Strengthen requirements on CORS-safelisted request-headers #736
@johnwilander @mikewest @ckerschb @bzbarsky I'd appreciate your review. @sicking this goes against what you advocated for in #313, but given Safari's success in locking this down and given that there continue to be security bugs in this area due to it not being locked down I think this is the responsible path forward.
@yutakahirano I looked at all callers of CORS-safelisted request-header and considered an alternative design whereby the input is a header list and the output is a list of headers that are not safelisted. That way we could have an overall size limit and if it is reached we'd just not safelist anything.
However, the one problem with this approach is the
Perhaps the solution to that is that we freeze "
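As an added illustration, not code from this PR or from the Fetch standard's own text, here is the "header list in, non-safelisted names out, with an overall size limit" design sketched in the comment above, in Python. It assumes the per-header rules and the 128-byte per-value and 1024-byte aggregate limits of the current Fetch standard (none of those numbers appear on this page), and it simplifies MIME-type parsing to the essence before the first `;`.

```python
# Added example (not the PR's or the spec's code): a header list goes in,
# the lowercase names that are NOT safelisted come out. If the aggregate
# size of safelisted values exceeds the cap, nothing is safelisted.
# Per-header rules and the 128/1024 limits follow the current Fetch
# standard; those values are an assumption as far as this page goes.

# Bytes that disqualify an Accept / Content-Type value (controls except HT,
# plus the delimiters that would let a value smuggle structure).
CORS_UNSAFE_BYTES = (set(range(0x00, 0x20)) - {0x09}) | set(b'"():<>?@[\\]{}\x7f')
# Accept-Language / Content-Language are limited to this small alphabet.
LANG_OK = set(b"0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
              b"abcdefghijklmnopqrstuvwxyz *,-.;=")
SAFE_MIME = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}
MAX_VALUE_LEN = 128        # per-header value byte limit
MAX_SAFELIST_TOTAL = 1024  # aggregate limit over all safelisted values


def mime_essence(value: bytes):
    """Simplified MIME essence: 'type/subtype' before the first ';', lowercased.
    The real MIME Sniffing parser is stricter; this is enough for the demo."""
    essence = value.split(b";", 1)[0].strip().lower()
    if essence.count(b"/") != 1 or essence.startswith(b"/") or essence.endswith(b"/"):
        return None
    return essence.decode("ascii", "replace")


def is_cors_safelisted_request_header(name: bytes, value: bytes) -> bool:
    """Per-header check: only four names qualify, each with a value rule."""
    if len(value) > MAX_VALUE_LEN:
        return False
    lname = name.lower()
    if lname == b"accept":
        return not any(b in CORS_UNSAFE_BYTES for b in value)
    if lname in (b"accept-language", b"content-language"):
        return all(b in LANG_OK for b in value)
    if lname == b"content-type":
        if any(b in CORS_UNSAFE_BYTES for b in value):
            return False
        return mime_essence(value) in SAFE_MIME
    return False


def cors_unsafe_request_header_names(headers):
    """Return the sorted lowercase header names that would need a preflight."""
    unsafe, maybe_safe, total = set(), [], 0
    for name, value in headers:
        if is_cors_safelisted_request_header(name, value):
            maybe_safe.append(name.lower())
            total += len(value)
        else:
            unsafe.add(name.lower())
    if total > MAX_SAFELIST_TOTAL:  # cap reached: safelist nothing at all
        unsafe.update(maybe_safe)
    return sorted(n.decode("ascii", "replace") for n in unsafe)
```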