- From: Anne van Kesteren <notifications@github.com>
- Date: Fri, 14 Feb 2020 05:06:26 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1000/review/358925128@github.com>
annevk commented on this pull request.

> @@ -760,7 +764,12 @@ fetch("https://victim.example/naïve-endpoint", {
>  </div>
>  <dt>Otherwise
> - <dd><p>Return false.
> + <dd>
> + <p>If <var>name</var> does not begin with the string "<code>sec-</code>", return false.
> +
> + <p class=note>As all headers beginning with "<code>Sec-</code>" are <a>forbidden header
> + names</a>, we have some confidence that they're generated by the user agent, and not via APIs
> + that developers directly control.

The other thing we should point out here is https://github.com/whatwg/fetch/pull/880#issuecomment-473973493. In particular, if Fetch isn't in control of setting these headers, you might be in for a surprise with service workers.

> @@ -760,7 +764,12 @@ fetch("https://victim.example/naïve-endpoint", {
>  </div>
>  <dt>Otherwise
> - <dd><p>Return false.
> + <dd>
> + <p>If <var>name</var> does not begin with the string "<code>sec-</code>", return false.

```suggestion
<p>If <var>name</var> does not start with `<code>sec-</code>`, then return false.
```

> @@ -760,7 +764,12 @@ fetch("https://victim.example/naïve-endpoint", {
>  </div>
>  <dt>Otherwise
> - <dd><p>Return false.
> + <dd>
> + <p>If <var>name</var> does not begin with the string "<code>sec-</code>", return false.
> +
> + <p class=note>As all headers beginning with "<code>Sec-</code>" are <a>forbidden header

```suggestion
<p class=note>As all headers starting with `<code>Sec-</code>` are <a>forbidden header
```
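Review bot: the new step in this hunk, `+ <p>If <var>name</var> does not begin with the string "<code>sec-</code>", return false.`, compares against the lowercase prefix "sec-" while the note two lines later speaks of headers beginning with "Sec-"; the two spellings differ only in case, so the step should state explicitly whether the prefix match is case-insensitive, otherwise an implementer may read it as a byte-exact match and treat "Sec-Fetch-Mode" differently from "sec-fetch-mode". The note's claim that such headers are "generated by the user agent" would also be a good place to record the service worker caveat raised in the comment above, since the rationale for returning false here rests on it.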
Received on Friday, 14 February 2020 13:06:39 UTC