Adam Rice
Thanks @marcoscaceres. I don't have a particular preference, so whichever way is less overhead is best. This spec doesn't require much attention, so any overhead is likely to form a...
> 4. We have done this successfully with XMLHttpRequest and this works for many scenarios, but now service workers are required, thus Fetch is required. Out of curiosity, how did...
There's a danger of us missing important ports because they're not used on the public internet. For example, 3128, a common proxy port, is not on the above list. I...
A preflight could protect vulnerable endpoints, but it couldn't protect vulnerable middleboxes, because in the Slipstream attack the server is also malicious and so can handle the preflight correctly.
@nightpool I agree that NAT firewalls should fix their bugs, but it will be a very long time before all the deployed devices have been replaced. In the meantime, new...
> Would this mean that the allowlist couldn't be expanded since we could similarly never know if it's safe to allow any currently blocked port? Yes, I think we would...
Interesting. My impression is that these features are not very useful on the browser-side. I wonder if ServiceWorkers would benefit? It's hard to commit resources to something that doesn't directly...
Blocking new ports creates a lot of work for enterprise users. I'd rather not do it without clear evidence of a risk.
Sorry for being slow, I haven't found evidence of extensive use of these ports that would worry me, but I want to do a bit more research.
Chrome's network stack has similar issues to those described by @wanderview in https://github.com/whatwg/fetch/issues/722#issuecomment-413559634. The code that adds the headers based on the flags is deep inside the network stack: https://cs.chromium.org/chromium/src/net/http/http_network_transaction.cc?type=cs&q=HttpNetworkTransaction::BuildRequestHeaders&g=0&l=1090....