[Webkit-unassigned] [Bug 63460] CORS should only deal with request headers set by script authors

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jun 22 03:18:47 PDT 2016


https://bugs.webkit.org/show_bug.cgi?id=63460

--- Comment #22 from Anne van Kesteren <annevk at annevk.nl> ---
(In reply to comment #21)
> I guess that if they are inserted after core preflight checker, this should
> work nicely.

That is definitely how Fetch approaches this. DNT is set with other headers just before the request goes to the network. Notably, this is after service workers. See step 12 of https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch. It's a little vague still, but hopefully that will get better over time.

Now, it is a problem that user agents are somehow exempt from the same-origin policy and we keep introducing new headers that we emit across origins and that servers might get tripped up by. I don't have a good story for that yet. Nobody seems to really think about the fact that when they add DNT to all requests, they also violate the implicit agreements around the same-origin policy.

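The ordering Anne describes, as an added illustration that is not code from WebKit or from the Fetch specification: the preflight decision is made over the headers the script author set, and the user agent's own headers (DNT here) are appended only later, at the network stage, so they never factor into that decision. The safelist below is a simplified rendering of Fetch's "CORS-safelisted request-header" definition (value-length and byte-range rules are omitted, an assumption noted in the code); the staging functions and the DNT value are illustrative.

```javascript
// Added example: a model of "preflight is decided on author headers only,
// UA headers are appended afterwards". Not WebKit or Fetch spec code.

// Simplified CORS-safelisted request-header names (Fetch spec). Assumption:
// value-length limits and forbidden-byte checks are left out for brevity.
const SAFELISTED_NAMES = new Set([
  "accept",
  "accept-language",
  "content-language",
  "content-type",
]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
// Methods that do not by themselves require a preflight.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

// Returns true if a single header (name, value) is CORS-safelisted.
function isCorsSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED_NAMES.has(n)) return false;
  if (n === "content-type") {
    // Only the essence (type/subtype) matters; parameters such as charset are ignored.
    const mime = value.split(";")[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(mime);
  }
  return true;
}

// Stage 1 (CORS fetch): decide whether a preflight is needed, looking only at
// the method and the headers the script author set.
function needsPreflight(method, authorHeaders) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return authorHeaders.some(([name, value]) => !isCorsSafelistedHeader(name, value));
}

// Stage 2 (after service workers, the network stage): the user agent appends
// its own headers. They do not reopen the preflight decision.
function buildNetworkRequest(method, authorHeaders, uaHeaders) {
  const preflight = needsPreflight(method, authorHeaders);
  const headers = [...authorHeaders, ...uaHeaders]; // UA headers appended last
  return { method, preflight, headers };
}

// Constructed request: a simple POST with text/plain, plus a UA-added DNT.
// Had DNT been treated as an author header, it would have forced a preflight;
// appended at the network stage it crosses origins without one, which is the
// same-origin-policy tension raised above.
const withUaHeader = buildNetworkRequest(
  "POST",
  [["Content-Type", "text/plain"]],
  [["DNT", "1"]],
);
const ifAuthorHadSetDnt = needsPreflight("POST", [
  ["Content-Type", "text/plain"],
  ["DNT", "1"],
]);
```

`withUaHeader.preflight` is false while `ifAuthorHadSetDnt` is true, which is exactly the asymmetry the comment points at: the same header on the wire, but only one of the two paths lets the server say no first.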