Now that there is not a generic safelist carve-out for all Sec--prefixed request headers, we will need to safelist individual client hints as they become part of the platform.
I believe the best list of current hints is in Client Hints Infrastructure. These are at various stages of consensus/maturity; none of them are currently implemented anywhere besides Chrome. Chrome does not preflight when adding any of them.
Now that there is not a generic safelist carve-out for all
Sec--prefixed request headers, we will need to safelist individual client hints as they become part of the platform.I believe the best list of current hints is in Client Hints Infrastructure. These are at various stages of consensus/maturity; none of them are currently implemented anywhere besides Chrome. Chrome does not preflight when adding any of them.