- From: Anne van Kesteren <notifications@github.com>
- Date: Wed, 11 Sep 2019 06:44:06 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 11 September 2019 13:44:28 UTC
We should specify that browsers can include it, probably at the point where they also include the `Host` header and such, such that it is not exposed to service workers, but is to servers, but why should we CORS safelist it? Wouldn't that allow sites to spoof it? cc @mnot -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/934#issuecomment-530386567
Received on Wednesday, 11 September 2019 13:44:28 UTC