- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 11 Feb 2020 05:19:54 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 11 February 2020 13:19:56 UTC
annevk commented on this pull request.
As Yoav once discovered, this does not work. As https://fetch.spec.whatwg.org/#cors-unsafe-request-header-names is currently invoked, setting `Sec-` headers before the network layer forces a preflight. We'd have to add an exception there (or its caller).
I think there is agreement that adding an exception is fine, provided the `Sec-` headers have reasonable restrictions on length and attacker-controlled data. (Perhaps we ought to document that in the process of enshrining this exception.)
> @@ -3335,6 +3340,9 @@ optionally with a <i>recursive flag</i>, run these steps:
<li><p><a href=https://w3c.github.io/webappsec-upgrade-insecure-requests/#upgrade-request>Upgrade <var>request</var> to a potentially secure URL, if appropriate</a>.
[[!UPGRADE]]
+ <li><p><a abstract-op lt="set the Fetch metadata headers for a request">Set the Fetch metadata headers for <var>request</var></a>.
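Review bot: Setting the Fetch metadata headers at this point, in the added `<li>` directly after the upgrade step, happens before the network layer, so the `Sec-` headers are seen by the CORS-unsafe request-header names check and force a preflight, as the comment above notes. Either pair this step with an explicit exception in that check (or its caller), or set the headers later. If the exception route is taken, document the length and attacker-controlled-data restrictions it relies on alongside it.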
Why is this an abstract-op? I thought those were only for JavaScript.
--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/993#pullrequestreview-356644531