[whatwg/fetch] Discussion: the term for non-preflighted request ("simple request") (Issue #1824)

elarlang created an issue (whatwg/fetch#1824)

### What is the issue with the Fetch Standard?

Problem to solve: What is "the official" term for an HTTP request that does not trigger a CORS preflight?

Previously, it was called a "simple request".
https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/CSRF#avoiding_simple_requests

Till there is a better name, the usage of "simple request" moves on.

I have used and recommended the term "CORS-safelisted request", but in the specification document, it is not clearly stated, although the following terms are used:
* CORS-safelisted method
* CORS-safelisted request-header
* CORS-safelisted response-header name

But not "CORS-safelisted request" as an independent term.

It is a "close call" in https://fetch.spec.whatwg.org/#cors-protocol-exceptions

> Specifications have allowed limited exceptions to the **CORS safelist** for non-safelisted `Content-Type` header values. These exceptions are made for requests that can be triggered by web content but whose headers and bodies can be only minimally controlled by the web content. Therefore, servers should expect cross-origin web content to be allowed to trigger **non-preflighted requests** with the following non-safelisted `Content-Type` header values:

And then defined as "non-preflighted request".

It would be nice if the specification defined such a term.

At the moment, my main question is: is "CORS-safelisted request" somehow incorrect to use?



Received on Thursday, 15 May 2025 12:58:35 UTC