- From: Guohui Deng <notifications@github.com>
- Date: Sat, 08 Mar 2025 15:16:22 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Saturday, 8 March 2025 23:16:26 UTC
guohuideng2024 left a comment (whatwg/fetch#1796)

> > > I think it should be specified here as that matches how we do MIME types and that reduces the chances of someone inadvertently exposing the information. In other words: the guarantee should come from Fetch, not from the caller.
> > > > > > The "raw" contentEncoding value can be arbitrary proprietary compression the app uses, and it's leaked as a response header.
> > So it's indeed a new communication channel that's created :(.
> > Meanwhile I think moving the filtering here guarantees that the only place where the raw `contentEncoding` is leaked is the fetch response header. I would say something here that contentEncoding is filtered when accessed anywhere else.
> > If there is any concern pls let me know. Thanks.
> > Specifically, it needs to be explicitly filtered when assigned to the response body into struct.

Got it, Thanks! I updated the PR accordingly.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1796#issuecomment-2708530201
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1796/c2708530201@github.com>