[whatwg/fetch] Add `Prefer: safe` HTTP header (Issue #1891) from bvandersloot-mozilla on 2025-12-01 (public-webapps-github@w3.org from December 2025)

From: bvandersloot-mozilla <notifications@github.com>
Date: Mon, 01 Dec 2025 11:21:42 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1891@github.com>

bvandersloot-mozilla created an issue (whatwg/fetch#1891)

### What problem are you trying to solve?

Users may not want to have objectionable content displayed in their browser. Two browsers (Firefox and Edge) consume OS signals for web content restriction and convey this information to websites as the user browses via the `Prefer` HTTP header (RFC 8674). 

### What solutions exist today?

Content labeling, e.g. the `<meta name="rating" content="adult">` as proposed [for HTML](https://github.com/whatwg/html/issues/11722) is one approach for this functionality. 

Currently, governments seem to be turning toward cryptographic proofs of age from digital credentials to make similar use cases work. Even with fancy crypto, there are significant privacy risks

### How would you solve it?

Currently the spec has the following step

20. Modify httpRequest’s [header list](https://fetch.spec.whatwg.org/#concept-request-header-list) per HTTP. Do not [append](https://fetch.spec.whatwg.org/#concept-header-list-append) a given [header](https://fetch.spec.whatwg.org/#concept-header) if httpRequest’s [header list](https://fetch.spec.whatwg.org/#concept-request-header-list) [contains](https://fetch.spec.whatwg.org/#header-list-contains) that [header](https://fetch.spec.whatwg.org/#concept-header)’s [name](https://fetch.spec.whatwg.org/#concept-header-name).

I'd propose appending the following test before that step:

"If the user agent has a signal, either from the user directly or the operating system, that the user prefers that the server not respond with content that is designated as objectionable according to the server's definition of the concept, append (`Prefer`, `safe`) to `httpRequest`'s `header list`</a>.

We would also need to make it clear that these steps are exclusive operations. This is probably the right interpretation since RFC 8674 is informational.

### Anything else?

_No response_

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1891
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1891@github.com>

Received on Monday, 1 December 2025 19:21:46 UTC