Requirements for CORS safe-list

[dyladan]

The CORS safelist is very tightly restricted. There are currently only 4 safe headers

• Accept
• Accept-Language
• Content-Language
• Content-Type

Even those are tightly restricted.

• For Accept-Language and Content-Language: can only have values consisting of 0-9, A-Z, a-z, space or *,-.;=.
• For Accept and Content-Type: can't contain a CORS-unsafe request header byte: "():<>?@[\]{}, Delete, Tab and control characters: 0x00 to 0x19.
• For Content-Type: needs to have a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain.
• For any header: the value’s length can't be greater than 128.
• The length of all header values combined can't be greater than 1024

The last 2 restrictions are the ones that I think are the biggest issues

[danielkhan]

Let's follow-up with a proposal to https://fetch.spec.whatwg.org/

[hmdhk]

Regarding CORS safe-list, there's already a proposal: https://github.com/whatwg/fetch/issues/911

[basti1302]

Consensus is currently that this is very unlikely to happen, ever. We might want to revisit it at some time in the (far-ish) future if we see the header has become much more popular than it is today.