Re: [whatwg/fetch] Proposal: `Sec-Site` should capture information about the requester of a resource (#700)

> Should it be a per-origin opt-in (via Origin Policy) or enabled by default?

It looks like Origin Policy is stateful cross-site. True? From the spec:
"The Sec-Origin-Policy HTTP request header field is sent with navigational HTTP requests in order to advertise support generally for the origin policy manifest mechanism defined in this document, and to inform the server which version of its origin policy is cached locally."

If so, it won't fly for us for anti-tracking reasons. Maybe partitioning would make sense. Were there any thoughts on that?

https://github.com/whatwg/fetch/issues/700#issuecomment-381667604

Received on Monday, 16 April 2018 16:36:43 UTC