- From: Anne van Kesteren <notifications@github.com>
- Date: Fri, 02 May 2025 02:48:18 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Friday, 2 May 2025 09:48:22 UTC
annevk left a comment (whatwg/fetch#1818)

> But for new fields defined so long after CORS became ubiquitous, it's silly to insist that a server might act on it in a way that can be exploited.

Why would this be silly? Isn't it exactly because of the same-origin policy (as augmented by CORS) that servers can rely on not getting headers they don't expect from other origins? And thus can use arbitrary headers (of which we have no knowledge) for their own purpose?

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1818#issuecomment-2846817947