Hide range header values on no-cors requests #1937

Draft
jakearchibald wants to merge 6 commits into main from jakearchibald/obscure-range-header-value

@jakearchibald jakearchibald commented Jun 23, 2026

Collaborator

Fixed #1936

The rest of the form is TODO.

  • At least two implementers are interested (and none opposed):
  • Tests are written and can be reviewed and commented upon at:
  • Implementation bugs are filed:
    • Chromium: …
    • Gecko: …
    • WebKit: …
    • Deno (not for CORS changes): …
  • MDN issue is filed: …
  • The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)


Preview | Diff

Comment thread fetch.bs
<li><p>If <a>this</a>'s <a for=Headers>guard</a> is "<code>request-no-cors</code>", <var>name</var>
is not a <a>no-CORS-safelisted request-header name</a>, and <var>name</var> is not a
<a>privileged no-CORS request-header name</a>, then return.
is not a <a>no-CORS-safelisted request-header name</a>, then return.
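Review bot: dropping the `privileged no-CORS request-header name` test from this step (the final line keeps only the no-CORS-safelisted check) changes what script can do under the "request-no-cors" guard, and nothing in the step text says so. Consider adding a short non-normative note beside the step stating that any name outside the no-CORS safelist now causes an early return, and list a test for that case under the PR's tests item, which is still empty.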

@jakearchibald jakearchibald Jun 23, 2026

Collaborator Author


This is a behaviour/capability change. Previously you could remove the range from a range request. Now you cannot.

I could make this work, but it seems weird that you can remove a header that doesn't appear to be there (would we fake has too?).

You can remove the range header by modifying some other header - even if you set it back to its original value.

Fwiw this wouldn't be an issue if we returned a fake value. Although that may have other issues.
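The behaviour change described in the comment above, as a simplified JavaScript model added here (it is not part of the PR or of the Fetch Standard's text). `ModelHeaders`, `allowPrivileged` and `rangeSurvives` are hypothetical names; the two header-name sets are assumed from the Fetch Standard's definitions, and header value validation is omitted.

```javascript
// Simplified model of a Headers object whose guard is "request-no-cors".
// Assumption: these sets mirror the Fetch Standard's definitions.
const NO_CORS_SAFELISTED = new Set([
  "accept", "accept-language", "content-language", "content-type",
]);
const PRIVILEGED_NO_CORS = new Set(["range"]);

class ModelHeaders {
  // allowPrivileged = true models the step before this PR, false after it.
  constructor(entries, allowPrivileged) {
    this.list = new Map(entries.map(([n, v]) => [n.toLowerCase(), v]));
    this.allowPrivileged = allowPrivileged;
  }
  // Models "remove privileged no-CORS request-headers", run after any change.
  stripPrivileged() {
    for (const n of PRIVILEGED_NO_CORS) this.list.delete(n);
  }
  delete(name) {
    const n = name.toLowerCase();
    const privilegedOk = this.allowPrivileged && PRIVILEGED_NO_CORS.has(n);
    // The guard step touched by the diff: return early unless the name is allowed.
    if (!NO_CORS_SAFELISTED.has(n) && !privilegedOk) return;
    if (!this.list.has(n)) return;
    this.list.delete(n);
    this.stripPrivileged();
  }
  set(name, value) {
    const n = name.toLowerCase();
    if (!NO_CORS_SAFELISTED.has(n)) return;
    this.list.set(n, value);
    this.stripPrivileged();
  }
}

// Builds a constructed range request, applies `action`, reports whether Range is still present.
function rangeSurvives(allowPrivileged, action) {
  const h = new ModelHeaders(
    [["Accept", "*/*"], ["Range", "bytes=0-99"]], // constructed sample headers
    allowPrivileged,
  );
  action(h);
  return h.list.has("range");
}
```

In this model a direct `delete("Range")` removes the header only with the old step, while re-setting `Accept` to its existing value strips `Range` under both variants.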


Development

Successfully merging this pull request may close these issues.

Hide range values from no-cors cross-origin range requests
