- From: Erik Anderson <notifications@github.com>
- Date: Thu, 12 Sep 2019 17:30:29 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 13 September 2019 00:30:51 UTC
That's reasonable and is actually a closer match to what we have historically vs. what I described (sorry!). IE and Edge have been appending this below the Fetch stack and where CORS enforcement happens. If a site adds the header themselves via Fetch, we do enforce CORS on it.
There is an admittedly hypothetical use case of a site wanting to have its own determination of child account or not and then use that to make cross-origin requests that include a `Prefer: safe` header value. It's reasonable to say that a server involved in that should explicitly think about that scenario and, given that covers current behavior is what we should probably go with.
I think the proposal at this point is:
1. Update the note in https://fetch.spec.whatwg.org/#http-network-or-cache-fetch, step 16 ("Modify httpRequest's header list per HTTP") which covers Accept-Encoding, Connection, DNT, and Host.
2. Do _not_ add the Prefer header to the forbidden header name list.
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/934#issuecomment-531056031
Received on Friday, 13 September 2019 00:30:51 UTC