- From: Mike West <notifications@github.com>
- Date: Mon, 31 Mar 2025 23:19:00 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1818/review/2731172299@github.com>
@mikewest commented on this pull request. > +<p id=sec-connection class=example>A [:Connection:] <a>header</a> with a value of +`<code>close</code>` causes the server to close a connection after producing a +<a for=/>response</a>. This is not a capability that <a>fetch</a> is intended to enable, making this +a natural choice for a <a>forbidden request-header</a>. + +<p id=sec-ws-key class=example>The [:Sec-WebSocket-Key:] <a>header</a> is used on a +`<code>GET</code>` <a for=/>request</a> made during the WebSocket handshake. Using the +`<code>Sec-</code>` prefix for [:Sec-WebSocket-Key:] ensures that a server that does not check other +<a for=/>headers</a> (such as [:Upgrade:]) cannot be duped into +believing that a <a>fetch</a> is a WebSocket connection attempt. + +<p>Routine security checks can be aided as a result of having more accurate information, even if +there are cases where information might be spoofed by a malicious client. + +<p id=why-sec-fetch-dest-is-sec class=example>The [:Sec-Fetch-Dest:] <a>header</a> might be used in +<a for=/>requests</a> both without <a for=/>credentials</a>. The decisions that a server makes using Nit: "both without" seems like a typo? ```suggestion <a for=/>requests</a> both with or without <a for=/>credentials</a>. The decisions that a server makes using ``` 
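Review bot: the paragraph "Routine security checks can be aided as a result of having more accurate information, even if there are cases where information might be spoofed by a malicious client." sits between two class=example paragraphs but is not itself marked as an example and does not connect the spoofing caveat to the limit stated in the section's introduction (that the assurance only holds for requests an honest user agent could have produced). I'd suggest either giving it the same class as its neighbours or pointing back to that limit, e.g. "...spoofed by a malicious client that is not an honest user agent", so the caveat reads as part of the argument rather than as an aside. In the [:Sec-WebSocket-Key:] example, it would also help to say what property does the work: a server that skips the [:Upgrade:] check is protected only because a caller of fetch cannot set a Sec- header, which is exactly the guarantee this section defines.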
> @@ -9062,6 +9070,88 @@ done only by navigations). The <a>fetch controller</a> is also used to <a for=request>redirect mode</a> set to "<code>manual</code>". +<h3 id=sec-advice>Defining fields with a `<code>Sec-</code>` prefix</h3> + +<p>Fetch defines a set of <a>forbidden request-headers</a> and the `<code>Sec-</code>` prefix for +<a for=/>headers</a> that are intended to be exclusively generated by the user agent. Callers of +<a>fetch</a> cannot set these values when making requests. + +<p>This prohibition provides servers some assurance that a <em>browser</em> produced these +<a for=/>headers</a>. However, this assurance is limited to request that could only have been +generated by an honest user agent. Other types of application–including malicious browsers–can +provide any value for any <a>header</a>. + +<p>The use of <a>forbidden request-headers</a> are most useful where servers need to make security Nit: I'd suggest either the following, or replacing "are" with "is" (and "useful" with "helpful"?): ```suggestion <p><a>Forbidden request-headers</a> are most useful where servers need to make security ``` -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1818#pullrequestreview-2731172299 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/pull/1818/review/2731172299@github.com>
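Review bot: in "this assurance is limited to request that could only have been generated by an honest user agent" the noun should be plural, "requests", and the sentence would be clearer if it spelled out what the limit means for a server: the prohibition protects against web content running inside an honest browser, not against any client able to speak HTTP, which is what the following sentence ("Other types of application...can provide any value for any header") already implies. In that following sentence the dashes around "including malicious browsers" are en dashes glued to the words; commas, e.g. "Other types of application, including malicious browsers, can provide any value for any <a>header</a>.", would read more cleanly in the source.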
Received on Tuesday, 1 April 2025 06:19:04 UTC