
Requirements for CORS safe-list #405

Open
dyladan opened this issue Mar 27, 2020 · 3 comments
Comments

dyladan (Member) commented Mar 27, 2020

The CORS safelist is very tightly restricted. There are currently only 4 safe headers:

  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type

Even those are tightly restricted.

  • For Accept-Language and Content-Language: can only have values consisting of 0-9A-Za-z, space or *,-.;=.
  • For Accept and Content-Type: can't contain a CORS-unsafe request header byte: "():<>?@[\]{}, Delete, Tab and control characters: 0x00 to 0x19.
  • For Content-Type: needs to have a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain.
  • For any header: the value’s length can't be greater than 128.
  • The length of all header values combined can't be greater than 1024.

The last 2 restrictions are the ones that I think are the biggest issues.
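As an added illustration (not code from the Trace Context project or from this thread), the following JavaScript checker implements the safelist rules listed above as the Fetch Standard defines them: the per-header value check, the CORS-unsafe byte set (where 0x09 HT is the one control byte the spec permits), and the spec's "CORS-unsafe request-header names" algorithm that applies the combined 1024-byte limit. The MIME-type parse is simplified to "text before the first semicolon, trimmed and lower-cased" (an assumption; the spec runs its full MIME parser), and the sample header list at the bottom is constructed for the demo.

```javascript
// Added example: CORS-safelisted request-header checks per https://fetch.spec.whatwg.org/
// (not the Trace Context project's code). The MIME parse is a labelled simplification.

// Bytes that are never allowed in a safelisted Accept or Content-Type value.
const UNSAFE_PUNCTUATION = new Set('"():<>?@[\\]{}'.split('').map((c) => c.charCodeAt(0)));

// A CORS-unsafe request-header byte: a control byte below 0x20 other than 0x09 HT,
// 0x7F DEL, or one of the punctuation bytes above.
function isCorsUnsafeRequestHeaderByte(byte) {
  return (byte < 0x20 && byte !== 0x09) || byte === 0x7f || UNSAFE_PUNCTUATION.has(byte);
}

const encoder = new TextEncoder();

// Header values are byte sequences in the spec, so lengths are measured in UTF-8 bytes.
function byteLength(value) {
  return encoder.encode(value).length;
}

function hasCorsUnsafeByte(value) {
  return encoder.encode(value).some(isCorsUnsafeRequestHeaderByte);
}

// Accept-Language / Content-Language: only 0-9, A-Z, a-z, space and * , - . ; =
const LANGUAGE_VALUE = /^[0-9A-Za-z *,\-.;=]*$/;

const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Assumption: simplified MIME "essence" extraction (type/subtype before any ';').
function mimeEssence(value) {
  const essence = value.split(';', 1)[0].trim().toLowerCase();
  return /^[^\s/]+\/[^\s/]+$/.test(essence) ? essence : null;
}

// Returns true when (name, value) is a CORS-safelisted request-header.
function isCorsSafelistedRequestHeader(name, value) {
  if (byteLength(value) > 128) return false;
  switch (name.toLowerCase()) {
    case 'accept':
      return !hasCorsUnsafeByte(value);
    case 'accept-language':
    case 'content-language':
      return LANGUAGE_VALUE.test(value);
    case 'content-type': {
      if (hasCorsUnsafeByte(value)) return false;
      const essence = mimeEssence(value);
      return essence !== null && SAFE_CONTENT_TYPES.has(essence);
    }
    default:
      return false; // anything else (e.g. traceparent) forces a preflight
  }
}

// The spec's "CORS-unsafe request-header names": sorted, lower-cased, de-duplicated
// names that would trigger a preflight. Safelisted headers join the list too once
// their combined value size exceeds 1024 bytes.
function corsUnsafeRequestHeaderNames(headers) {
  const unsafe = [];
  const potentiallyUnsafe = [];
  let safelistValueSize = 0;
  for (const [name, value] of headers) {
    if (!isCorsSafelistedRequestHeader(name, value)) {
      unsafe.push(name.toLowerCase());
    } else {
      potentiallyUnsafe.push(name.toLowerCase());
      safelistValueSize += byteLength(value);
    }
  }
  if (safelistValueSize > 1024) unsafe.push(...potentiallyUnsafe);
  return [...new Set(unsafe)].sort();
}

// Constructed sample request headers (the traceparent value is a placeholder, not a real trace).
const SAMPLE_HEADERS = [
  ['Content-Type', 'text/plain; charset=utf-8'],
  ['Accept-Language', 'en-US,en;q=0.9'],
  ['traceparent', '00-' + '1'.repeat(32) + '-' + '2'.repeat(16) + '-01'],
];

console.log(corsUnsafeRequestHeaderNames(SAMPLE_HEADERS));
```

For the sample list the result is `['traceparent']`: the two safelisted headers pass, and only the tracing header would trigger a preflight. The size rules bite independently of the name: nine safelisted headers of 128 bytes each add up to more than 1024 bytes and every one of them is then reported as unsafe, which is why the last two restrictions are the awkward part of any safelisting proposal.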

@plehegar added the "security-tracker" label (Group bringing to attention of security, or tracked by the security Group but not needing response) Mar 27, 2020
@danielkhan added this to the "7. level-2" milestone Mar 27, 2020
danielkhan (Contributor) commented:

Let's follow up with a proposal to https://fetch.spec.whatwg.org/

hmdhk commented Oct 22, 2020

Regarding CORS safe-list, there's already a proposal: whatwg/fetch#911

basti1302 (Contributor) commented:

Consensus is currently that this is very unlikely to happen, ever. We might want to revisit it at some time in the (far-ish) future if we see the header has become much more popular than it is today.

@basti1302 removed the "security-tracker" (Group bringing to attention of security, or tracked by the security Group but not needing response) and "workshop-fall-2020" labels Nov 16, 2021