The request header added to requests that are eligible to write to shared storage via response header ought to be a "forbidden header" according to the Fetch specification, i.e. a header that JS cannot add or modify.
We were using Shared-Storage-Writable as the name of the request header, which was not a forbidden header and could be modified by JS.
This commit is a followup to #120 and updates the specification draft to add the prefix Sec- in order to make this header forbidden. The new request header attached to eligible outgoing requests will be Sec-Shared-Storage-Writable: ?1.
The request header added to requests that are eligible to write to shared storage via response header ought to be a "forbidden header" according to the Fetch specification, i.e. a header that JS cannot add or modify.
We were using
Shared-Storage-Writableas the name of the request header, which was not a forbidden header and could be modified by JS.This commit is a followup to #120 and updates the specification draft to add the prefix
Sec-in order to make this header forbidden. The new request header attached to eligible outgoing requests will beSec-Shared-Storage-Writable: ?1.Preview | Diff