- From: Yutaka Hirano <notifications@github.com>
- Date: Mon, 17 Aug 2020 22:27:01 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 18 August 2020 05:27:14 UTC
In https://fetch.spec.whatwg.org/#dom-request, we set request's headers guard to "request" if _init_ is empty, even when created from a no-cors request. This allows web developers to modify headers that are not CORS-safelisted. This seems like a spec bug. See also: #560 @youennf @annevk @jakearchibald -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1074
Received on Tuesday, 18 August 2020 05:27:14 UTC