- From: Johann Hofmann <notifications@github.com>
- Date: Fri, 11 Apr 2025 18:16:18 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 12 April 2025 01:16:22 UTC
johannhof left a comment (whatwg/fetch#1818) > The threat model I documented is - at least in my view - a clearer one. That is, if a server needs to make a security-relevant decision with confidence that the value of the Sec--prefixed field came from the same place that the credentials did, then it is a good use of a forbidden header. @martinthomson I don't believe that it is possible to objectively and completely define "needs" and "security-relevant" in this sentence. One origin should just not be able to manipulate state that another origin expects to receive from the user agent, like permission state. I think I agree that there are cases where we can decide to make an explicit exception to this principle, maybe DPR is one of those, but that's the way we should approach this question, not the other way around. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1818#issuecomment-2798357053 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/pull/1818/c2798357053@github.com>
Received on Saturday, 12 April 2025 01:16:22 UTC