Commit
As per whatwg/fetch#1453, the "Set-Cookie" header is added to the list of forbidden request header names in the Fetch spec. This is because the "Set-Cookie" header is semantically a response header, so it is not useful on requests, and we want to avoid leaking the complexity of handling them in requests. This CL implements this change.

The impact of this change was already verified using a UseCounter [1], which showed that the % of pages that set a "set-cookie" header on an outbound fetch request hovers around 0.0003%. Additionally, the two popular domains that set a "set-cookie" header on request headers continue to work even when all outbound "set-cookie" headers were removed [2]. Hence, this change was deemed to be safe to make.

Some tests depended on the assumption that there are no overlapping header names for forbidden request and response headers, which made tests fail as 'Set-Cookie' exists in both lists of forbidden names now. This has been fixed in this CL by finding the non-overlapping header names.

As this change is sufficiently small, an intent to ship is not being sent, but the enterprise team were notified to include this in the release notes and a PSA to blink-dev was also sent [3].

[1] https://chromestatus.com/metrics/feature/timeline/popularity/4152
[2] whatwg/fetch#973 (comment)
[3] https://groups.google.com/a/chromium.org/g/blink-dev/c/SyHAsPfO004

Bug: 1337091
Change-Id: Idf8ffd9c1169e5b9045c5a7e282c4fbdda00f550
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3709684
Reviewed-by: Yutaka Hirano <[email protected]>
Reviewed-by: Shakti Sahu <[email protected]>
Commit-Queue: Nidhi Jaju <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1016574}
NOKEYCHECK=True
GitOrigin-RevId: d77381726e0abdf260324bde656ff37620199f87
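The following is an added illustration, not code from this Chromium CL or from the Fetch spec: a small JavaScript model of the spec's "forbidden request-header" and "forbidden response-header" checks once Set-Cookie is on both lists, the silent drop that a request-guarded `Headers` object applies to such names, and the "non-overlapping names" computation the commit message says the tests had to switch to. The header lists are reproduced from my reading of the Fetch spec as it stood around this change and are an assumption; the function names (`isForbiddenRequestHeader`, `filterRequestHeaders`, `nonOverlappingForbiddenNames`) are mine and do not correspond to identifiers in Chromium.

```javascript
// Added example (not Chromium's or the Fetch spec's own code).
// ASSUMPTION: the header lists below mirror the Fetch spec's forbidden
// request-header and forbidden response-header names as of this change
// (whatwg/fetch#1453 added "set-cookie" to the request list). Check the
// live spec before relying on them.

const FORBIDDEN_REQUEST_HEADER_NAMES = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer",
  "set-cookie", // newly forbidden on requests by whatwg/fetch#1453
  "te", "trailer", "transfer-encoding", "upgrade", "via",
]);

const FORBIDDEN_RESPONSE_HEADER_NAMES = new Set(["set-cookie", "set-cookie2"]);

// Method-override headers are forbidden only when their value smuggles a
// forbidden method (the spec's CONNECT / TRACE / TRACK check).
const METHOD_OVERRIDE_HEADERS = new Set([
  "x-http-method", "x-http-method-override", "x-method-override",
]);
const FORBIDDEN_METHODS = new Set(["connect", "trace", "track"]);

// Header names are matched byte-case-insensitively, so lowercase first.
function isForbiddenRequestHeader(name, value = "") {
  const n = name.toLowerCase();
  if (FORBIDDEN_REQUEST_HEADER_NAMES.has(n)) return true;
  if (n.startsWith("proxy-") || n.startsWith("sec-")) return true;
  if (METHOD_OVERRIDE_HEADERS.has(n)) {
    return value
      .split(",")
      .some((m) => FORBIDDEN_METHODS.has(m.trim().toLowerCase()));
  }
  return false;
}

function isForbiddenResponseHeader(name) {
  return FORBIDDEN_RESPONSE_HEADER_NAMES.has(name.toLowerCase());
}

// Models Headers.append on a Headers object whose guard is "request":
// a forbidden name is dropped silently rather than throwing, which is why
// pages that set Set-Cookie on an outbound fetch keep working after the change.
function filterRequestHeaders(entries) {
  const kept = [];
  const dropped = [];
  for (const [name, value] of entries) {
    const target = isForbiddenRequestHeader(name, value) ? dropped : kept;
    target.push([name.toLowerCase(), value]);
  }
  return { kept, dropped };
}

// Names that appear in exactly one of the two forbidden lists. Tests that
// assumed the lists never overlap need this now that "set-cookie" is in both.
function nonOverlappingForbiddenNames() {
  const requestOnly = [...FORBIDDEN_REQUEST_HEADER_NAMES]
    .filter((n) => !FORBIDDEN_RESPONSE_HEADER_NAMES.has(n)).sort();
  const responseOnly = [...FORBIDDEN_RESPONSE_HEADER_NAMES]
    .filter((n) => !FORBIDDEN_REQUEST_HEADER_NAMES.has(n)).sort();
  const overlap = [...FORBIDDEN_REQUEST_HEADER_NAMES]
    .filter((n) => FORBIDDEN_RESPONSE_HEADER_NAMES.has(n)).sort();
  return { requestOnly, responseOnly, overlap };
}

// Constructed sample input: what a page might pass as a fetch() headers init.
const SAMPLE_REQUEST_HEADERS = [
  ["Set-Cookie", "sid=1"],           // dropped: forbidden on requests now
  ["Content-Type", "text/plain"],    // kept
  ["Cookie", "a=1"],                 // dropped: already forbidden
  ["X-HTTP-Method-Override", "PATCH"], // kept: PATCH is not a forbidden method
];

console.log(filterRequestHeaders(SAMPLE_REQUEST_HEADERS));
console.log(nonOverlappingForbiddenNames());
```

Note that `filterRequestHeaders` drops, rather than rejects, so a caller gets no signal that its Set-Cookie was discarded; that silent behaviour is exactly what made the UseCounter measurement, rather than a thrown error, the right way to assess breakage.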