Re: [whatwg/fetch] Accept 'sec-'-prefixed headers as CORS-safelisted. (#1000)

annevk commented on this pull request.



> @@ -760,7 +764,12 @@ fetch("https://victim.example/naïve-endpoint", {
     </div>
 
    <dt>Otherwise
-   <dd><p>Return false.
+   <dd>
+    <p>If <var>name</var> does not begin with the string "<code>sec-</code>", return false.
+
+    <p class=note>As all headers beginning with "<code>Sec-</code>" are <a>forbidden header
+    names</a>, we have some confidence that they're generated by the user agent, and not via APIs
+    that developers directly control.

I think for Fetch-Metadata all is in order because they are set as part of main fetch.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1000#discussion_r379452152

Received on Friday, 14 February 2020 14:16:51 UTC