Re: [whatwg/fetch] Document the problem with cross-origin headers (#1186) from Jonathan Hao on 2024-01-15 (public-webapps-github@w3.org from January 2024)

From: Jonathan Hao <notifications@github.com>
Date: Mon, 15 Jan 2024 06:45:23 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1186/1892308390@github.com>

Another problem we ran into when trying to implement [Private Network Access](https://github.com/WICG/private-network-access) for navigation requests is that we would need to send preflight requests before navigating to a less-public IP address space.  Navigation requests usually come with a long `Accept` header that would fail the 128 character length limit for safelisted headers.

I couldn't find any straightforward way to get around this other than adjusting the 128 limit to something larger say 256 globally.  Would this make attacking a lot easier?  Only exempting requests to less-public IP address space doesn't look easy as it might be complicated to pass this information down to the algorithms that determine the safelisted-ness.  Is there another way to get around this restriction?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1186#issuecomment-1892308390
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1186/1892308390@github.com>

Received on Monday, 15 January 2024 14:45:29 UTC