- From: Daniel Dyla <notifications@github.com>
- Date: Tue, 12 Jan 2021 11:44:06 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 12 January 2021 19:44:19 UTC
Hello, member of the W3C working group which developed the Trace Context spec here. Maybe I can provide some context. 1. The spec may indeed be eventually implemented by browsers, but I think it is unlikely in its current form. 2. The safelist need not include both headers. While we believe `tracestate` and `traceparent` are both valuable, it is possible to use `traceparent` without `tracestate` header. The `traceparent` header is a very restrictive format which would be significantly more difficult to abuse. 3. The primary concern is that the Trace Context specification is meant to be included on _all_ outgoing requests, whether the client controls the server or not. This means that requests that would ordinarily not have triggered a preflight request now will. This can cause requests to fail which would not have otherwise failed. There is no way to know in advance which requests these are. If the `traceparent` is not included on all outgoing requests the primary benefit of the header is lost. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/911#issuecomment-758892039
Received on Tuesday, 12 January 2021 19:44:19 UTC