Re: [whatwg/fetch] Add `range` to CORS-safelisted request-headers (#1310) from Anson Chen on 2024-08-16 (public-webapps-github@w3.org from August 2024)

From: Anson Chen <notifications@github.com>
Date: Fri, 16 Aug 2024 05:02:46 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1310/2293381855@github.com>

Thanks @annevk ! So, CORS-safelisted request headers just mean that these headers don't need a preflight request?

In the MDN Web Docs, there's this description:
> mode: no-cors
> 
> The request must be a [simple request](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#simple_requests), which restricts the headers that may be set to [CORS-safelisted request headers](https://developer.mozilla.org/en-US/docs/Glossary/CORS-safelisted_request_header), and restricts methods to GET, HEAD, and POST.

It seems like this description misled me.

Even though there's no specification allowing this, it's still a bit strange.

If a request that doesn't require preflight is a simple request, and mode: no-cors requires the request to be a simple request, then by that logic, Range should be usable in no-cors requests, right?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1310#issuecomment-2293381855
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1310/2293381855@github.com>

Received on Friday, 16 August 2024 12:02:50 UTC