Re: [w3c/ServiceWorker] CORS preflight for static import in a module service worker (#1574)

1. Do we still need this header now that we have `Sec-Fetch-Dest: serviceworker`? Or do these get `Sec-Fetch-Dest: script` as they are dependencies?
2. I think technically this is allowed by Fetch as Service Workers does not set request's unsafe-request flag, but that flag is kinda bad and doesn't really make sense from the same-origin policy perspective.
3. I've tried to get a similar issue resolved for `EventSource` without much luck (though see 4): https://github.com/whatwg/fetch/issues/568.
4. Adding it to the safelist would allow developers to use other values for this header, I'm not sure that's what we want. And even if we did want it, we'd probably want to restrict the value space somewhat, similar to what we do for other safelisted headers. It would have been good if this header had used the `Sec-` prefix as we generally do for new cross-origin request headers.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1574#issuecomment-801123963

Received on Wednesday, 17 March 2021 14:26:12 UTC