Requirements for CORS safe-list

Question

Requirements for CORS safe-list

Opened this issue 5 years ago · 3 comments

dyladan commented 5 years ago

The CORS safelist is very tightly restricted. There are currently only 4 safe headers

Accept
Accept-Language
Content-Language
Content-Type

Even those are tightly restricted.

For Accept-Language and Content-Language: can only have values consisting of 0-9, A-Z, a-z, space or *,-.;=.
For Accept and Content-Type: can't contain a CORS-unsafe request header byte: "():<>?@[\]{}, Delete, Tab and control characters: 0x00 to 0x19.
For Content-Type: needs to have a MIME type of its parsed value (ignoring parameters) of either application/x-www-form-urlencoded, multipart/form-data, or text/plain.
For any header: the value’s length can't be greater than 128.
The length of all header values combined can't be greater than 1024

The last 2 restrictions are the ones that I think are the biggest issues

Answer 1 · 2020-03-27T20:07:19.000Z

Let's follow-up with a proposal to https://fetch.spec.whatwg.org/

Answer 2 · 2020-10-22T13:45:34.000Z

Regarding CORS safe-list, there's already a proposal: whatwg/fetch#911

Answer 3 · 2021-11-16T20:41:47.000Z

Consensus is currently that this is very unlikely to happen, ever. We might want to revisit it at some time in the (far-ish) future if we see the header has become much more popular than it is today.