[whatwg/fetch] CORS-safelisting particular client hints (Issue #1383) from Eric Portis on 2022-01-19 (public-webapps-github@w3.org from January 2022)

From: Eric Portis <notifications@github.com>
Date: Wed, 19 Jan 2022 10:14:59 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1383@github.com>

Now that [there is not a generic safelist carve-out for all `Sec-`-prefixed request headers](https://github.com/whatwg/fetch/pull/1000), we will need to safelist individual client hints as they become part of the platform.

I believe the best list of current hints is in [Client Hints Infrastructure](https://wicg.github.io/client-hints-infrastructure/#find-client-hint-value-section). These are at various stages of consensus/maturity; none of them are currently implemented anywhere besides Chrome. Chrome does not preflight when adding any of them.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1383
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1383@github.com>

Received on Wednesday, 19 January 2022 18:15:11 UTC