.

Since the browser is adding the header independent of a site decision, I believe it makes sense for it to be CORS safelisted. I don't believe we should safelist the Prefer header in general since that's overly broad. Would it make sense to make a similar carve-out in the "CORS protocol exceptions" section to state that a `Prefer` header with a value of `safe` should be excluded from CORS preflight checks?

This is essentially what IE and Edge are doing today. I'm not sure what Firefox's behavior is.

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/934

Received on Tuesday, 10 September 2019 20:48:35 UTC
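To make the preflight question concrete, here is an added illustration (not code from the Fetch spec, the issue author, or any browser) of how the Fetch "CORS-safelisted request-header" check decides whether a header forces a preflight, and what changes if a `Prefer: safe` carve-out like the one proposed above is applied. The four safelisted header names, the 128-byte value limit, the three safelisted `Content-Type` essences and the CORS-unsafe byte set are taken from the Fetch spec; the `preferSafeException` option is a hypothetical switch that models the proposal, and the `Accept-Language`/`Content-Language` value rules are simplified to the generic unsafe-byte check.

```javascript
// Added example: a simplified model of Fetch's CORS preflight decision with
// a hypothetical "Prefer: safe" exception. Not the Fetch spec's own algorithm
// and not browser code; the preferSafeException option is an assumption that
// models the carve-out proposed in the issue.

const SAFELISTED_NAMES = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const CORS_SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// "CORS-unsafe request-header byte" per Fetch: controls below 0x20 (tab
// excepted), DEL, and the characters " ( ) : < > ? @ [ \ ] { }.
function hasCorsUnsafeByte(value) {
  return /[\x00-\x08\x0A-\x1F\x7F"():<>?@\[\\\]{}]/.test(value);
}

// True if a (name, value) pair may be sent cross-origin without a preflight.
function isCorsSafelistedRequestHeader(name, value, opts = {}) {
  const lname = name.toLowerCase();
  // Hypothetical carve-out (assumption): a Prefer header whose value is
  // exactly the "safe" token is treated as safelisted.
  if (opts.preferSafeException && lname === "prefer" && value.trim().toLowerCase() === "safe") {
    return true;
  }
  if (!SAFELISTED_NAMES.has(lname)) return false;
  if (value.length > 128) return false; // Fetch's value-length limit
  if (hasCorsUnsafeByte(value)) return false;
  if (lname === "content-type") {
    // Only the MIME essence (before any parameters) is compared.
    const essence = value.split(";")[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(essence);
  }
  return true;
}

// Returns the method and header names that would force a preflight; an empty
// list means the request can go out as a "simple" CORS request.
function preflightTriggers(method, headers, opts = {}) {
  const triggers = [];
  if (!CORS_SAFELISTED_METHODS.has(method.toUpperCase())) triggers.push(`method ${method}`);
  for (const [name, value] of Object.entries(headers)) {
    if (!isCorsSafelistedRequestHeader(name, value, opts)) triggers.push(name);
  }
  return triggers;
}

function needsPreflight(method, headers, opts = {}) {
  return preflightTriggers(method, headers, opts).length > 0;
}

// Constructed sample: the headers a browser in child-account mode would add
// to an otherwise simple cross-origin GET.
const sampleHeaders = { "Accept": "text/html", "Accept-Language": "en-US", "Prefer": "safe" };
console.log(preflightTriggers("GET", sampleHeaders));                                // ["Prefer"]
console.log(preflightTriggers("GET", sampleHeaders, { preferSafeException: true }));  // []
// A different Prefer value is still not covered by the carve-out.
console.log(preflightTriggers("GET", { "Prefer": "return=minimal" }, { preferSafeException: true })); // ["Prefer"]
```

Without the exception, the browser-injected `Prefer: safe` header alone turns a simple GET into a preflighted request, which is the incompatibility the issue is pointing at; with the exception, only that exact token is exempted, so other `Prefer` values (and any other non-safelisted header) still trigger a preflight.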