Re: [whatwg/fetch] Prevent cross-origin sensitive header probing (PR #1434)

@arichiv commented on this pull request.

> @@ -2864,6 +2914,33 @@ run these steps:
  <li><p>Return <b>allowed</b>.
 </ol>
 
+<h3 dfn export lt="header size is over cors limit" id=header-size-is-over-cors-limit>
+Header size is over CORS limit</h3>
+
+Note: The goal of this algorithm is to prevent cross-origin requests from probing the size of sensitive <a for=/>header</a>s
+(`<a http-header><code>Authorization</code></a>` or `<a http-header><code>Cookie</code></a>`) by adding <a for=/>header</a>s
+to cross-site requests until the total size of all HTTP request <a for=/>header</a>s exceeds the server side limit. If this
+algorithm returns true, the <a>CORS-preflight request</a> must be run. In order for this approach to succeed, servers should
+not set a HTTP request <a for=/>header</a>s size limit below 8KB.
+
+<p>Run these steps on the provided <var>request</var>:
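Review bot: the Note in this hunk carries normative language ("the CORS-preflight request must be run") and a server requirement ("servers should not set ... below 8KB"), but Notes are non-normative; move the "must run a preflight when this returns true" requirement into the calling step in the CORS-preflight section and the server-side guidance into normative text, leaving the Note as a description of intent only. While there, "a HTTP request headers size limit" should read "an HTTP request header size limit", and "8KB" should be stated as an exact byte count so the threshold the algorithm checks and the advice to servers cannot drift apart.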

I thought I was defining it here with the header above the note and calling it below in the CORS Preflight section; am I missing something?

https://github.com/whatwg/fetch/pull/1434#discussion_r888076395
Received on Thursday, 2 June 2022 15:22:00 UTC