- From: Dan Robertson <notifications@github.com>
- Date: Sat, 17 Dec 2022 10:55:52 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 17 December 2022 18:56:04 UTC
> @jakearchibald @youennf @rayankans does any of you think this boolean is worth having for CORS? I think I'd rather allow whitespace in CORS for the `Range` header so we can keep `Range` header parsing consistent. In particular this would allow an arbitrary number of 0x09 and 0x20 after `bytes=`. I don't see the security benefit. > > (We also use this parser for `blob:` URL requests and there we already allow whitespace.) I've tested Blink and WebKit and both disallow the whitespace allowed in HTTP-RANGE as tested [here](https://github.com/web-platform-tests/wpt/pull/37569). Would it make sense to remove the boolean, but add a note that some implementations don't allow this optional whitespace? -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1564#issuecomment-1356385155 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/pull/1564/c1356385155@github.com>
Received on Saturday, 17 December 2022 18:56:04 UTC