Accept 'sec-'-prefixed headers as CORS-safelisted. #1000

Closed
wants to merge 3 commits into from
13 changes: 11 additions & 2 deletions fetch.bs
Expand Up @@ -708,7 +708,11 @@ production as
<li><p>Let <var>value</var> be <var>header</var>'s <a for=header>value</a>.

<li>
<p><a>Byte-lowercase</a> <var>header</var>'s <a for=header>name</a> and switch on the result:
<p>Let <var>name</var> be the result of <a>byte-lowercasing</a> <var>header</var>'s
<a for=header>name</a>.

<li>
<p>Switch on <var>name</var>:

<dl class=switch>
<dt>`<code>accept</code>`
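Review bot: Style: the new "Let <var>name</var> be ..." step opens with `<li>` on its own line followed by `<p>`, while the unchanged step just above it (`<li><p>Let <var>value</var> ...`) keeps `<li><p>` on one line; two adjacent steps should use the same layout. Also check that `<a>byte-lowercasing</a>` resolves when the spec builds: the removed line linked the term as `<a>Byte-lowercase</a>`, so if the -ing form is not registered as linking text, write `<a lt="byte-lowercase">byte-lowercasing</a>`.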
Expand Down Expand Up @@ -760,7 +764,12 @@ fetch("https://victim.example/naïve-endpoint", {
</div>

<dt>Otherwise
<dd><p>Return false.
<dd>
<p>If <var>name</var> does not start with `<code>sec-</code>`, then return false.

<p class=note>As all headers starting with `<code>Sec-</code>` are <a>forbidden header
names</a>, we have some confidence that they're generated by the user agent, and not via APIs
that developers directly control.
Member: The other thing we should point out here is #880 (comment). In particular, if Fetch isn't in control of setting these headers, you might be in for a surprise with service workers.

Member Author: I don't quite follow where that conversation ended up. What's the behavior in Service Workers that we want? What behavior would surprise developers? @yoavweiss

Collaborator: So, the surprising bits would be that Sec-prefixed headers would disappear from the requests when developers modify the request in a SW in any way (but won't disappear for pass-through cases).

For the CH case, I think we could solve this by re-adding them below SWs (but @annevk had reservations). For Fetch-Metadata, maybe you could simply add them below SWs?

Member: I think for Fetch-Metadata all is in order because they are set as part of main fetch.

</dl>

<li><p>If <var>value</var>'s <a for="byte sequence">length</a> is greater than 128, then return
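Review bot: The new Otherwise branch only returns false when <var>name</var> does not start with `sec-`; a `sec-` name now falls out of the switch and continues to the next step, `If value's length is greater than 128, then return false`, so a `Sec-` header whose value exceeds 128 bytes is still not safelisted. If that is intended, the note should say that `Sec-` headers share the value-length limit; if not, return true explicitly in the `sec-` case. The note's justification (`Sec-` headers are forbidden header names, hence generated by the user agent) also needs the caveat raised in the thread above: it only holds for headers the user agent sets after any service worker has handled the request, since a service worker that rebuilds the request drops `Sec-` headers instead of forwarding them.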