The request header added to requests that are eligible to write to shared storage via response header ought to be a "forbidden header" according to the Fetch specification, i.e. a header that JS cannot add or modify.
We were using Shared-Storage-Writable as the name of the request header, which was not a forbidden header and could be modified by JS.
This commit updates the explainer to add the prefix Sec- in order to make this header forbidden. The new request header attached to eligible outgoing requests will be Sec-Shared-Storage-Writable: ?1.
We will update the specification draft accordingly in #121.
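A server-side check for the renamed header, as an added example that is not part of this commit or the explainer: it honors only `Sec-Shared-Storage-Writable: ?1` and ignores the old unprefixed name, which script could set. The function names and the sample header lists are assumptions constructed for illustration.

```javascript
// Added example. All names below except the two header names from the
// commit message are hypothetical; sample requests are constructed.
const ELIGIBILITY_HEADER = "sec-shared-storage-writable";

// Fetch forbids script from setting any request header whose name starts
// with "Sec-" or "Proxy-" (case-insensitive). This checks only that prefix
// rule, not the separate list of individually forbidden names.
function hasForbiddenPrefix(name) {
  const n = name.toLowerCase();
  return n.startsWith("sec-") || n.startsWith("proxy-");
}

// Collect every value sent for a header, matching the name case-insensitively.
// rawHeaders is a list of [name, value] pairs as received from the client.
function headerValues(rawHeaders, lowerName) {
  return rawHeaders
    .filter(([k]) => k.toLowerCase() === lowerName)
    .map(([, v]) => v.trim());
}

// Treat the request as write-eligible only when the browser-attached header
// appears exactly once with the structured-field boolean true ("?1").
// Rejecting duplicates is a conservative choice made for this example.
function isWriteEligible(rawHeaders) {
  const values = headerValues(rawHeaders, ELIGIBILITY_HEADER);
  return values.length === 1 && values[0] === "?1";
}

// Constructed sample requests.
const samples = {
  browserAttached: [["Sec-Shared-Storage-Writable", "?1"]],
  legacyNameOnly: [["Shared-Storage-Writable", "?1"]], // script-settable name
  explicitFalse: [["sec-shared-storage-writable", "?0"]],
  duplicated: [
    ["Sec-Shared-Storage-Writable", "?1"],
    ["Sec-Shared-Storage-Writable", "?1"],
  ],
};

for (const [label, headers] of Object.entries(samples)) {
  console.log(label, isWriteEligible(headers));
}
```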