NEL: Add request_headers and response_headers
Issue description

https://github.com/w3c/network-error-logging/issues/93 added new "request_headers" and "response_headers" fields to the NEL policy header. This instructs the browser to reflect the values of particular request or response headers in the NEL reports that it generates about a particular origin. This should have minimal security/privacy impact, because the server already has visibility into all request/response headers in the original request, and NEL already has protections in place to ensure that only the server administrator has control over whether NEL reports are created, and if so, where they're sent.
Nov 29
I had filed an Intent to Implement and Ship for this: https://groups.google.com/a/chromium.org/d/topic/blink-dev/nvjV8p_DFM8/discussion We were asked to open a launch/security bug for it before implementing.
Nov 29
Ah ok, thanks. I had missed that.
Jan 15
Hi, checking in to see when this feature will be available
Jan 17
(5 days ago)
Unfortunately it may be a while. We are waiting on a security review before implementing.
Jan 17
(5 days ago)
One consideration may be proxy-related headers (e.g. Proxy-Authorization, Proxy-Authenticate) which are not generally visible to the destination server. If a NEL policy requests info on such request_headers or response_headers, should they really be sent to the destination server's NEL collector?
Comment 1 by chlily@chromium.org, Nov 29
Owner: chlily@chromium.org
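
The proxy-header question raised in the thread, as an added example that is not Chromium code and not written by any participant: a check that flags a NEL policy asking for Proxy-Authorization or Proxy-Authenticate, plus a collector-side scrub of those headers. The function names, the sample policy and the report shape (header name mapped to a list of values) are assumptions made for illustration.

```javascript
// Added example: audit a NEL policy for reflected headers that the
// destination server does not normally see (the proxy-related headers
// raised in the thread). All names here are hypothetical.

// Headers named in the thread; a deployment could extend this list.
const PROXY_HEADERS = new Set(['proxy-authorization', 'proxy-authenticate']);

// Parse the JSON value of a NEL response header and return the header
// names it asks the browser to reflect, lower-cased for comparison.
function requestedHeaders(nelHeaderValue) {
  let policy;
  try { policy = JSON.parse(nelHeaderValue); } catch (e) { return null; }
  if (policy === null || typeof policy !== 'object' || Array.isArray(policy)) return null;
  const pick = (field) =>
    (Array.isArray(policy[field]) ? policy[field] : [])
      .filter((h) => typeof h === 'string')
      .map((h) => h.trim().toLowerCase());
  return { request: pick('request_headers'), response: pick('response_headers') };
}

// Return the requested names that are proxy-related, tagged by direction.
function auditPolicy(nelHeaderValue) {
  const req = requestedHeaders(nelHeaderValue);
  if (req === null) return { valid: false, flagged: [] };
  const flagged = [];
  for (const [dir, names] of Object.entries(req)) {
    for (const n of names) if (PROXY_HEADERS.has(n)) flagged.push(`${dir}:${n}`);
  }
  return { valid: true, flagged };
}

// Assumed report shape: header name -> list of values.
// Drops proxy-related headers before a report is stored or forwarded.
function scrubReportHeaders(headers) {
  const out = {};
  for (const [name, values] of Object.entries(headers || {})) {
    if (!PROXY_HEADERS.has(name.toLowerCase())) out[name] = values;
  }
  return out;
}

// Constructed sample policy (not taken from the page).
const SAMPLE_POLICY = JSON.stringify({
  report_to: 'nel-endpoint', max_age: 3600,
  request_headers: ['If-None-Match', 'Proxy-Authorization'],
  response_headers: ['ETag', 'proxy-authenticate'],
});
console.log(auditPolicy(SAMPLE_POLICY));
```

Header names are compared case-insensitively, so a policy cannot get past the check by changing capitalisation.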