- From: Espen Hovlandsdal <notifications@github.com>
- Date: Tue, 19 Nov 2024 12:14:42 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 19 November 2024 20:14:46 UTC
In https://github.com/whatwg/html/issues/689 the discussion seemed to land on allowing UTF-8 bytes except for 0x00, 0x0A, and 0x0D. This issue is about safelisting the header for cross-origin requests, but applying restrictions to it _beyond_ what was discussed in https://github.com/whatwg/html/issues/689.

In essence, a "safe" `last-event-id` header value going cross-origin needs to:

- Have less than 128 characters
- Not include any [CORS-unsafe request header bytes](https://fetch.spec.whatwg.org/#cors-unsafe-request-header-byte)

Questions:

1. Are we intending to change the HTML EventSource specification to have the same restrictions as the safelisted header rules? Or will same-origin EventSources have less restrictions?
2. What is the intended behavior when an EventSource server responds with an ID that does not conform to the safelisted header restrictions?
   **A.** Ignore the value?
   **B.** Dispatch an error and close?
   **C.** Use the value if same-origin but fail the request if cross-origin?

--
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/568#issuecomment-2486659968
Message ID: <whatwg/fetch/issues/568/2486659968@github.com>
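The gap between the two rules in the message above, as an added example that is not part of the original comment or of either specification: it classifies event IDs against the html#689 byte rule and against the proposed safelist rule, using the CORS-unsafe request-header byte list from the linked Fetch definition. The function and field names are hypothetical, the sample IDs are constructed, and counting the 128 limit in UTF-8 bytes is an assumption.

```javascript
// CORS-unsafe request-header bytes (Fetch): control bytes below 0x20 other
// than HT (0x09), DEL (0x7F), and the delimiters  " ( ) : < > ? @ [ \ ] { }
const UNSAFE_DELIMITERS = new Set([
  0x22, 0x28, 0x29, 0x3a, 0x3c, 0x3e, 0x3f, 0x40, 0x5b, 0x5c, 0x5d, 0x7b, 0x7d,
]);

function isCorsUnsafeByte(b) {
  return (b < 0x20 && b !== 0x09) || b === 0x7f || UNSAFE_DELIMITERS.has(b);
}

// Hypothetical helper: reports how one event ID fares under each rule.
function classifyLastEventId(id) {
  const bytes = new TextEncoder().encode(id); // header values travel as bytes
  // Rule from html#689 as summarised above: anything except NUL, LF, CR.
  const allowedByHtml689 = !bytes.some(
    (b) => b === 0x00 || b === 0x0a || b === 0x0d
  );
  // Distinct offending bytes, in order of first appearance.
  const unsafe = [...new Set(bytes.filter(isCorsUnsafeByte))];
  return {
    allowedByHtml689,
    // Proposed safelist rule: fewer than 128 (assumed: UTF-8 bytes) and
    // no CORS-unsafe request-header byte.
    safelisted: bytes.length < 128 && unsafe.length === 0,
    byteLength: bytes.length,
    unsafeBytes: unsafe.map((b) => "0x" + b.toString(16).padStart(2, "0")),
  };
}

// Constructed sample IDs of the kind a server might emit.
const samples = [
  "42",                    // passes both rules
  "2024-11-19T20:14:46Z",  // ':' is CORS-unsafe
  '{"offset":7}',          // JSON cursor: { " : } are CORS-unsafe
  "événement-7",           // non-ASCII bytes are not CORS-unsafe
  "a".repeat(128),         // too long for the safelist
];

for (const id of samples) {
  console.log(JSON.stringify(id.slice(0, 24)), classifyLastEventId(id));
}
```

IDs that are valid under the html#689 rule but fail the safelist check, such as ISO timestamps and JSON cursors, are the cases question 2 asks about.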