Re: [whatwg/fetch] Add `Last-Event-ID` to CORS-safelisted request headers (PR #1788)

rexxars left a comment (whatwg/fetch#1788)

One thing I realized while implementing this in browsers:

The EventSource spec says to set `Cache-Control` to `no-cache`. Since this is not a safelisted CORS header and you change the preflight policy to "consider", it leads to browsers performing a preflight request with `access-control-request-headers: cache-control`. If they later get an unsafe `last-event-id`, another preflight is done, this time with `access-control-request-headers: cache-control, last-event-id`. This is probably not what we want - we should treat `cache-control` (from EventSource) as "safe".

In the Gecko codebase this was fairly easy to implement since you manually have to tell it which headers to consider. In WebKit and Chromium however, you only set the preflight policy to `consider` and the network layer takes care of the rest. This is tidier from a code perspective, but makes this change harder. I am not quite sure how to best go about making this change - maybe there needs to be a way to set headers that are "safe", CORS-wise, on a request? 🤔 

-- 
https://github.com/whatwg/fetch/pull/1788#issuecomment-2742546936

Message ID: <whatwg/fetch/pull/1788/c2742546936@github.com>

Received on Friday, 21 March 2025 07:18:29 UTC
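To make the two-preflight behaviour described in the comment concrete, here is an added example (not code from the PR, the Fetch spec or any browser engine) that models the Fetch spec's CORS-safelisted request-header check and the CORS-unsafe request-header names algorithm. The value rule for `last-event-id` and the per-request `requestSafe` override (the "treat cache-control as safe" idea) are assumptions made for illustration.

```javascript
// Bytes the Fetch spec calls "CORS-unsafe request-header bytes", besides controls < 0x20 (except TAB).
const UNSAFE_BYTES = new Set([0x22, 0x28, 0x29, 0x3a, 0x3c, 0x3e, 0x3f, 0x40,
                              0x5b, 0x5c, 0x5d, 0x7b, 0x7d, 0x7f]);
const SAFE_MIME = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];

// Header values are treated as byte strings (one char per byte).
function hasCorsUnsafeByte(value) {
  for (let i = 0; i < value.length; i++) {
    const b = value.charCodeAt(i);
    if ((b < 0x20 && b !== 0x09) || UNSAFE_BYTES.has(b)) return true;
  }
  return false;
}

// CORS-safelisted request-header check (name already lowercased).
// `last-event-id` is the header this PR adds; its value rule here is an assumption.
function isCorsSafelisted(name, value) {
  if (value.length > 128) return false;
  switch (name) {
    case 'accept': return !hasCorsUnsafeByte(value);
    case 'accept-language':
    case 'content-language': return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case 'content-type':
      return !hasCorsUnsafeByte(value) && SAFE_MIME.includes(value.split(';')[0].trim().toLowerCase());
    case 'range': return /^bytes=\d+-\d*$/.test(value); // simplified single-range check
    case 'last-event-id': return !hasCorsUnsafeByte(value); // assumed rule
    default: return false;
  }
}

// CORS-unsafe request-header names: what Access-Control-Request-Headers would carry.
// An empty result means no header-triggered preflight. `requestSafe` is the assumed
// per-request override the comment asks about ("treat cache-control as safe").
function corsUnsafeRequestHeaderNames(headers, requestSafe = new Set()) {
  const unsafe = new Set(), safe = [];
  let safeBytes = 0;
  for (const [rawName, value] of headers) {
    const name = rawName.toLowerCase();
    if (requestSafe.has(name)) continue;
    if (isCorsSafelisted(name, value)) { safe.push(name); safeBytes += value.length; }
    else unsafe.add(name);
  }
  if (safeBytes > 1024) safe.forEach((n) => unsafe.add(n)); // spec's total-size cap
  return [...unsafe].sort();
}

// Headers an EventSource connection sends: Accept plus the Cache-Control the spec mandates,
// and Last-Event-ID on reconnect.
function eventSourceHeaders(lastEventId) {
  const headers = [['Accept', 'text/event-stream'], ['Cache-Control', 'no-cache']];
  if (lastEventId !== undefined) headers.push(['Last-Event-ID', lastEventId]);
  return headers;
}
```

With `requestSafe` empty, the initial connection preflights for `cache-control` alone, and a reconnect whose ID contains a colon preflights again for `cache-control, last-event-id`; marking `cache-control` safe for the request removes the first preflight entirely.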