Re: [whatwg/fetch] CORS Content-Type "bypass" 2 (#838)

Yeah, that seems by far the most straightforward. I suppose the alternative would be something like this:

In https://fetch.spec.whatwg.org/#cors-safelisted-request-header under `content-type`, replace step 2-4 with:

1. Let _splitValues_ be the result of getting, decoding, and splitting `Content-Type` from « _header_ ». (This syntax is somewhat confusing maybe, but turns _header_ back into a header list, which "getting, decoding, and splitting" needs. An alternative might be to make "decode and split" its own algorithm separate from getting.)
2. If _splitValues_ is null, then return failure.
3. For each _splitValue_ of _splitValues_:
   1. Let _mimeType_ be the result of parsing _splitValue_.
   2. If _mimeType_ is failure, then return false.
   3. If _mimeType_’s essence is not "application/x-www-form-urlencoded", "multipart/form-data", or "text/plain", then return false.

https://github.com/whatwg/fetch/issues/838#issuecomment-925735636

Received on Thursday, 23 September 2021 11:46:01 UTC
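As an added example (not from the issue thread, the Fetch spec, or any browser), a JavaScript model of the proposed steps 2-4: the header value is split the way Fetch's "get, decode, and split" does (on commas outside quoted strings, operating on an in-memory string rather than header bytes), each piece goes through a simplified MIME type parser (an assumption: only type/subtype is recovered, parameters are ignored), and the header is accepted only if every essence is safelisted.

```javascript
// Safelisted essences from the Fetch spec's CORS-safelisted request-header check.
const SAFELISTED = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
// Split a raw header value on commas, skipping commas inside quoted strings,
// and trim HTTP tab/space from each piece, as Fetch's splitting step does.
function splitHeaderValue(value) {
  const values = [];
  let temp = "", i = 0;
  while (i < value.length) {
    const c = value[i];
    if (c === '"') {
      // Collect an HTTP quoted string, keeping quotes and backslash escapes.
      temp += c; i++;
      while (i < value.length && value[i] !== '"') {
        if (value[i] === "\\" && i + 1 < value.length) { temp += value[i]; i++; }
        temp += value[i]; i++;
      }
      if (i < value.length) { temp += value[i]; i++; }
    } else if (c === ",") {
      values.push(temp.replace(/^[\t ]+|[\t ]+$/g, ""));
      temp = ""; i++;
    } else {
      temp += c; i++;
    }
  }
  values.push(temp.replace(/^[\t ]+|[\t ]+$/g, ""));
  return values;
}
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Simplified MIME type parse (assumed sufficient for the essence check):
// returns the lowercased "type/subtype", or null on failure.
function parseMimeEssence(input) {
  const s = input.replace(/^[\t\n\r ]+|[\t\n\r ]+$/g, "");
  const slash = s.indexOf("/");
  if (slash < 1) return null;
  const type = s.slice(0, slash);
  const rest = s.slice(slash + 1);
  const semi = rest.indexOf(";");
  const subtype = (semi === -1 ? rest : rest.slice(0, semi)).replace(/[\t\n\r ]+$/, "");
  if (!TOKEN.test(type) || !TOKEN.test(subtype)) return null;
  return `${type}/${subtype}`.toLowerCase();
}
// Proposed steps 2-4: every split value must parse to a safelisted essence.
function isSafelistedContentType(headerValue) {
  for (const splitValue of splitHeaderValue(headerValue)) {
    const essence = parseMimeEssence(splitValue);
    if (essence === null || !SAFELISTED.has(essence)) return false;
  }
  return true;
}
```

A `boundary` parameter containing a comma stays inside one split value because the quoted string is collected whole, while a second, non-safelisted type after a comma makes the whole header fail the check.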