Re: [whatwg/fetch] Hide range values from no-cors cross-origin range requests (Issue #1936) from Jake Archibald on 2026-06-25 (public-webapps-github@w3.org from June 2026)

From: Jake Archibald <notifications@github.com>
Date: Thu, 25 Jun 2026 02:01:38 -0700
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/issues/1936/4797544826@github.com>

jakearchibald left a comment (whatwg/fetch#1936)

I'd like to discuss three options at WHATNOT:

- Revealing the byte size of a cross-origin valid media resource is fine. We already reveal duration, and something having the same duration and a different byte size will be very rare. 
- We hide the range header value. Risks: The developer doesn't know a request is a range request, and may act incorrectly based on the false information. It becomes a tricksy part of the platform.
- We lie about the range header value (`0-`). The developer knows it's a range request. However, the incorrect value may still result in them acting incorrectly based on the false info. It's still a tricksy part of the platform.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1936#issuecomment-4797544826
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/issues/1936/4797544826@github.com>

Received on Thursday, 25 June 2026 09:01:42 UTC