Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Consider using a Fetch metadata header #81

Open
letitz opened this issue Sep 27, 2022 · 3 comments
Open

Consider using a Fetch metadata header #81

letitz opened this issue Sep 27, 2022 · 3 comments

Comments

@letitz
Copy link
Collaborator

letitz commented Sep 27, 2022

We might want to let the server know that the request client is in a more public network, during the actual request, after the preflight request. This could take the shape of a fetch metadata header. Something like:

Sec-Fetch-Address-Space: public

Modulo the appropriate amount of bikeshedding.

According to @mikewest in #80, some version of this was considered way back when CORS-RFC1918 was being initially designed.

@annevk
Copy link

annevk commented Sep 27, 2022

If we do this we should probably only include it for non-public requests to avoid bloat in the common case.

@letitz
Copy link
Collaborator Author

letitz commented Sep 27, 2022

Agreed! The default (not a private network request) can be implied by the absence of the header.

@mikewest
Copy link
Member

Right. If we decide we need it, we'd want to model it on https://www.w3.org/TR/fetch-metadata/#sec-fetch-user-header.

That said, I'm not sure we do. I think it's worth discussing, but no one we've talked to has asked for this. It might have just been an unnecessary idea way back when.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants