- From: Domenic Denicola <notifications@github.com>
- Date: Tue, 23 Sep 2025 23:28:37 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 24 September 2025 06:28:41 UTC
@domenic commented on this pull request. > <td>"<code>report</code>" - <td rowspan=2>— + <td rowspan=3>— No, per discussion with CSP folks, header-initiated fetches are not generally governed by CSP at all. The reasoning is that CSP is a mechanism for protection against HTML injection defense, not header-injection defense; if an attacker can inject headers, then they can mess up your CSP and do all sorts of bad things. I guess `Link` might be governed by CSP, but that's more of a historical accident... -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/pull/1841#discussion_r2374560007 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/fetch/pull/1841/review/3261211830@github.com>
Received on Wednesday, 24 September 2025 06:28:41 UTC