trace-context icon indicating copy to clipboard operation
trace-context copied to clipboard

Published 20 hours ago verified publisher icon w3c

Requirements for CORS safe-list

Open dyladan opened this issue 5 years ago • 3 comments
trafficstars

The CORS safelist is very tightly restricted. There are currently only 4 safe headers

  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type

Even those are tightly restricted.

  • For Accept-Language and Content-Language: can only have values consisting of 0-9A-Za-z, space or *,-.;=.
  • For Accept and Content-Type: can't contain a CORS-unsafe request header byte: "():<>?@[\]{}, Delete, Tab and control characters: 0x00 to 0x19.
  • For Content-Type: needs to have a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencodedmultipart/form-data, or text/plain.
  • For any header: the value’s length can't be greater than 128.
  • The length of all header values combined can't be greater than 1024

The last 2 restrictions are the ones that I think are the biggest issues

dyladan avatar Mar 27 '20 18:03 dyladan

Let's follow-up with a proposal to https://fetch.spec.whatwg.org/

danielkhan avatar Mar 27 '20 20:03 danielkhan

Regarding CORS safe-list, there's already a proposal: https://github.com/whatwg/fetch/issues/911

hmdhk avatar Oct 22 '20 13:10 hmdhk

Consensus is currently that this is very unlikely to happen, ever. We might want to revisit it at some time in the (far-ish) future if we see the header has become much more popular than it is today.

basti1302 avatar Nov 16 '21 20:11 basti1302