Re: [whatwg/fetch] Add usage advice for Sec- (PR #1818)

@martinthomson commented on this pull request.

> +
+
+<h4 id=sec-not-ok>Reasons not to use a `<code>Sec-</code>` prefix</h4>
+
+<p>That a <a>header</a> value might be needed to answer a <a>CORS-preflight request</a> is
+<em>not</em> a sufficient reason to use a `<code>Sec-</code>` prefix; all <a>CORS-preflight
+requests</a> include [:Access-Control-Request-Method:], which is [=forbidden
+request-headers|forbidden=]. Any <a for=/>headers</a> that a fetch caller sets will not be set on a
+<a>CORS-preflight request</a> made by an honest user agent; instead, these are listed in
+[:Access-Control-Request-Headers:].
+
+<p id=sec-purpose-no-sec class=example>The [:Sec-Purpose:] field tells a server that a
+<a for=/>request</a> is speculative. A server might choose to avoid triggering side-effects while
+processing such a request, such as suppressing the recording of page view metrics. Making this a
+<a>forbidden request-header</a> has no security-relevant purpose and the `<code>Sec-</code>` prefix
+is therefore unnecessary.
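Review bot: the `sec-purpose-no-sec` example asserts that forbidding [:Sec-Purpose:] "has no security-relevant purpose" without showing the reasoning, which is the very test the section is meant to teach; state what a page-controlled value could cause (on the text's own terms, the worst case is a server suppressing page view metrics for a request that was not speculative) and that this harms nobody, so a reader can apply the same test to the next proposed header. The first paragraph would also be clearer if it said what "an honest user agent" excludes: a forbidden name constrains script running in a conforming user agent, not a client that sends whatever headers it likes.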

Yes, I traced the origin of Sec-Purpose to that thread.  You do not establish a reason for it being forbidden, but instead assume that to be the case.  If there were a risk that a server might be confused by the presence of the field, that would have been obvious.  That case was not made, only asserted without evidence.

Sending new headers has to be safe in HTTP.  We routinely add new headers in the IETF and have not encountered significant problems from having done so.  Obviously, there is always a risk of collision, but we have things like the HTTP archive to aid in identifying potential conflicts.  The point about preflight is only relevant if there is a) a conflict, b) a security-relevant decision being made that relies on the values being correct, and c) a resource that has harmful side effects on requests that are not already subject to preflight.  That's a pretty tight set of conditions.

I can make a clear case for Sec-Fetch-Dest as it pertains to JSONP (perhaps) and maybe some forms of script inclusion. That clearly justifies the use of a prefix.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1818#discussion_r2039833230

Message ID: <whatwg/fetch/pull/1818/review/2760807980@github.com>

Received on Friday, 11 April 2025 15:50:47 UTC
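The Sec-Fetch-Dest case raised in the reply above, as an added example that is not part of the PR, the Fetch spec, or the reply (JavaScript, runs under Node.js 18+). It models what an honest user agent does with page-supplied headers (forbidden names dropped, Fetch Metadata derived from the real request context, custom names only announced in Access-Control-Request-Headers on a preflight) and a server policy that can rely on Sec-Fetch-* only because of that. The forbidden-name list is the spec's list simplified (the X-HTTP-Method override rule is omitted); the request contexts, sample headers and the server policy are constructed for illustration.

```javascript
// Added example: not code from whatwg/fetch or from the Fetch spec.
// Node.js 18+. Models an honest user agent's handling of page-supplied
// headers and a server that trusts Sec-Fetch-* because of it. The sample
// headers, request contexts and server policy below are constructed.

// Forbidden request-header names from the Fetch spec plus the Proxy- and
// Sec- prefix rule. Simplified: the spec also forbids the X-HTTP-Method,
// X-HTTP-Method-Override and X-Method-Override headers for CONNECT/TRACE/TRACK.
const FORBIDDEN_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "set-cookie", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

function isForbiddenRequestHeaderName(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_NAMES.has(n) || n.startsWith("proxy-") || n.startsWith("sec-");
}

// Honest user agent: a Headers object with guard "request" silently drops
// forbidden names, then Fetch Metadata is attached from the real context
// ({ destination, mode, site } as the UA knows them), never from the page.
function buildRequestHeaders(pageHeaders, context) {
  const out = {};
  for (const [name, value] of Object.entries(pageHeaders)) {
    if (isForbiddenRequestHeaderName(name)) continue; // page cannot set these
    out[name.toLowerCase()] = value;
  }
  out["sec-fetch-dest"] = context.destination;
  out["sec-fetch-mode"] = context.mode;
  out["sec-fetch-site"] = context.site;
  return out;
}

// CORS-safelisted request-header names (value restrictions omitted). Any other
// page-supplied name is announced in Access-Control-Request-Headers; the
// preflight itself never carries the page's headers.
const CORS_SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

function buildPreflightHeaders(method, pageHeaders, context) {
  const unsafe = Object.keys(pageHeaders)
    .map((n) => n.toLowerCase())
    .filter((n) => !isForbiddenRequestHeaderName(n) && !CORS_SAFELISTED.has(n))
    .sort();
  const preflight = {
    "access-control-request-method": method, // always present on a preflight
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
    "sec-fetch-site": context.site,
  };
  if (unsafe.length > 0) preflight["access-control-request-headers"] = unsafe.join(",");
  return preflight;
}

// Server side: a constructed resource-isolation policy for a JSON endpoint that
// must not be pulled in cross-site as a script (JSONP-style inclusion). Clients
// without Fetch Metadata are allowed through deliberately (fail open) so that
// non-browser API clients keep working.
function serverAllows(headers) {
  const site = headers["sec-fetch-site"];
  if (site === undefined) return true;
  if (site !== "cross-site") return true;
  if (headers["sec-fetch-dest"] === "script") return false; // cross-site <script src>
  return headers["sec-fetch-mode"] === "cors"; // response is then CORS-gated
}

// Scenario: page script tries to spoof Sec-Fetch-Dest on a cross-site fetch().
const pageHeaders = { "Sec-Fetch-Dest": "script", "X-Requested-With": "fetch" };
const crossSiteFetch = { destination: "empty", mode: "cors", site: "cross-site" };
const scriptInclude = { destination: "script", mode: "no-cors", site: "cross-site" };

function demo() {
  const actual = buildRequestHeaders(pageHeaders, crossSiteFetch);
  const preflight = buildPreflightHeaders("POST", pageHeaders, crossSiteFetch);
  return {
    spoofDropped: actual["sec-fetch-dest"] === "empty",
    customOnlyAnnounced: !("x-requested-with" in preflight)
      && preflight["access-control-request-headers"] === "x-requested-with",
    fetchAllowed: serverAllows(actual),
    scriptIncludeAllowed: serverAllows(buildRequestHeaders({}, scriptInclude)),
  };
}

console.log(demo());
```

The server check is only as good as the guarantee in `buildRequestHeaders`: the policy works because a conforming user agent refuses the page's "Sec-Fetch-Dest: script", not because the server parses the header carefully. A non-browser client can send any of these names, which is why the policy fails open when they are absent rather than treating their presence as proof of anything beyond what the browser asserts.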