Re: [whatwg/fetch] No documentation on how a server must response to a wrong CORS-headers-request. (#1102) from Ross A. Baker on 2021-10-04 (public-webapps-github@w3.org from October 2021)

From: Ross A. Baker <notifications@github.com>
Date: Mon, 04 Oct 2021 09:26:07 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1102/933648420@github.com>

Thanks, @annevk.  So there shouldn't be any security concern with an implementation returning CORS response headers even when one of the `Access-Control-Request-Headers` values is not allowed, or when the `Access-Control-Request-Method` method is not allowed.  It's just a hint to the server that's most helpful in the case of unbounded allowed values.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1102#issuecomment-933648420

Received on Monday, 4 October 2021 16:26:20 UTC