- From: Anne van Kesteren <notifications@github.com>
- Date: Mon, 27 Sep 2021 05:52:21 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 27 September 2021 12:52:34 UTC
The problem with allowing more headers is that we get closer to server limits which in turn might result in certain security issues. See the recent discussion in https://github.com/w3c/webappsec-cspee/issues/22. We still have room in that the total header value cap for CORS is 1024, but in practice only 128 is allowed for each of the four headers, but it does make me nervous.

The other question of course is whether 128 is sufficient for `Range`, but from what I've seen I think it is. (Fast forward two decades and folks will make fun of this comment, I'm sure.)

--
View it on GitHub: https://github.com/whatwg/fetch/issues/1310#issuecomment-927842498