diff --git a/fetch.bs b/fetch.bs index b6e797a21..d91af2df9 100644 --- a/fetch.bs +++ b/fetch.bs @@ -97,6 +97,22 @@ url: https://tools.ietf.org/html/rfc7234#section-1.2.1;text:delta-seconds;type:d "publisher": "US-CERT", "href": "https://www.kb.cert.org/vuls/id/150227", "title": "HTTP proxy default configurations allow arbitrary TCP connections." + }, + "REPORTING": { + "authors": ["Ilya Grigorik", "Mike West"], + "href": "https://wicg.github.io/reporting/", + "title": "Reporting API" + }, + "EXPECT-CT": { + "authors": [ + "Emily Stark" + ], + "href": "https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct-02", + "publisher": "IETF", + "title": "Expect-CT Extension for HTTP" + }, + "OCSP": { + "aliasOf": "RFC2560" } } @@ -445,6 +461,9 @@ whose name is a byte-case-insensitive match for one of

and whose value, once extracted, is not failure. +

There are limited exceptions to the `Content-Type` header safelist, as +documented in CORS protocol exceptions. +

A CORS non-wildcard request-header name is a byte-case-insensitive match for `Authorization`. @@ -2226,6 +2245,27 @@ Access-Control-Allow-Credentials: true ignored. +

CORS protocol exceptions

+ +

Specifications have allowed limited exceptions to the CORS safelist for non-safelisted +`Content-Type` header values. These exceptions are made for requests that can be +triggered by web content but whose headers and bodies can be only minimally controlled by the web +content. Therefore, servers should expect cross-origin web content to be allowed to trigger +non-preflighted requests with the following non-safelisted `Content-Type` header +values: + +

+ +

Specifications should avoid introducing new exceptions and should only do so with careful +consideration for the security consequences. New exceptions can be proposed by +filing an issue. +

`X-Content-Type-Options` header
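Review bot: in the first hunk (the biblio block), `"OCSP": { "aliasOf": "RFC2560" }` aliases a document that RFC 6960 obsoleted in 2013; unless the spec deliberately cites the old text, the alias should be `"aliasOf": "RFC6960"`. Two smaller points in the same hunk: the EXPECT-CT entry pins `draft-ietf-httpbis-expect-ct-02` by version number, so the link goes stale on the next revision (the unversioned `https://tools.ietf.org/html/draft-ietf-httpbis-expect-ct` tracks the current draft), and the REPORTING entry omits the `"publisher"` key that the neighbouring entries carry, although its href identifies it as a WICG document.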
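Review bot: in the hunk at `@@ -445,6 +461,9 @@`, the added sentence "There are limited exceptions to the `Content-Type` header safelist, as documented in CORS protocol exceptions." reads as if the exceptions add values to the safelist; they do not, they exempt particular request types from the preflight while the header value stays non-safelisted. Suggest wording that keeps that distinction, along the lines of "Some requests are allowed to carry non-safelisted `Content-Type` values without a CORS-preflight fetch; see CORS protocol exceptions.", and make sure the phrase is a cross-reference to the new section so a reader of the CORS-safelisted request-header definition can find the list.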
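Review bot: in the last hunk, the new section tells servers to expect non-preflighted cross-origin requests with these `Content-Type` values but not what follows from that; since the exception means a preflight cannot be relied on, add a sentence that an endpoint accepting one of these types must treat the request as reachable from any origin (check the request's origin itself rather than assume a CORS preflight gated it). The justification "whose headers and bodies can be only minimally controlled by the web content" is the load-bearing security claim and should state concretely what it requires, e.g. that the user agent generates the body in a fixed format and the page cannot choose arbitrary header values, so that future exceptions are judged against the same bar. Finally, "by filing an issue" should link to the repository issue tracker rather than leave the reader to find it.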