Certain "hop-by-hop" headers (such as Proxy-Authenticate and Proxy-Authorization) are generally not visible to the destination server (e.g. they are stripped out by a proxy). Allowing origins to request their values via the request_headers and response_headers fields of a NEL report would violate the principle that NEL reports are meant to only contain information that would be available to the destination server.
Should there be a blacklist of headers whose values must not be sent in NEL reports? For example, RFC 2068 lists the following headers as "hop-by-hop":
Connection
Keep-Alive
Public
Proxy-Authenticate
Transfer-Encoding
Upgrade
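
An added example, not part of the original issue, the NEL specification or any browser's code: one way a user agent could apply such a denylist when filling the `request_headers` and `response_headers` fields of a report. It goes slightly beyond the issue text by also dropping headers nominated in the `Connection` header; the function names, input shape and sample values are assumptions.

```javascript
// Added example. Header names come from the issue text: the RFC 2068
// hop-by-hop list plus Proxy-Authorization, which the issue also names.
const HOP_BY_HOP = new Set([
  "connection", "keep-alive", "public", "proxy-authenticate",
  "proxy-authorization", "transfer-encoding", "upgrade",
]);

// Headers listed as tokens in Connection are hop-by-hop for that message too.
function connectionNominated(headers) {
  const out = new Set();
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() !== "connection") continue;
    for (const token of String(value).split(",")) {
      const t = token.trim().toLowerCase();
      if (t) out.add(t);
    }
  }
  return out;
}

// requested: header names from the policy's request_headers/response_headers.
// actual: headers the client saw, name -> value (hypothetical input shape).
// Returns name -> [values], containing only end-to-end headers.
function reportableHeaders(requested, actual) {
  const nominated = connectionNominated(actual);
  const byLower = new Map();
  for (const [name, value] of Object.entries(actual)) {
    const key = name.toLowerCase();
    if (!byLower.has(key)) byLower.set(key, []);
    byLower.get(key).push(String(value));
  }
  const report = {};
  for (const name of requested) {
    const key = name.toLowerCase();
    if (HOP_BY_HOP.has(key) || nominated.has(key)) continue;
    if (byLower.has(key)) report[name] = byLower.get(key);
  }
  return report;
}

// Constructed sample: a response as seen by a client behind a proxy.
const sampleResponse = {
  "ETag": "\"abc123\"",
  "Proxy-Authenticate": "Basic realm=\"corp-proxy\"",
  "Connection": "keep-alive, X-Proxy-Trace",
  "Keep-Alive": "timeout=5",
  "X-Proxy-Trace": "hop-7",
};
const samplePolicy = ["ETag", "Proxy-Authenticate", "X-Proxy-Trace", "Keep-Alive"];
```

With the constructed sample, only `ETag` survives: `Proxy-Authenticate` and `Keep-Alive` are on the fixed list, and `X-Proxy-Trace` is dropped because the `Connection` header nominates it.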