Re: [whatwg/fetch] Add usage advice for Sec- (PR #1818)

annevk left a comment (whatwg/fetch#1818)

> But for new fields defined so long after CORS became ubiquitous, it's silly to insist that a server might act on it in a way that can be exploited.

Why would this be silly? Isn't it exactly because of the same-origin policy (as augmented by CORS) that servers can rely on not getting headers they don't expect from other origins? And thus can use arbitrary headers (of which we have no knowledge) for their own purpose?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1818#issuecomment-2846817947

Message ID: <whatwg/fetch/pull/1818/c2846817947@github.com>

Received on Friday, 2 May 2025 09:48:22 UTC
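The argument above rests on two browser-side rules from the Fetch Standard: a script cannot set forbidden request-header names at all (anything starting with `Sec-` or `Proxy-`, plus a fixed list), and any other non-safelisted header on a cross-origin request forces a CORS preflight that the server may refuse. The following is an added example, not code from the PR, the spec, or any browser; it models both rules in simplified form (partial forbidden and safelisted lists, no value-length or byte checks) against a hypothetical origin server `https://app.example` that keys an internal endpoint on a made-up `X-Internal-Token` header it never advertises in any CORS response. The origins, header name and token value are constructed for the example.

```javascript
// Added example (not from whatwg/fetch#1818 or the Fetch Standard text): a
// simplified model of forbidden request-header names and CORS preflight,
// showing why a server can treat an unadvertised header as same-origin-only.

// Forbidden request-header names: scripts cannot set these (partial list).
const FORBIDDEN_PREFIXES = ['proxy-', 'sec-'];
const FORBIDDEN_NAMES = new Set(['cookie', 'host', 'origin', 'referer',
  'content-length', 'connection', 'transfer-encoding']);

function isForbiddenRequestHeader(name) {
  const n = name.toLowerCase();
  return FORBIDDEN_NAMES.has(n) || FORBIDDEN_PREFIXES.some(p => n.startsWith(p));
}

// CORS-safelisted request headers (value-length and byte checks omitted).
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

function isSafelistedRequestHeader(name, value) {
  const n = name.toLowerCase();
  if (n === 'accept' || n === 'accept-language' || n === 'content-language') return true;
  if (n === 'content-type') {
    return SAFELISTED_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
  }
  return false;
}

function unsafeHeaderNames(headers) {
  return Object.keys(headers).filter(k => !isSafelistedRequestHeader(k, headers[k]));
}

function needsPreflight(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method)) return true;
  return unsafeHeaderNames(headers).length > 0;
}

// Hypothetical origin server: X-Internal-Token gates an internal endpoint and is
// never listed in Access-Control-Allow-Headers, so cross-origin callers can't send it.
function makeServer({ origin, allowedOrigins, allowedHeaders }) {
  const allowed = new Set(allowedHeaders.map(h => h.toLowerCase()));
  return {
    origin,
    preflight(requestOrigin, method, headerNames) {
      if (!allowedOrigins.includes(requestOrigin)) return false;
      if (method !== 'GET') return false;
      return headerNames.every(h => allowed.has(h.toLowerCase()));
    },
    handle(headers) {
      return headers['x-internal-token'] === 'let-me-in'
        ? { status: 200, body: 'internal data' }
        : { status: 403, body: 'forbidden' };
    },
  };
}

// Browser side: what a script running on pageOrigin can actually get delivered.
function browserFetch(pageOrigin, server, method, requestedHeaders) {
  // A Headers object with the "request" guard silently drops forbidden names.
  const headers = {};
  for (const [k, v] of Object.entries(requestedHeaders)) {
    if (!isForbiddenRequestHeader(k)) headers[k.toLowerCase()] = v;
  }
  if (pageOrigin !== server.origin && needsPreflight(method, headers) &&
      !server.preflight(pageOrigin, method, unsafeHeaderNames(headers))) {
    // The actual request is never sent; handle() is never reached.
    return { delivered: false, reason: 'preflight rejected' };
  }
  return { delivered: true, response: server.handle(headers) };
}

function runScenarios() {
  const server = makeServer({
    origin: 'https://app.example',
    allowedOrigins: ['https://evil.example'],  // cross-origin GETs are allowed...
    allowedHeaders: [],                        // ...but no extra headers are advertised
  });
  return {
    sameOriginWithToken:  browserFetch('https://app.example',  server, 'GET', { 'X-Internal-Token': 'let-me-in' }),
    crossOriginWithToken: browserFetch('https://evil.example', server, 'GET', { 'X-Internal-Token': 'let-me-in' }),
    crossOriginSecHeader: browserFetch('https://evil.example', server, 'GET', { 'Sec-Internal-Token': 'let-me-in' }),
    crossOriginPlainGet:  browserFetch('https://evil.example', server, 'GET', { Accept: 'application/json' }),
  };
}
```

Same-origin code reaches the gated endpoint; a cross-origin page sending the same header is stopped at preflight before the server's handler ever runs; a `Sec-` name is discarded by the browser before the request leaves; and a plain cross-origin GET arrives but without the header the server keys on. That is the property the comment relies on: a header the server never advertised cannot arrive from another origin, so the server is free to give it any meaning.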