- From: Mark Nottingham <notifications@github.com>
- Date: Tue, 01 Apr 2025 07:30:57 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 1 April 2025 14:31:02 UTC
mnot created an issue (whatwg/fetch#1819)

### What is the issue with the Fetch Standard?

[RFC 9421](https://httpwg.org/specs/rfc9421.html) defines the `Signature` header field. One of its use cases is signing requests, effectively acting as a credential. Because Fetch [automatically follows redirects](https://fetch.spec.whatwg.org/#http-redirect-fetch) and copies headers from the original request into the redirect request, this means that a signature will be sent cross-origin, exposing its contents to a third-party server.

One use case we have for this is authenticating bots (like web crawlers) to sites. If a site can be configured to redirect to another one, this would allow the third-party site to impersonate the bot to the original target site.

Adding `Signature` to `CORS non-wildcard request-header name` would mitigate this.

/cc @jricher

--
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1819
You are receiving this because you are subscribed to this thread.
Message ID: <whatwg/fetch/issues/1819@github.com>
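The following is an added illustration, not code from the issue or from the Fetch Standard: a small model of the header-stripping step in HTTP-redirect fetch, showing how listing `Signature` alongside `Authorization` in the "CORS non-wildcard request-header name" set keeps a request signature from being copied onto a cross-origin redirect. The header list, the sample bot headers and the site names are constructed assumptions for the demo.

```javascript
// Assumption: Fetch's "CORS non-wildcard request-header name" set currently
// contains `Authorization`; `Signature` is added here to model the change
// proposed in whatwg/fetch#1819. Names are compared case-insensitively.
const CORS_NON_WILDCARD_REQUEST_HEADER_NAMES = ["authorization", "signature"];

// Same-origin check on scheme, host and port, as the URL API's `origin` does.
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Model of the redirect step: headers are copied onto the redirect request,
// except that on a cross-origin hop every name in the non-wildcard set is
// dropped so a credential-bearing header never reaches the third-party origin.
function headersForRedirect(headers, fromUrl, locationUrl) {
  const crossOrigin = !sameOrigin(fromUrl, locationUrl);
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (crossOrigin && CORS_NON_WILDCARD_REQUEST_HEADER_NAMES.includes(lower)) {
      continue; // stripped: would otherwise let the redirect target replay it
    }
    forwarded[lower] = value;
  }
  return forwarded;
}

// Constructed sample: a crawler signs its request to site A (RFC 9421 style
// Signature-Input / Signature pair); site A then redirects to site B.
const botRequestHeaders = {
  "Signature-Input": 'sig1=("@method" "@authority");keyid="bot-key";created=1743517800',
  "Signature": "sig1=:PLACEHOLDER_BASE64_SIGNATURE:",
  "User-Agent": "ExampleBot/1.0",
};

// Returns what each kind of redirect would forward, for inspection.
function demo() {
  const crossOrigin = headersForRedirect(
    botRequestHeaders, "https://site-a.example/", "https://site-b.example/");
  const sameOriginHop = headersForRedirect(
    botRequestHeaders, "https://site-a.example/", "https://site-a.example/login");
  return { crossOrigin, sameOriginHop };
}

console.log(JSON.stringify(demo(), null, 2));
```

Note that `Signature-Input` is still forwarded in this model because the issue proposes listing only `Signature`; on its own it carries no secret, but a deployment may choose to strip both.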