Re: [whatwg/fetch] Add usage advice for Sec- (PR #1818)

martinthomson left a comment (whatwg/fetch#1818)

I don't know what you mean by reserved here.

If you mean reserved for this purpose (and not some other purpose), that is why we have IANA registries. The storage access headers appear to be [registered](https://www.iana.org/assignments/http-fields/http-fields.xhtml), so that's probably not it... (That's not true for a few other headers that others have started to use. Including `Sec-Fetch-*`, which is not great... calling @mikewest.)

Reserving a header for the exclusive use of a user agent is somewhat appealing as a user agent developer. You say "mine" and that's the end of the story. No further thought. But adopting that position as a default denies sites the option to use the header.

That's probably OK for `Sec-WebSocket-Key`, which is really only for browsers to use anyway.  `Sec-CH-*` doesn't meet that bar, `Sec-Purpose` doesn't, and nor does the `Sec-Fetch-Storage-Access` (which is a really, really long header name to be sending on EVERY request, by the way).  If a site believes that it has storage access and it doesn't or vice versa, then it might not work properly, but that's on the fool that sets the header to the wrong value.  There's no security-relevant decision riding on it being correct; those decisions are made based on the content of cookies.

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1818#issuecomment-2768000892

Received on Tuesday, 1 April 2025 03:33:05 UTC