- From: arturjanc <notifications@github.com>
- Date: Sun, 08 Apr 2018 21:24:02 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Sunday, 8 April 2018 21:25:04 UTC
Regarding tying `From-Origin` protections to the absence of cross-origin/site frames: this seems like it would significantly limit the utility of the mechanism, leading to most applications not being able to deploy it. Note that developers already have a way to ensure that their document is not iframed by an untrusted origin and does not contain iframes from untrusted origins; they could set an origin-wide CSP of `frame-ancestors 'self'; frame-src 'self'`. It's perfectly fine to explain to them why they might want to set such a policy on their sites, but there are many scenarios where the developer might willingly iframe a trusted cross-origin/site document on a page which uses a resource that should be protected from Spectre-like attacks. I hope we wouldn't prevent developers from securing their resources in this scenario.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/687#issuecomment-379583774