Disallow "hop-by-hop" headers in `request_headers` and `response_headers`
chlily1 opened this issue · 0 comments
chlily1 commented
Certain "hop-by-hop" headers (such as Proxy-Authenticate and Proxy-Authorization) are generally not visible to the destination server (e.g. they are stripped out by a proxy). Allowing origins to request their values via the request_headers and response_headers fields of a NEL report would violate the principle that NEL reports are meant to only contain information that would be available to the destination server.
Should there be a blacklist of headers whose values must not be sent in NEL reports? For example, RFC 2068 lists the following headers as "hop-by-hop":
ConnectionKeep-AlivePublicProxy-AuthenticateTransfer-EncodingUpgrade