[whatwg/fetch] Document the problem with cross-origin headers (#1186)

At various times it's suggested that `Sec-*` or other new headers should be able to bypass the CORS preflight requirement. The problem with this is that servers have limits on the total number of bytes used by headers, and the closer browser- and attacker-controlled headers get to this limit, the easier it would be to infer confidential information, such as cookies. (This is perhaps mitigated somewhat by partitioning, but the scopes are not the same, and partitioning for cookies is fiddly.)

#1000 contained some prior discussion on this. https://github.com/WICG/ua-client-hints/issues/155 also raises this.

https://github.com/whatwg/fetch/issues/1186

Received on Thursday, 4 March 2021 08:11:28 UTC