- From: Simon Pieters <notifications@github.com>
- Date: Wed, 02 Apr 2025 02:38:05 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/1818/review/2735657469@github.com>
@zcorpan commented on this pull request.

> +<p class=note>There are a number of <a for=/>headers</a> that use the `<code>Sec-</code>` prefix for +legacy reasons. Consistency with these existing <a for=/>headers</a> is not a reason to use the +`<code>Sec-</code>` prefix for new <a for=/>headers</a>. + +<p id=sec-ch-no-sec class=example><a href=https://datatracker.ietf.org/doc/html/rfc8942>Client +hints</a> give a server the ability to adapt content. Making these <a>forbidden request-headers</a> +denies fetch callers the ability to access this adaptation capability unnecessarily. + +<p>The `<code>Sec-</code>` prefix has no purpose for <a for=/>headers</a> that are exclusively used +for <a for=/>responses</a>. Only consider the application of the `<code>Sec-</code>` prefix <a +for=/>headers</a> that are used in <a for=/>requests</a>. + +<p id=ws-sec-prefix class=example>The [:Sec-WebSocket-Accept:] <a>header</a> is a +<a for=/>response</a> <a>header</a> that is exclusively used for the +<a href=https://datatracker.ietf.org/doc/html/rfc6455#section-4>WebSocket handshake</a>. This +<a>header</a>has no need to use the `<code>Sec-</code>` prefix.

```suggestion
<a>header</a> has no need to use the `<code>Sec-</code>` prefix.
```

--
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1818#pullrequestreview-2735657469
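Review bot: The sentence "Only consider the application of the `<code>Sec-</code>` prefix <a for=/>headers</a> that are used in <a for=/>requests</a>", in the paragraph just above the `ws-sec-prefix` example, is missing a preposition after "prefix"; it should read "prefix to <a for=/>headers</a> that are used in <a for=/>requests</a>". In the `sec-ch-no-sec` example, "Making these <a>forbidden request-headers</a>" has no header as its antecedent, since the preceding sentence names client hints as a mechanism; naming the client hint headers explicitly would fix that. The trailing "unnecessarily" in the same sentence can also be read as modifying "access", so "unnecessarily denies fetch callers the ability to access this adaptation capability" would be clearer.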
Received on Wednesday, 2 April 2025 09:38:09 UTC