Re: [whatwg/fetch] Prevent cross-origin sensitive header probing (PR #1434)

Is the proposal to make CORS depend on Cookie and Authorization header? Did you have an implementation in mind? I also don't see how that could work in, say, Chromium. Authorization headers are especially fun because HTTP auth can cause a single high-level request to actually contact the server multiple times. (Some auth methods may require several requests.) And then the HTTP stack might itself add other headers like If-None-Match for caching, etc. Caching, for that matter, can also require multiple requests in some cases.

I suspect limits for headers applied deep in HTTP would need to be applied separately, and you wouldn't be able to use preflights as an escape hatch. I think they'd have to be hard limits. And then the value servers need to set would be the sum of every layer's limits.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1434#issuecomment-1268626398

Received on Wednesday, 5 October 2022 15:58:52 UTC