(The implementation CL <https://chromium-review.googlesource.com/c/chromium/src/+/3226283> is under review. This intent is written as if it has landed.)

Contact emails
yhir...@chromium.org

Specification
https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name

Summary
A CORS non-wildcard request header[1] is an HTTP request header that is not covered by the wildcard symbol ("*") in the Access-Control-Allow-Headers response header. "authorization" is the only CORS non-wildcard request-header name. Currently we treat the header like any other header, which is problematic for security reasons. This intent implements the spec behavior and changes the current behavior.

1: https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name

Blink component
Blink>SecurityFeature>CORS <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECORS>

TAG review
Not needed because this implements an existing feature.

TAG review status
Not applicable

Risks

Interoperability and Compatibility
Interoperability risk is low because Mozilla and Apple have shown an intent to implement this behavior. There is some compatibility risk, as the use counter[2] shows that 0.04% of websites would be affected. To mitigate the risk, we have shown a deprecation message for a few milestones. We have an enterprise policy so that administrators can keep the existing behavior. We're planning to remove the policy in Chrome 103.

2: https://www.chromestatus.com/metrics/feature/popularity#AuthorizationCoveredByWildcard

Gecko: Positive
Firefox showed a positive signal in a private thread.

WebKit: Positive
Apple showed a positive signal in a private thread.

Web developers: No signals

Debuggability
We'll show a CORS error in the DevTools console.

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/master/docs/testing/web_platform_tests.md>?
Yes

Flag name
CorsNonWildcardRequestHeadersSupport

Requires code in //chrome?
False (or True only for the enterprise policy.)

Tracking bug
https://crbug.com/1176753

Estimated milestones
97

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5742041264816128

--
You received this message because you are subscribed to the Google Groups "blink-dev" group. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CABihn6G2mzUAH_Ghrqmb1xM7XetfKgB%3DMUkX0DED7yWbL4JfGg%40mail.gmail.com.
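As an added example (not code from the CL or from Chromium), the following JavaScript models the Access-Control-Allow-Headers check of the CORS-preflight fetch algorithm, including the non-wildcard rule this intent implements: "*" covers ordinary unsafe headers on a non-credentialed request, but Authorization must be listed by name. The name-only safelist and the `legacy` flag (a stand-in for the pre-change behavior the enterprise policy preserves) are simplifications assumed for illustration.

```javascript
// Added example: models the preflight header check from the Fetch spec's
// CORS-preflight fetch algorithm. Not Chromium code.

const NON_WILDCARD_REQUEST_HEADERS = new Set(["authorization"]);
// Assumed simplification: the spec's safelist also constrains header values;
// here only the names are checked.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);

// Parse a comma-separated Access-Control-Allow-Headers value into a Set of
// lowercase names. A missing header yields an empty set.
function parseAllowHeaders(value) {
  if (value === null || value === undefined) return new Set();
  return new Set(
    value.split(",").map((s) => s.trim().toLowerCase()).filter((s) => s !== ""),
  );
}

// Returns true when the preflight response permits every header the request
// carries. credentialsMode is "include", "same-origin" or "omit".
// legacy=true reproduces the old behavior where "*" also covered Authorization
// (the behavior the enterprise policy keeps; hypothetical flag).
function preflightHeadersAllowed(allowHeadersValue, requestHeaderNames, credentialsMode, legacy = false) {
  const headerNames = parseAllowHeaders(allowHeadersValue);
  // "*" is only a wildcard when the request is not credentialed.
  const wildcard = credentialsMode !== "include" && headerNames.has("*");
  for (const raw of requestHeaderNames) {
    const name = raw.toLowerCase();
    // New rule: a CORS non-wildcard request header must be listed explicitly.
    if (!legacy && NON_WILDCARD_REQUEST_HEADERS.has(name) && !headerNames.has(name)) return false;
    // Safelisted headers never need to be listed.
    if (SAFELISTED.has(name)) continue;
    // Other unsafe headers are covered by an explicit entry or by "*".
    if (!headerNames.has(name) && !wildcard) return false;
  }
  return true;
}
```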