Disallow "hop-by-hop" headers in `request_headers` and `response_headers`
chlily1 opened this issue · 0 comments
chlily1 commented
Certain "hop-by-hop" headers (such as `Proxy-Authenticate` and `Proxy-Authorization`) are generally not visible to the destination server (e.g. they are stripped out by a proxy). Allowing origins to request their values via the `request_headers` and `response_headers` fields of a NEL report would violate the principle that NEL reports are meant to only contain information that would be available to the destination server.
Should there be a blacklist of headers whose values must not be sent in NEL reports? For example, RFC 2068 lists the following headers as "hop-by-hop":
Connection
Keep-Alive
Public
Proxy-Authenticate
Transfer-Encoding
Upgrade
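As an added example (not code from the NEL spec or from this issue's author), the following shows how a user agent could apply such a blacklist when assembling the `request_headers` / `response_headers` portion of a report. It blocks the RFC 2068 hop-by-hop names quoted above plus `Proxy-Authorization`, which the issue also names, and goes one step beyond the page by also treating any header token listed in the `Connection` header as hop-by-hop (RFC 7230 section 6.1). The `buildReportHeaders` / `blockedHeaderNames` / `getHeader` function names, the name-to-value object representation of headers, and the sample headers are all assumptions made for this example.

```javascript
// Added example: keep hop-by-hop headers out of a NEL report's
// request_headers / response_headers. Not the NEL spec's own code.

// Hop-by-hop header names from RFC 2068, as quoted in the issue.
const RFC2068_HOP_BY_HOP = [
  "Connection", "Keep-Alive", "Public", "Proxy-Authenticate",
  "Transfer-Encoding", "Upgrade",
];
// Proxy-Authorization is also named in the issue as a header the
// destination server generally never sees.
const EXTRA_HOP_BY_HOP = ["Proxy-Authorization"];

// Static blacklist, normalized to lowercase (header names are case-insensitive).
const HOP_BY_HOP = new Set(
  [...RFC2068_HOP_BY_HOP, ...EXTRA_HOP_BY_HOP].map((n) => n.toLowerCase()),
);

// Case-insensitive lookup in a plain name -> value header object (assumed
// representation for this example).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [k, v] of Object.entries(headers)) {
    if (k.toLowerCase() === wanted) return v;
  }
  return undefined;
}

// Names that must not be copied into a report: the static blacklist plus every
// token the Connection header itself declares hop-by-hop (RFC 7230 section 6.1).
function blockedHeaderNames(headers) {
  const blocked = new Set(HOP_BY_HOP);
  const connection = getHeader(headers, "Connection");
  if (typeof connection === "string") {
    for (const token of connection.split(",")) {
      const t = token.trim().toLowerCase();
      if (t) blocked.add(t);
    }
  }
  return blocked;
}

// `requested`: header names an origin asked for via a NEL policy's
// request_headers or response_headers array.
// `headers`: the headers the user agent actually observed.
// Returns { included: name -> value, rejected: [names refused by the filter] }.
// Requested headers that are simply absent are neither included nor rejected.
function buildReportHeaders(requested, headers) {
  const blocked = blockedHeaderNames(headers);
  const included = {};
  const rejected = [];
  for (const name of requested) {
    if (blocked.has(name.toLowerCase())) {
      rejected.push(name);
      continue;
    }
    const value = getHeader(headers, name);
    if (value !== undefined) included[name] = value;
  }
  return { included, rejected };
}

// Constructed sample response headers (not captured from any real server):
// Connection also marks X-Internal-Route as hop-by-hop.
const sampleResponseHeaders = {
  "Content-Type": "text/html",
  "Proxy-Authenticate": 'Basic realm="proxy"',
  "Connection": "close, X-Internal-Route",
  "X-Internal-Route": "edge-7",
  "Transfer-Encoding": "chunked",
};

// Constructed sample of what an origin's NEL policy might request.
const sampleRequested = [
  "Content-Type", "Proxy-Authenticate", "X-Internal-Route",
  "Transfer-Encoding", "Server",
];

// Stand-alone run: only Content-Type survives; Server is absent so it is
// silently omitted rather than rejected.
console.log(JSON.stringify(buildReportHeaders(sampleRequested, sampleResponseHeaders)));
```

The filter is applied at report-assembly time rather than at policy-parse time so that headers named only via `Connection` (which vary per response) are caught as well as the fixed list.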