<html>
<head>
<base href="https://bugs.webkit.org/" />
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_UNCONFIRMED "
title="UNCONFIRMED - CORS should only deal with request headers set by script authors"
href="https://bugs.webkit.org/show_bug.cgi?id=63460#c22">Comment # 22</a>
on <a class="bz_bug_link
bz_status_UNCONFIRMED "
title="UNCONFIRMED - CORS should only deal with request headers set by script authors"
href="https://bugs.webkit.org/show_bug.cgi?id=63460">bug 63460</a>
from <span class="vcard"><a class="email" href="mailto:annevk@annevk.nl" title="Anne van Kesteren <annevk@annevk.nl>"> <span class="fn">Anne van Kesteren</span></a>
</span></b>
<pre>(In reply to <a href="show_bug.cgi?id=63460#c21">comment #21</a>)
<span class="quote">> I guess that if they are inserted after core preflight checker, this should
> work nicely.</span >
That is definitely how Fetch approaches this. DNT is set with other headers just before the request goes to the network. Notably, this is after service workers. See step 12 of <a href="https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch">https://fetch.spec.whatwg.org/#concept-http-network-or-cache-fetch</a>. It's a little vague still, but hopefully that will get better over time.
Now, it is a problem that user agents are somehow exempt from the same-origin policy and we keep introducing new headers that we emit across origins and servers might get tripped up by. I don't have a good story for that yet. Nobody seems to really think about it that when they add DNT to all requests, they also violate the implicit agreements around the same-origin policy.</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>