- From: Anne van Kesteren <notifications@github.com>
- Date: Fri, 14 Feb 2020 06:16:38 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 14 February 2020 14:16:51 UTC
annevk commented on this pull request. > @@ -760,7 +764,12 @@ fetch("https://victim.example/naïve-endpoint", { </div> <dt>Otherwise - <dd><p>Return false. + <dd> + <p>If <var>name</var> does not begin with the string "<code>sec-</code>", return false. + + <p class=note>As all headers beginning with "<code>Sec-</code>" are <a>forbidden header + names</a>, we have some confidence that they're generated by the user agent, and not via APIs + that developers directly control. I think for Fetch-Metadata all is in order because they are set as part of main fetch. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1000#discussion_r379452152
Received on Friday, 14 February 2020 14:16:51 UTC