Re: [whatwg/fetch] Header to opt out of opaque redirect (#601)

> > Basically, the value of a Location header can be about as sensitive as an HttpOnly cookie
> 
> Hi @annevk Could you explain more about why the Location header is so sensitive?
> 
> In case of 302, the Location header contains the value of the **temporary** redirection, right? So I guess its value is not that security-critical.

Especially if it's same origin, absolutely not a security hole.

But there are implementations in the wild, so if the spec was changed to allow opt-in (or even just change the default implementation) we still cannot rely on the behaviour and there is no workaround. I'm afraid that this spec is basically worthless.

It's been over 4 years and this is still not "fixed"... the world has moved on and we work around the problem by sending other response status codes that do not have this arbitrary limitation.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/601#issuecomment-869321700

Received on Monday, 28 June 2021 03:24:21 UTC