Re: [whatwg/fetch] Hide range header values on no-cors requests (PR #1937) from Jake Archibald on 2026-06-23 (public-webapps-github@w3.org from June 2026)

From: Jake Archibald <notifications@github.com>
Date: Tue, 23 Jun 2026 09:27:26 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1937/review/4555194794@github.com>

@jakearchibald commented on this pull request.



> @@ -8032,8 +8056,7 @@ method steps are to <a for=Headers>append</a> (<var>name</var>, <var>value</var>
   <p class=note>Passing a dummy <a>header value</a> ought not to have any negative repercussions.
 
  <li><p>If <a>this</a>'s <a for=Headers>guard</a> is "<code>request-no-cors</code>", <var>name</var>
- is not a <a>no-CORS-safelisted request-header name</a>, and <var>name</var> is not a
- <a>privileged no-CORS request-header name</a>, then return.
+ is not a <a>no-CORS-safelisted request-header name</a>, then return.

This is a behaviour/capability change. Previously you could remove the range from a range request. Now you cannot.

I could make this work, but it seems weird that you can remove a header that doesn't appear to be there.

Fwiw this wouldn't be an issue if we returned a fake value. Although that may have other issues.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1937#pullrequestreview-4555194794
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1937/review/4555194794@github.com>

Received on Tuesday, 23 June 2026 16:27:30 UTC