Re: [whatwg/fetch] Add HTTP OWS handling to single range header parsing (PR #1564) from Anne van Kesteren on 2022-12-12 (public-webapps-github@w3.org from December 2022)

From: Anne van Kesteren <notifications@github.com>
Date: Mon, 12 Dec 2022 00:41:10 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1564/review/1213079731@github.com>

@annevk commented on this pull request.

@jakearchibald @youennf @rayankans does any of you think this boolean is worth having for CORS? I think I'd rather allow whitespace in CORS for the `Range` header so we can keep `Range` header parsing consistent. In particular this would allow an arbitrary number of 0x09 and 0x20 after `bytes=`. I don't see the security benefit.

(We also use this parser for `blob:` URL requests and there we already allow whitespace.)

> @@ -1243,7 +1243,7 @@ run these steps:
 
 <div algorithm>
 <p>To <dfn id=simple-range-header-value>parse a single range header value</dfn> from a
-<a>byte sequence</a> <var>value</var>, run these steps:
+<a>byte sequence</a> <var>value</var> and a boolean <var>allowWhiteSpace</var>, run these steps:

If we keep this we should name this disallowWhitespace so it can default to false. Although as long as we don't export it we should probably keep it as a required argument.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1564#pullrequestreview-1213079731
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1564/review/1213079731@github.com>

Received on Monday, 12 December 2022 08:41:23 UTC