Safelist request headers starting with Sec-
#880
Conversation
|
Yoav, |
Any pointers to that thread?
IIUC, it should be in both. I agree only user agents should be able to set it (hence it should be in the forbidden list), but then, when a user agent invokes e.g. main fetch, in step 5, it needs to verify that the CORS unsafe request header names list is empty. That, in turn, triggers the CORS safelisted request header algorithm on all header fields, checking if they are safe-listed. Not including Since we want to avoid those preflights, I think |
|
So the flow you seem to want is that a context can set a The problem with this approach is service workers. You've now put privileged headers in a Perhaps that is what should happen as the context is different too, but I strongly suspect it's not what you intended to happen. |
|
OK, so the right flow would be that any |
|
I haven't really put a lot of thought into that. This came to mind when I tried to remember what problems we've run into with trying to extend this in the past. |
|
w3c/resource-hints#74 (comment) Yep, since the user-agents' managed headers are injected later but before making network requests, they won't appear in the header list when we run several algorithms for the fetch and XHR specs, and these headers don't have a chance to set unsafe-request flag or use-CORS-preflight flag. That's my understanding. But, if you need to say something explicitly, can we say that 'if the header name matches the forbidden header names' rather than 'if the header name is Sec-*'? Actually, that's Chrome implementation. |
In the current Client Hints PR, the CH headers are added as part of fetch steps 1.8.3 IIUC, since main fetch runs below that, and this is where the safelist test happens, I'd need to move it lower, after the safelist test. I can definitely do that. And you're right that if all UA-added headers will be added below that check, there's no need to add the current clause. I'll close this PR, and shuffle things around in the CH PR.
Yeah, I'll move my header additions lower, so that they won't require such an exception.
Good point, but I think we can avoid it altogether now. Thanks! |
|
@yoavweiss not just below the safelist test, below handing things off to service workers. |
That's not what we discussed in the past. Client Hints need to be observable by SWs in order to satisfy their use-cases, and in order for SW to respond to those resources from the cache properly. |
|
I know, see #880 (comment) though. |
|
Can't we add the values before as well as after SWs? (in case they were removed) |
|
Maybe? It's not immediately clear to me that wouldn't create other problems. |
|
Is the pattern we used for |
|
@jakearchibald that would not prevent a preflight for requests whose mode is "cors". Though maybe it should? |
My understanding going over that constructor algorithm is that:
Is that correct? If so, is that the intended behavior? I feel like adding |
|
Yeah, I overlooked the fact that if you do not modify the request the headers are preserved. My bad. |
|
Is that the intended behavior? If it is, than I'd assume step 32.2 should skip the other substeps if If it isn't and we need to append all the headers anyway, maybe we can carve out |
|
No, if any init members are set, then headers are to be "reinitialized". Only if it's a "pass-through" request things can stay the way they were. I thought that was okay for your scenario though? |
|
Any update? i.e., any chance to have 'Sec-Fetch-Purpose' in the 'Fetch Metadata Request Headers' spec? |
|
Obsoleted by #1000 |
As discussed with @annevk on w3c/resource-hints#74 (comment), this PR makes sure that
Sec-prefixed request headers are always CORS-safe.Preview | Diff