Re: [whatwg/fetch] Return a `content-encoding` header for resource timing and more (PR #1796)

noamr left a comment (whatwg/fetch#1796)

> > I think it should be specified here as that matches how we do MIME types and that reduces the chances of someone inadvertently exposing the information. In other words: the guarantee should come from Fetch, not from the caller.
> 
> The "raw" contentEncoding value can be arbitrary proprietary compression the app uses, and it's leaked as a response header.
> So it's indeed a new communication channel that's created :(.
> 
> Meanwhile I think moving the filtering here guarantees that the only place where the raw `contentEncoding` is leaked is the fetch response header. I would say something here that contentEncoding is filtered when accessed anywhere else.
> 
> If there is any concern pls let me know. Thanks.
>  

Specifically, it needs to be explicitly filtered when assigned to the response body info struct.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1796#issuecomment-2705868336

Message ID: <whatwg/fetch/pull/1796/c2705868336@github.com>

Received on Friday, 7 March 2025 08:48:30 UTC