New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
WDC-457: Document fetch credential header handling on cross-origin redirects #3378
Conversation
Context in node-fetch/node-fetch#1449 |
@@ -81,15 +81,15 @@ let request = new Request(input [, init]) | |||
|
|||
- `headers` <Type>Headers</Type> <PropMeta>optional</PropMeta> | |||
|
|||
- A [`Headers` object](https://developer.mozilla.org/en-US/docs/Web/API/Headers). | |||
- A [`Headers` object](https://developer.mozilla.org/en-US/docs/Web/API/Headers). <Aside type="warning"> Headers explicitly added to `fetch(url)` will always be sent, even in the case that a redirect is followed. Since Workers does not store nor implicitly add credential headers, explicitly defined `Cookie` and `Authorization` headers will be forwarded when a redirect occurs, even in a cross-origin context.</Aside> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Bikeshedding a bit, what do you think of:
- A [`Headers` object](https://developer.mozilla.org/en-US/docs/Web/API/Headers). <Aside type="warning"> Headers explicitly added to `fetch(url)` will always be sent, even in the case that a redirect is followed. Since Workers does not store nor implicitly add credential headers, explicitly defined `Cookie` and `Authorization` headers will be forwarded when a redirect occurs, even in a cross-origin context.</Aside> | |
- A [`Headers` object](https://developer.mozilla.org/en-US/docs/Web/API/Headers). Note that, compared to browsers, Cloudflare Workers imposes very few restrictions on what headers you are allowed to send. For example, a browser will not allow you to set the `Cookie` header, since the browser is responsible for handling cookies itself. Workers, however, has no special understanding of cookies, and treats the `Cookie` header like any other header. <Aside type="warning">In the event that the response is a redirect, and the redirect mode is set to `follow` (see below), then all headers will be forwarded to the redirect destination, even if the destination is a different hostname or domain. This includes sensitive headers like `Cookie`, `Authorization`, or any application-specific headers. If this is not the behavior you want, you should set redirect mode to `manual` and implement your own redirect policy. Note that redirect mode defaults to `manual` for requests that originated from the Worker's client, so this warning only applies to `fetch()`es made by a Worker that are not proxying the original request.</Aside> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that refactor is a good compromise from my original words and more directly addresses the intent of this change (clarification about how explicitly adding headers to our fetch()
implementation works compared to browsers).
You do say "very few restrictions" -> I'm assuming this is referring to the IP headers?
it did look a bit busy like before so I moved it into a note component:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't referring to the IP headers, no. I was referring to the list of headers that browsers don't normally allow to be set using fetch()
, like Cookie
, User-Agent
, Date
, ...
I'm OK with either of those two screenshots.
LGTM, don't think I'm a codeowner though |
Co-authored-by: Kate Tungusova <70746074+deadlypants1973@users.noreply.github.com>
Deploying with Cloudflare Pages
|
While we are currently following the
fetch
spec, I believe it would be helpful to document this behavior.