[whatwg/fetch] Add `Signature` to `CORS non-wildcard request-header name` (Issue #1819) from Mark Nottingham on 2025-04-01 (public-webapps-github@w3.org from April 2025)

From: Mark Nottingham <notifications@github.com>
Date: Tue, 01 Apr 2025 07:30:57 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1819@github.com>

mnot created an issue (whatwg/fetch#1819)

### What is the issue with the Fetch Standard?

[RFC 9421](https://httpwg.org/specs/rfc9421.html) defines the `Signature` header field. One of its use cases is signing requests, effectively acting as a credential. 

Because Fetch [automatically follows redirects](https://fetch.spec.whatwg.org/#http-redirect-fetch) and copies headers from the original request into the redirect request, this means that a signature will be sent cross-origin, exposing its contents to a third party server.

One use case we have for this is authenticating bots (like web crawlers) to sites. If a site can be configured to redirect to another one, this would allow the third party site to impersonate the bot to the original target site.

Adding `Signature` to `CORS non-wildcard request-header name` would mitigate this.

/cc @jricher

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1819
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1819@github.com>

Received on Tuesday, 1 April 2025 14:31:02 UTC