Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The guard of headers created from no-cors request #1074

Closed
yutakahirano opened this issue Aug 18, 2020 · 3 comments · Fixed by #1076
Closed

The guard of headers created from no-cors request #1074

yutakahirano opened this issue Aug 18, 2020 · 3 comments · Fixed by #1076
Assignees
@jakearchibald
Labels
topic: api

Comments

@yutakahirano
Copy link
Member

In https://fetch.spec.whatwg.org/#dom-request, we set request's headers guard to "request" if init is empty, even when created from a no-cors request. This allows web developers to modify headers that are not CORS-safelisted.

This seems like a spec bug.

See also: #560

@youennf @annevk @jakearchibald
@yutakahirano yutakahirano changed the title The guard of headers created from no-cors The guard of headers created from no-cors request Aug 18, 2020
@annevk
Copy link
Member

annevk commented Aug 18, 2020

@jakearchibald do you want to fix this?

@jakearchibald jakearchibald self-assigned this Aug 18, 2020
@jakearchibald
Copy link
Collaborator

Yeah I can take this

jakearchibald added a commit that referenced this issue Aug 18, 2020
@jakearchibald
Set request header's guard if no-cors
80ac3c1 
Fixes #1074
@jakearchibald jakearchibald mentioned this issue Aug 18, 2020
Merged
@jakearchibald
Copy link
Collaborator

PR #1076

annevk pushed a commit that referenced this issue Aug 18, 2020
@jakearchibald
Request header's guard should be set, even if there's no init
596a524 
Fixes #1074.

(This regressed in #560.)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jakearchibald jakearchibald

Labels
topic: api
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Set request header's guard if no-cors whatwg/fetch
3 participants
@jakearchibald @annevk @yutakahirano