- From: Noam Rosenthal <notifications@github.com>
- Date: Wed, 04 Jun 2025 13:50:06 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 4 June 2025 20:50:10 UTC
noamr left a comment (w3ctag/design-reviews#1064)

> Is there any reason not to include the value of the header? Why is this being mutated this way? Is the concern that this could encode a cookie or something like that? Isn't that something that you can do with the URL anyway?
>
> (This is a list of tokens, so it should probably be a JSON array of strings.)

Yea, it's a policy for not introducing side-channels of arbitrary information that cross-origin resources can use to communicate to script. In this case, a cross-origin resource without script access (e.g. due to CSP) can write arbitrary information into `Content-Encoding`, and a different cross-origin resource with script access can read it. How would you do this with a URL?

--
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/1064#issuecomment-2941416508
Message ID: <w3ctag/design-reviews/issues/1064/2941416508@github.com>
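The "mutation" discussed above, as an added illustration that is not code from the thread or from any specification: the header is parsed as an HTTP token list and every member is mapped onto a fixed allowlist, so a resource cannot smuggle arbitrary bytes to script through the exposed value. The allowlist, the `unknown` token and the rule that multi-member lists collapse to `unknown` are assumptions made for this example.

```javascript
// Added example, not from the thread. Allowlist and collapse rule are
// assumptions for illustration; a real spec may choose a different set.
const KNOWN_ENCODINGS = new Set(["identity", "gzip", "deflate", "br", "zstd"]);
const UNKNOWN = "unknown";

// Parse a Content-Encoding field value as an HTTP list: split on commas,
// trim whitespace, drop empty members, compare case-insensitively.
function parseEncodingList(headerValue) {
  if (headerValue === null || headerValue === undefined) return [];
  return headerValue
    .split(",")
    .map((token) => token.trim().toLowerCase())
    .filter((token) => token.length > 0);
}

// Per-member sanitisation: each member outside the allowlist becomes the
// fixed UNKNOWN token, so the raw bytes of the header are never echoed.
// The member count is still observable, which is why a stricter variant
// (below) exposes only a single token.
function sanitizeContentEncoding(headerValue) {
  return parseEncodingList(headerValue).map((token) =>
    KNOWN_ENCODINGS.has(token) ? token : UNKNOWN
  );
}

// Strict variant: expose exactly one token. An absent or empty header is
// reported as "identity"; a single known coding is reported as-is; anything
// else (unknown coding, or more than one coding) collapses to UNKNOWN so the
// channel carries at most log2(|KNOWN_ENCODINGS| + 1) bits per response.
function exposedContentEncoding(headerValue) {
  const members = parseEncodingList(headerValue);
  if (members.length === 0) return "identity";
  if (members.length === 1 && KNOWN_ENCODINGS.has(members[0])) return members[0];
  return UNKNOWN;
}
```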