Add safelisted cors header subfeature #9456
Conversation
github-actions
bot
added
the
data:http 🚠
There was a problem hiding this comment.
Apart from a couple very minor things in line comments, I think this looks reasonable in terms of data and structure. But since there's something novel in the structure of this…
@Elchi3 would you mind giving this a glance? It's not a huge thing, but this is going to lead to several new features with a common naming scheme and I'd like another owner perspective.
|
LGTM! I'm not sure it is needed to add this to all headers that had this from the beginning, though. |
Then how would you know that a header was compatible or not from the data? i.e. if Cache-Control does not have the feature that might indicate that it isn't compatible at all.
It doesn't. Where this helps is for Content-Length and any other future header that gets added to the list. If this goes in though, you could in theory decide to autogenerate the info in the docs from the compatibility table. It is completely reasonable to argue that this feature is only affecting one header and we might as well just have a note in the docs. But for me this seems like the purpose of the compatibility table. Up to you guys. |
Co-authored-by: Daniel D. Beck <daniel@ddbeck.com>
Co-authored-by: Daniel D. Beck <daniel@ddbeck.com>
In my view, the compat table communicates what doesn't work. It is not there to communicate everything that works.
Right, when support is added after a feature initially ships, there is a usually a sub feature in BCD: So, safe listed CORS header makes a lot of sense for Content-Length. Completely agree on this case. |
|
Thanks for the discussion here, @hamishwillee and @Elchi3. This has been clarifying, I think. After reading it, I think this PR can be reduced to the |
This will work - anyone coming to Anyway, thanks guys. Changed as suggested. |
Fixes #9300
@ddbeck As we discussed in #9300 this is update adds subfeature for "CORS response header safelist" for two response headers as a test (on completion this will cover all the headers
The
Content-Lengthupdate is the interesting one, which adds the browser versions at which the header joined the list. The linked item covers the versioning discussion except for Safari. I have marked that asfalsebecause it is still in the technology preview: https://developer.apple.com/safari/technology-preview/release-notes/The
Cache-Controlis what all the other ones will look like. Essentially it just copies the version info from the parent - my assumption being that the header and the safelist came at the same time. This is reasonable, because most of these headers just saytruefor version anyway.If you're OK with the approach/text I will roll out to the other headers in the list.