[whatwg/fetch] Add `Signature` to `CORS non-wildcard request-header name` (Issue #1819)

mnot created an issue (whatwg/fetch#1819)

### What is the issue with the Fetch Standard?

[RFC 9421](https://httpwg.org/specs/rfc9421.html) defines the `Signature` header field. One of its use cases is signing requests, effectively acting as a credential.

Because Fetch [automatically follows redirects](https://fetch.spec.whatwg.org/#http-redirect-fetch) and copies headers from the original request into the redirect request, a signature will be sent cross-origin, exposing its contents to a third-party server.

One use case we have for this is authenticating bots (like web crawlers) to sites. If a site can be configured to redirect to another one, this would allow the third party site to impersonate the bot to the original target site.

Adding `Signature` to `CORS non-wildcard request-header name` would mitigate this.

/cc @jricher
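The redirect behaviour described above, as an added example that is not part of the issue or of the Fetch Standard's own text: a small JavaScript model of the header-stripping step in HTTP-redirect fetch, with the proposed `Signature` entry assumed. The function `headersForRedirect`, the sample header values and the URLs are constructed for illustration.

```javascript
// Added example (not from the whatwg/fetch issue or the Fetch spec's text):
// models the step of Fetch's "HTTP-redirect fetch" that deletes each
// "CORS non-wildcard request-header name" from the request's header list
// when the redirect target is not same-origin with the current URL.

// "Authorization" is the list's current member; "Signature" is the addition
// proposed in the issue (assumption: modelled here as if it were adopted).
const CORS_NON_WILDCARD_CURRENT = ["authorization"];
const CORS_NON_WILDCARD_PROPOSED = ["authorization", "signature"];

function sameOrigin(a, b) {
  // WHATWG URL's .origin serialises scheme, host and port and normalises
  // default ports, so https://h/ and https://h:443/ compare equal.
  return new URL(a).origin === new URL(b).origin;
}

// Copies the request's headers (as a redirect does) and removes every listed
// header name when the redirect target is cross-origin. Header names are
// case-insensitive, so the Headers class handles "Signature" vs "signature".
function headersForRedirect(currentUrl, locationUrl, headers, nonWildcardNames) {
  const out = new Headers(headers);
  if (!sameOrigin(currentUrl, locationUrl)) {
    for (const name of nonWildcardNames) out.delete(name);
  }
  return out;
}

// Constructed sample request from a crawler signing per RFC 9421; the
// Signature and Authorization values are placeholders, not real credentials.
const sampleHeaders = {
  "Signature": "sig1=:PLACEHOLDER_BASE64_SIGNATURE:",
  "Authorization": "Bearer PLACEHOLDER_TOKEN",
  "Accept": "text/html",
};

// Compares what reaches a cross-origin redirect target under the current
// list and under the proposed list. Returns booleans rather than printing
// so the outcome can be checked programmatically.
function demo() {
  const cur = "https://origin.example/page";
  const cross = "https://third-party.example/landing";
  const today = headersForRedirect(cur, cross, sampleHeaders, CORS_NON_WILDCARD_CURRENT);
  const proposed = headersForRedirect(cur, cross, sampleHeaders, CORS_NON_WILDCARD_PROPOSED);
  return {
    signatureLeaksToday: today.has("signature"),      // true: Signature is forwarded
    signatureLeaksProposed: proposed.has("signature"), // false: stripped like Authorization
  };
}
```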

https://github.com/whatwg/fetch/issues/1819

Received on Tuesday, 1 April 2025 14:31:02 UTC