-
Notifications
You must be signed in to change notification settings - Fork 331
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Expose Content-Length header in CORS requests #622
Comments
For my own clarity, the suggestion is that we'd add this to the list of CORS-safelisted response-header names, so that it would be exposed on filtered responses without the server opting-in via |
I'd find this quite useful as well. +1. |
@mikewest yes. |
Sounds reasonable to me as well. |
@benjamingr are you interested in writing a PR for this and perhaps even corresponding changes to web-platform-tests? |
(To be clear, I think this has enough support from implementers to be merged.) |
@annevk sure, I'll go right ahead. I apologize in advance about getting the PR wrong :) |
I'm unclear why we're adding more cross-origin information leaks to the platform :( |
@domenic you're concerned about a server having |
I think so, although maybe I'm not fully understanding? In general I'm concerned with any movement away from a model where getting information cross-origin requires opt-in from the cross-origin target server. |
@domenic this is specifically for content length in a CORS request, this is useful for video players who can then decide whether or not to download a video segment via If you'd like I can add more motivating examples. It currently leaks anyway, but in a hacky way. |
I think I was misunderstanding the situation because of my confusion between "CORS request" and "cross origin request". This is probably fine, and I didn't mean to second-guess security folks anyway, just understand better. |
As discussed with @annevk on IRC. (thanks again for the direction)
Currently Chrome and IE (but not Firefox) expose
e.total
onProgressEvent
s. This was discussed in #284.The value of
Content-Length
is very valuable onHEAD
requests. We sometimes makeHEAD
requests to resources in order to choose whether or not they are prohibitively expensive for the client to download or not - or to make smart decisions about downloading them.Currently this is possible (due to
ProgressEvent
s on Chrome) but not Firefox - I think we should safelist theContent-Length
header in CORS requests.The text was updated successfully, but these errors were encountered: