<html>

    <head>

      <base href="https://bugs.webkit.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - Require preflight for non-standard CORS-safelisted request headers Accept, Accept-Language, and Content-Language"

   href="https://bugs.webkit.org/show_bug.cgi?id=165178">165178</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>Require preflight for non-standard CORS-safelisted request headers Accept, Accept-Language, and Content-Language

          </td>

        </tr>

        <tr>

          <th>Classification</th>

          <td>Unclassified

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>WebKit

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>WebKit Nightly Build

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>Unspecified

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>Normal

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P2

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>WebCore Misc.

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>webkit-unassigned&#64;lists.webkit.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>wilander&#64;apple.com

          </td>

        </tr></table>

      <p>

        <div>

        <pre>Fetch currently only restricts the header Content-Type for simple requests: <a href="https://fetch.spec.whatwg.org/#cors-safelisted-request-header">https://fetch.spec.whatwg.org/#cors-safelisted-request-header</a>

This means simple CORS requests can send unexpected characters in Accept, Accept-Language, and Content-Language header values.

RFC 7231 implies restrictions on these header values:

Accept <a href="https://tools.ietf.org/html/rfc7231#section-5.3.2">https://tools.ietf.org/html/rfc7231#section-5.3.2</a>

Accept-Language <a href="https://tools.ietf.org/html/rfc7231#section-5.3.5">https://tools.ietf.org/html/rfc7231#section-5.3.5</a>

Content-Language <a href="https://tools.ietf.org/html/rfc7231#section-3.1.3.2">https://tools.ietf.org/html/rfc7231#section-3.1.3.2</a>

As per discussions in the W3C WebAppSec group we should try to restrict these header values to help protect servers that do not expect simple CORS requests.

Non-standard header values should trigger a preflight and require the headers to be whitelisted in the response's Access-Control-Allow-Headers.</pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are the assignee for the bug.</li>

      </ul>

    </body>

</html>