Re: [whatwg/fetch] Add usage advice for Sec- (PR #1818)

johannhof left a comment (whatwg/fetch#1818)

I agree with Anne's point about sending new headers across origins being an SOP issue and I like that this formulates a clear objective rule to follow here.

I think it also makes it more clear to me what made me uneasy about this PR - it tries to impose a subjective decision upon browser developers to take their best guess on whether or not their header could be security relevant - with a bias towards not adding the `Sec-` prefix, i.e. the less secure path, which seems like the inverse of how these kinds of security-related decisions should be made.

@martinthomson it would be good if you could clearly formulate your reasons for wanting to stop people from "cargo-culting" on `Sec-`. Is it about the extra bytes? If that is a concern, we should have a fundamental and data-informed discussion about the impact of larger header names and how we could define clear rules to keep them smaller, such as deprecating `Sec-` in favor of adding new headers to the [forbidden request header list](https://fetch.spec.whatwg.org/#forbidden-request-header). As I pointed out, I believe there is real value in having a separate header namespace reserved for user agents, but I'm not married to that idea if there is value in abandoning it.

From a security standpoint, there should be clear rules though, and I support the threat model that Anne puts forward here.

Message ID: <whatwg/fetch/pull/1818/c2779567376@github.com>

Received on Friday, 4 April 2025 19:23:34 UTC