[whatwg/fetch] CORS-safelisted request-headers and Client Hints (#1006)

Whitelisting request headers creates a perverse incentive for applications to use query strings rather than request headers for cross-site requests, to avoid preflights.

For example, there's an emerging specification (no public link, sorry) for media players to send hints to the origin. They define a request header, but because of CORS, also define a query parameter to convey this information in.

This doesn't seem like a good way to go; not only is the query string _not_ intended for colonisation by standards documents, it's also going to make caching and other generic functions more difficult to interpose, and less efficient. Linking can become problematic too.

It also seems like Client Hints are going to make this worse, as they get defined. While browser-defined hints will get included in the whitelist naturally, anything defined by other parties (whether it's the site in question, a common service, or something like video clients using fetch) is going to suffer.

The problem is the artificial pressure that CORS places on people who want to send such information to the server; it discourages using headers and encourages using query strings (or other parts of the URL).

Possible solutions (in rough preference order):

1. Turn the whitelist into a blacklist. AIUI the threat model that the whitelist is trying to mitigate is headers that the server may rely upon for security-critical processing; especially, `Content-Type`. Could we re-evaluate whether the whitelist is the most appropriate way to do this?

2. Make it easy to submit additions to the whitelist, and publicly commit to an SLA on processing them (or at least an intention to expedite them). In the example above, we could ask the folks defining the emerging spec to do that to make using the header more viable.

3. Define a prefix for CORS-whitelisted request headers that opts them out of the whitelist -- the idea being that the prefix will effectively block any existing header in use, so any header that uses it will be processed with the knowledge that it's exposed to cross-site client code (sort of like a reverse of `Sec-`).

/cc @igrigorik @yoavweiss @annevk 

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1006

Received on Thursday, 12 March 2020 03:13:32 UTC
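The incentive the issue describes comes from the Fetch spec's "CORS-safelisted request-header" check: a cross-origin request whose method is GET, HEAD or POST and whose headers all pass that check is sent without a preflight, and anything else costs an OPTIONS round trip. The block below is an added illustration, not code from the whatwg/fetch repository or any browser; it models the safelist as the spec defined it in early 2020 (Accept, Accept-Language, Content-Language and a restricted Content-Type, each value at most 128 bytes; the later Range safelisting is not modelled), plus the `Sec-`/`Proxy-` forbidden-prefix rule the third proposal refers to. The header name `Player-Hint` is a constructed stand-in for the unnamed media-player hint, not a real header.

```javascript
// Added example: a model of the WHATWG Fetch "CORS-safelisted request-header"
// algorithm (circa early 2020) and the preflight decision that follows from it.
// Illustrative code, not the spec's or any browser's implementation.

// A "CORS-unsafe request-header byte" per the spec: controls other than HT,
// and the delimiters " ( ) : < > ? @ [ \ ] { } and DEL.
function isCorsUnsafeByte(b) {
  return (b < 0x20 && b !== 0x09) ||
    [0x22, 0x28, 0x29, 0x3a, 0x3c, 0x3e, 0x3f, 0x40,
     0x5b, 0x5c, 0x5d, 0x7b, 0x7d, 0x7f].includes(b);
}

function hasUnsafeByte(value) {
  // Header values are byte sequences; script-supplied strings are latin1.
  return Array.from(Buffer.from(value, "latin1")).some(isCorsUnsafeByte);
}

// Accept-Language / Content-Language may only contain 0-9, A-Z, a-z,
// space, *, comma, hyphen, period, semicolon and equals.
const LANGUAGE_VALUE = /^[0-9A-Za-z *,\-.;=]*$/;

// Minimal MIME "essence" extraction: type/subtype before any parameters,
// lower-cased; null when it does not parse as two tokens.
function mimeEssence(value) {
  const essence = value.split(";")[0].trim().toLowerCase();
  const token = "[!#$%&'*+\\-.^_`|~0-9a-z]+";
  return new RegExp(`^${token}/${token}$`).test(essence) ? essence : null;
}

const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function isCorsSafelistedRequestHeader(name, value) {
  if (Buffer.byteLength(value, "latin1") > 128) return false;
  switch (name.toLowerCase()) {
    case "accept":
      return !hasUnsafeByte(value);
    case "accept-language":
    case "content-language":
      return LANGUAGE_VALUE.test(value);
    case "content-type": {
      if (hasUnsafeByte(value)) return false;
      const essence = mimeEssence(value);
      return essence !== null && SAFE_CONTENT_TYPES.has(essence);
    }
    default:
      // Any other header name, including a custom hint header, is not safelisted.
      return false;
  }
}

// Forbidden-prefix rule only (the full forbidden-name list is omitted here):
// script cannot set headers beginning with Sec- or Proxy- at all, which is
// the mechanism the issue's third proposal would mirror.
function isForbiddenPrefix(name) {
  return /^(sec|proxy)-/i.test(name);
}

// The spec byte-uppercases only these method names; others stay case-sensitive.
const NORMALISED_METHODS = new Set(["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"]);
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);

function normaliseMethod(method) {
  const upper = method.toUpperCase();
  return NORMALISED_METHODS.has(upper) ? upper : method;
}

// A cross-origin request needs a preflight when its method is not
// CORS-safelisted or any of its headers fails the safelist check.
function needsPreflight(method, headers) {
  if (!SAFE_METHODS.has(normaliseMethod(method))) return true;
  return Object.entries(headers).some(
    ([name, value]) => !isCorsSafelistedRequestHeader(name, value));
}

// Constructed requests (no real origin or service is referenced):
// the hint as a header costs a preflight; the same hint in the query string
// leaves a header-less GET that does not.
console.log(needsPreflight("GET", { "Player-Hint": "bitrate=3000" }));  // true
console.log(needsPreflight("GET", {}));                                  // false
console.log(needsPreflight("POST", { "Content-Type": "application/json" }));       // true
console.log(needsPreflight("POST", { "Content-Type": "text/plain; charset=utf-8" })); // false
console.log(isForbiddenPrefix("Sec-CH-UA"));                             // true
```

Run with `node`. The `Content-Type` branch is the part the issue singles out as security-critical: only the three form-style media types pass, so a cross-origin `application/json` body always announces itself with a preflight, while a custom header such as the constructed `Player-Hint` fails simply because its name is not on the list, which is exactly the pressure towards query parameters that the issue describes.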