Contact emails
ari...@chromium.org, yoav...@chromium.org
Specification
https://fetch.spec.whatwg.org/#cors-safelisted-request-header
https://wicg.github.io/netinfo/#networkinformation-interface
Summary
Our CORS implementation maintains a safelist of all permitted headers, and this list includes not only all headers in the spec but also all client hint headers. There appears to have been an oversight that omitted the network quality client hint headers from this list. These are `rtt`, `downlink`, and `ect`.
Motivation
This is really just a bugfix, but I wanted to give the community a heads-up that I intend to resolve this oversight. Thanks to Cloudinary for notifying us of this issue.
Risks
We currently allow XHR to modify client hint headers that don't start with `sec-` in CORS requests, even though they are safelisted. This change won't resolve that, but that issue is the next one to be addressed after this goes in.
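As an added illustration (not Chromium's code) of the safelist behaviour described in the Summary and Risks sections, the following models the Fetch spec's CORS-safelisted request-header rules plus a client-hint extension, and shows which headers force a preflight before and after the three network quality hints are added. The client-hint set before the fix and the value rule applied to hints are assumptions made for the example.

```javascript
// Model of the Fetch "CORS-safelisted request-header" check (added example).
const SAFE_MIME = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);
// Client hint headers assumed to be on the safelist before the fix (illustrative
// subset, an assumption); the three network quality hints are what the bugfix adds.
const CLIENT_HINTS_BEFORE_FIX = new Set(["device-memory", "dpr", "viewport-width", "width"]);
const NETWORK_QUALITY_HINTS = ["rtt", "downlink", "ect"];
// A "CORS-unsafe request-header byte" per the Fetch spec.
const UNSAFE_BYTE = /[\x00-\x08\x0a-\x1f"():<>?@\[\\\]{}\x7f]/;

// Returns true when `name: value` may be sent cross-origin without a preflight.
// `fixed` selects the safelist with the network quality hints included.
function isCorsSafelistedRequestHeader(name, value, { fixed = false } = {}) {
  name = name.toLowerCase();
  // Spec rule: a safelisted value may be at most 128 bytes long.
  if (new TextEncoder().encode(value).length > 128) return false;
  const hints = new Set(CLIENT_HINTS_BEFORE_FIX);
  if (fixed) NETWORK_QUALITY_HINTS.forEach((h) => hints.add(h));
  // Client hints: only the generic byte rule is applied here (assumption).
  if (hints.has(name)) return !UNSAFE_BYTE.test(value);
  switch (name) {
    case "accept":
      return !UNSAFE_BYTE.test(value);
    case "accept-language":
    case "content-language":
      // Only 0-9, A-Z, a-z, space, and *,-.;= are allowed.
      return /^[0-9A-Za-z *,\-.;=]*$/.test(value);
    case "content-type": {
      if (UNSAFE_BYTE.test(value)) return false;
      // The MIME essence (type/subtype without parameters) must be one of three.
      const essence = value.split(";")[0].trim().toLowerCase();
      return SAFE_MIME.has(essence);
    }
    default:
      // `range` is omitted from this model; every other header needs a preflight.
      return false;
  }
}

// True when the request cannot be sent without an OPTIONS preflight.
function needsPreflight(headers, opts) {
  return Object.entries(headers).some(([n, v]) => !isCorsSafelistedRequestHeader(n, v, opts));
}
```

With the pre-fix list, a request carrying `rtt`, `downlink` or `ect` is forced through a preflight; with `fixed: true` the same request goes out directly, which is the behaviour the intent restores.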
Blink component
Debuggability
WPTs were added in addition to a unit test to demonstrate usage.
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1375854
Estimated milestone
M109