Re: [whatwg/fetch] Add usage advice for Sec- (PR #1818) from Domenic Denicola on 2025-03-31 (public-webapps-github@w3.org from March 2025)

From: Domenic Denicola <notifications@github.com>
Date: Sun, 30 Mar 2025 23:52:40 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1818/c2765292072@github.com>

domenic left a comment (whatwg/fetch#1818)

I am interested in your example

> The `[Sec-Purpose](https://whatpr.org/fetch/1818.html#http-sec-purpose)` field tells a server that a [request](https://whatpr.org/fetch/1818.html#concept-request) is speculative. A server might choose to avoid triggering side-effects while processing such a request, such as suppressing the recording of page view metrics. Making this a [forbidden request-header](https://whatpr.org/fetch/1818.html#forbidden-request-header) has no security-relevant purpose and the `Sec-` prefix is therefore unnecessary.

(To double-check, this is not an example of the advice directly above it about CORS preflights, right? It's just coincidentally right after that, as something else you don't agree with.)

I think this falls into a general category where servers are better served by getting accurate information about the purpose of a request, but indeed getting inaccurate information isn't a security problem. (At least, not a security problem more serious than a DOS.)

In such cases, I've advised spec writers that using `Sec-` is a reasonable default. That is, if there's no compelling use case for letting `fetch()` fake a fetch-involving web platform feature, and servers benefit from mostly getting accurate information about such fetches, then we should default to using `Sec-` to help servers out.

A recent example is our design of [`Sec-Speculation-Tags`](https://github.com/WICG/nav-speculation/blob/main/speculation-rules-tags.md), where we say

> We've proposed using the Sec- prefix since we do not believe there are use cases for allowing web developers to manipulate these headers from JavaScript via a service worker, or set them with fetch() calls. Allowing such manipulation would not necessarily break anything, but it is probably simpler for web developers if they can always trust that a Sec-Speculation-Tags header comes from an actual speculation rules-initiated request.

There's also somewhat of a self-reinforcing argument here, because it could be confusing for servers to receive a request with `Speculation-Tags` but not `Sec-Purpose`. That is, since `Sec-Purpose` uses `Sec-`, even if we believe that was not necessary, it's probably better to have other features that build on `Sec-Purpose` also use `Sec-`.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1818#issuecomment-2765292072
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1818/c2765292072@github.com>

Received on Monday, 31 March 2025 06:52:44 UTC