Accept 'sec-'-prefixed headers as CORS-safelisted.

mikewest · mikewest · commit 9c64c16c3e58 · 2020-02-14T10:06:56.000+01:00
As discussed in #993.
diff --git a/fetch.bs b/fetch.bs
@@ -708,7 +708,11 @@ production as
  <li><p>Let <var>value</var> be <var>header</var>'s <a for=header>value</a>.
 
  <li>
-  <p><a>Byte-lowercase</a> <var>header</var>'s <a for=header>name</a> and switch on the result:
+  <p>Let <var>name</var> be the result of <a>byte-lowercasing</a> <var>header</var>'s
+  <a for=header>name</a>.
+
+ <li>
+  <p>Switch on <var>name</var>:
 
   <dl class=switch>
    <dt>`<code>accept</code>`
@@ -760,7 +764,12 @@ fetch("https://victim.example/naïve-endpoint", {
     </div>
 
    <dt>Otherwise
-   <dd><p>Return false.
+   <dd>
+    <p>If <var>name</var> does not begin with the string "<code>sec-</code>", return false.
+
+    <p class=note>As all headers beginning with "<code>Sec-</code>" are <a>forbidden header
+    names</a>, we have some confidence that they're generated by the user agent, and not via APIs
+    that developers directly control.
   </dl>
 
  <li><p>If <var>value</var>'s <a for="byte sequence">length</a> is greater than 128, then return
