- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 03 Jan 2023 00:02:44 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1584/review/1234187185@github.com>
@annevk commented on this pull request.

Thanks, looks good modulo nit. I guess you might have to rebase to avoid the implementation-defined issue.

> + <p class="note">We can safely use filtered response here as the opt-in to protect + `<code>Server-Timing</code>` responses is `<code>Timing-Allow-Origin</code>`.

```suggestion
<p class=note>Using _response_'s <a for="filtered response">internal response</a> is safe as exposing `<code>Server-Timing</code>` header data is guarded through the `<code>Timing-Allow-Origin</code>` header.
```

> @@ -4621,7 +4621,11 @@ steps: <a for="fetch params">request</a>'s <a for=request>client</a> is a <a>secure context</a>, then set <var>timingInfo</var>'s <a for="fetch timing info">server-timing headers</a> to the result of <a for="header list">getting, decoding, and splitting</a> `<code>Server-Timing</code>` - from <var>response</var>'s <a for=response>header list</a>. + from <var>response</var>'s <a for="filtered response">internal response</a>'s + <a for=response>header list</a>.

We're sure _response_ is always a filtered response at this point, right?
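Review bot: The added `<p class="note">` says "use filtered response", but the changed step reads the header list of the filtered response's internal response, so the note names the wrong object. The only condition visible on the step is that the request's client is a secure context, so the note should also point to where the `Timing-Allow-Origin` check is applied. Otherwise a reader cannot verify from this step that unfiltered `Server-Timing` data stays gated.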
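Review bot: The new `+` lines read `<a for="filtered response">internal response</a>` from <var>response</var> without anything in the visible step establishing that <var>response</var> is a filtered response. Internal response is only defined for a filtered response, so the step should either assert that <var>response</var> is one or say which header list is used when it is not. As written, an unfiltered response reaching this step leaves the read undefined.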
Received on Tuesday, 3 January 2023 08:02:56 UTC