diff --git a/fetch.bs b/fetch.bs index b6e797a21..d91af2df9 100644 --- a/fetch.bs +++ b/fetch.bs @@ -97,6 +97,22 @@ url: https://tools.ietf.org/html/rfc7234#section-1.2.1;text:delta-seconds;type:d "publisher": "US-CERT", "href": "https://www.kb.cert.org/vuls/id/150227", "title": "HTTP proxy default configurations allow arbitrary TCP connections." + }, + "REPORTING": { + "authors": ["Ilya Grigorik", "Mike West"], + "href": "https://wicg.github.io/reporting/", + "title": "Reporting API" + }, + "EXPECT-CT": { + "authors": [ + "Emily Stark" + ], + "href": "https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02", + "publisher": "IETF", + "title": "Expect-CT Extension for HTTP" + }, + "OCSP": { + "aliasOf": "RFC2560" } } @@ -445,6 +461,9 @@ whose name is a byte-case-insensitive match for one of
and whose value, once extracted, is not failure. +
There are limited exceptions to the `Content-Type
` header safelist, as
+documented in CORS protocol exceptions.
+
A CORS non-wildcard request-header name is a byte-case-insensitive match
for `Authorization
`.
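Review bot: in the bibliography hunk above, `"OCSP": { "aliasOf": "RFC2560" }` aliases a document that has been obsoleted by RFC 6960; the `application/ocsp-request` media type the later hunk cites is unchanged by that revision, but the alias should be `"RFC6960"` so the [[OCSP]] reference does not resolve to a superseded specification.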
@@ -2226,6 +2245,27 @@ Access-Control-Allow-Credentials: true
ignored.
+
Specifications have allowed limited exceptions to the CORS safelist for non-safelisted
+`Content-Type
` header values. These exceptions are made for requests that can be
+triggered by web content but whose headers and bodies can be only minimally controlled by the web
+content. Therefore, servers should expect cross-origin web content to be allowed to trigger
+non-preflighted requests with the following non-safelisted `Content-Type
` header
+values:
+
+
application/csp-report
` [[CSP]]
+ application/report
` [[REPORTING]]
+ application/expect-ct-report+json
` [[EXPECT-CT]]
+ application/xss-auditor-report
`
+ application/ocsp-request
` [[OCSP]]
+Specifications should avoid introducing new exceptions and should only do so with careful +consideration for the security consequences. New exceptions can be proposed by +filing an issue. +
X-Content-Type-Options
` header
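Review bot: `application/xss-auditor-report` is the only entry in the new exception list without a reference, while the other four each cite a spec ([[CSP]], [[REPORTING]], [[EXPECT-CT]], [[OCSP]]); the XSS Auditor is a Chromium feature with no standards document, so either cite the Chromium documentation or say inline that the type is implementation-defined, otherwise the missing `[[...]]` reads as an omission. The sentence "whose headers and bodies can be only minimally controlled by the web content" would also help server operators more if it stated what they may rely on: the body is serialized by the user agent rather than supplied verbatim by the page, and a request carrying one of these `Content-Type` values must still be treated as an unauthenticated cross-origin request, not as evidence of same-origin intent.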