Re: [whatwg/fetch] Accept 'sec-'-prefixed headers as CORS-safelisted. (#1000) from Mike West on 2020-02-14 (public-webapps-github@w3.org from February 2020)

From: Mike West <notifications@github.com>
Date: Fri, 14 Feb 2020 05:31:36 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1000/review/358940330@github.com>

mikewest commented on this pull request.



> @@ -760,7 +764,12 @@ fetch("https://victim.example/naïve-endpoint", {
     </div>
 
    <dt>Otherwise
-   <dd><p>Return false.
+   <dd>
+    <p>If <var>name</var> does not begin with the string "<code>sec-</code>", return false.
+
+    <p class=note>As all headers beginning with "<code>Sec-</code>" are <a>forbidden header

Thank you. :) I was searching for variants of "begin" and "prefix" without luck!

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1000#discussion_r379430327

Received on Friday, 14 February 2020 13:31:48 UTC