Re: [w3ctag/design-reviews] Distributed Tracing WG: Baggage specification (#650)

> For the baggage header, the user-agent will not do anything other than send the header.

This on its own is concerning security-wise and should be covered in the spec and explainer. For example, what happens on cross-origin requests (e.g. those made in `no-cors` mode): would the baggage header be included? How should cross-origin redirects be handled?  

I think a conceptually simple way to address this could be to guarantee that the baggage header can only be attached on requests that are same-origin to the response that included the baggage information. The spec already mentions that baggage data "does not leak beyond defined trust boundaries" but my guess is that the folks working on this need to put a little more thought into how this would work on the web.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/650#issuecomment-884692993

Received on Thursday, 22 July 2021 06:52:07 UTC
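
The same-origin rule proposed in the comment above, sketched as an added example that is not part of the original message or of the Baggage specification. The function names, the sample URLs and the choice to never re-attach baggage once a redirect chain has left the origin are assumptions of this sketch.

```javascript
// Added illustration; helper names are hypothetical, not from the Baggage spec.

// Serialized origin (scheme, host, port). Opaque origins such as data: or
// file: URLs serialize to the string "null".
function originOf(url) {
  return new URL(url).origin;
}

// Baggage learned from a response at `baggageSourceUrl` may be attached to a
// request for `requestUrl` only when both share the same origin.
function mayAttachBaggage(baggageSourceUrl, requestUrl) {
  const src = originOf(baggageSourceUrl);
  const dst = originOf(requestUrl);
  // Two opaque origins both serialize to "null" but must never match.
  if (src === "null" || dst === "null") return false;
  return src === dst;
}

// Compute the headers sent at each hop of a redirect chain.
// Assumption: once any hop is cross-origin, the chain is treated as tainted
// and baggage is not re-attached, even if a later hop returns to the origin.
function headersAlongRedirects(baggageSourceUrl, baggage, redirectChain) {
  let tainted = false;
  return redirectChain.map((hopUrl) => {
    const headers = {};
    if (!tainted && mayAttachBaggage(baggageSourceUrl, hopUrl)) {
      headers.baggage = baggage;
    } else {
      tainted = true;
    }
    return { url: hopUrl, headers };
  });
}

// Constructed sample: baggage set by app.example, request redirected away
// to another origin and then back again.
const hops = headersAlongRedirects(
  "https://app.example/api/session",
  "userId=alice",
  [
    "https://app.example/start",
    "https://other.example/hop",
    "https://app.example/final",
  ]
);
for (const hop of hops) {
  console.log(hop.url, "baggage" in hop.headers ? "baggage sent" : "baggage withheld");
}
```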