Re: [whatwg/fetch] Allow user agents to use more permissive header validation in extensions (Issue #1878) from rdcronin on 2026-01-29 (public-webapps-github@w3.org from January 2026)

From: rdcronin <notifications@github.com>
Date: Wed, 28 Jan 2026 16:40:04 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1878/3814682336@github.com>

rdcronin left a comment (whatwg/fetch#1878)

Thanks for the feedback, and apologies for the delay, @annevk -- this got lost in the holiday shuffle. : )

> I would prefer us to be more explicit about when exactly this happens as the "may" statement seems unnecessarily broad. Is the execution environment of extensions standardized?

The extension execution environment is not yet fully standardized.  We are working on improving this by reducing inconsistencies between browsers and beginning to write specifications, but there is nothing that's been published in the W3C just yet.  We have a [Web Extensions Community Group](https://github.com/w3c/webextensions/) and are in the process of forming a Working Group, which will help in this process.  However, in all likelihood, it will take years for us to fully specify the extension environment.

Regarding the "may" phrasing here, that was intentional, for the following reasons:
* We _typically_ don't mention extensions in web-facing specifications.  Extensions are usually thought of as a layer above the web and as an extension of the user agent.  While we think that specifying them in the W3C makes sense (and there's plenty of prior art for other things that aren't-quite-the-web there), we aren't sure we should necessarily have language around extension behavior in other web specifications.
* It's quite feasible that browsers might want to leverage this for other privileged web-like contexts.  For instance, [controlled frames](https://github.com/WICG/controlled-frame) could feasibly want to do something very similar.  We wanted to leave the door open to other uses here, at the discretion of the user agent.

> This would also not solve the equivalent XMLHttpRequest case https://xhr.spec.whatwg.org/#the-setrequestheader()-method so we probably want something a little different.

True!  I think we'd like to start with fetch() for now, but I would be open to submitting a patch to the XHR spec, as well.  But, given they are disparate specs, it seems like they can be tackled independently.  WDYT?

Thanks again for the input!

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1878#issuecomment-3814682336
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1878/3814682336@github.com>

Received on Thursday, 29 January 2026 00:40:08 UTC