[whatwg/fetch] Block opaque 416 responses to range requests (Issue #1906) from Yoshisato Yanagisawa on 2026-01-14 (public-webapps-github@w3.org from January 2026)

From: Yoshisato Yanagisawa <notifications@github.com>
Date: Tue, 13 Jan 2026 23:10:09 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1906@github.com>

yoshisatoyanagisawa created an issue (whatwg/fetch#1906)

### What is the issue with the Fetch Standard?

The current Fetch Standard specifies that for an opaque response with the range-requested flag set, but without an originating Range header in the request, a 206 Partial Content status code should result in a network error. This is a crucial security check designed to prevent XS-Leak attacks that could reveal resource sizes.

However, this check is limited to 206 status codes and does not apply to 416 Range Not Satisfiable responses, which are also used for failed Range requests.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1906
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1906@github.com>

Received on Wednesday, 14 January 2026 07:10:13 UTC