Re: [whatwg/fetch] Return a `content-encoding` header for resource timing and more (PR #1796)

guohuideng2024 left a comment (whatwg/fetch#1796)

> I think it should be specified here as that matches how we do MIME types and that reduces the chances of someone inadvertently exposing the information. In other words: the guarantee should come from Fetch, not from the caller.

The "raw" contentEncoding value can be an arbitrary proprietary compression the app uses, and it's leaked as a response header.
So it's indeed a new communication channel that's created :(.

Meanwhile I think moving the filtering here guarantees that the only place where the raw `contentEncoding` is leaked is the fetch response header. I would say something here that contentEncoding is filtered when accessed anywhere else.

If there is any concern, please let me know. Thanks.
 

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1796#issuecomment-2704237066

Message ID: <whatwg/fetch/pull/1796/c2704237066@github.com>

Received on Thursday, 6 March 2025 15:49:55 UTC