Change how CORS filtered response filters the headers. #265
Conversation
Rather than just directling taking the exposed headers from the `Access-Control-Expose-Headers` header, this adds a separate list of exposed headers to a response, initialized from that header. This makes it possible for foreign fetch to filter headers differently.
| <p>A <dfn>CORS-safelisted response-header name</dfn>, given a | ||
| <span title=concept-response-header-list>header list</span> <var>list</var>, is a | ||
| <span title=concept-header>header</span> <span title=concept-header-name>name</span> that is one of: | ||
| <p>A <dfn id="cors-safelisted-response-header-name">CORS-safelisted response-header name</dfn>, given a |
There was a problem hiding this comment.
Sorry, user error. Somehow managed to copy generated html into the source file... Fixed.
mkruisselbrink
force-pushed
the
change-cors-header-filtering
branch
from
6c4e819
to
0de4b98
Compare
…filtered response.
| to the result of <span title=concept-header-parse>parsing</span> | ||
| `<code title=http-access-control-expose-headers>Access-Control-Expose-Headers</code>` in | ||
| <var>response</var>'s | ||
| <span title=concept-response-header-list>header list</span>. |
There was a problem hiding this comment.
Although it does not matter in a black-box-observable way, I still think we should add a conditional here for response tainting being "cors".
|
This looks pretty good. It could use some rewrapping here and there to account for 100 column lines (while keeping inline elements on one line at all cost, even if it requires exceeding the limit after putting them on their own line), but I'm happy to do that for you. |
Thanks. I tried to do wrapping that seemed to match most of the rest of the document, but yeah, it's certainly possible that I missed something/wrapped something differently than you'd like. |
Rather than just directling taking the exposed headers from the `Access-Control-Expose-Headers` header, this adds a separate list of exposed headers to a response, initialized from that header. This makes foreign fetch integration easier. PR: #265
|
Thank you, merged as 32411c7. |
Rather than just directling taking the exposed headers from the
Access-Control-Expose-Headersheader, this adds a separate list ofexposed headers to a response, initialized from that header. This makes
it possible for foreign fetch to filter headers differently.
This will be used by foreign fetch in mkruisselbrink/ServiceWorker@bf4585b