- From: arturjanc <notifications@github.com>
- Date: Tue, 12 Nov 2019 02:42:09 -0800
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 12 November 2019 10:42:11 UTC
I chatted about this with Mike and the tl;dr is that `navigate` for `object`/`embed` is something developers can deal with, under the following assumptions:

1. Browsers will treat browsing contexts created by `<object>` and `<embed>` equivalently to iframes for security purposes, i.e. apply `X-Frame-Options` and `frame-ancestors`, put the browsing context in a separate process (for browsers with out-of-process frames), and not allow any ways to access information about the loaded resource that isn't allowed in an iframe (e.g. don't reveal `width` and `height` as we would for `<img>`).
2. Developers may need to add an extra condition to their policies to prevent their resources from being used as an `<embed>` (because it will appear as a navigation instead of a resource load). This will make policies a little more complicated (which we can handle by sharing reference implementations) and will require developers to consult the value of `Sec-Fetch-Dest` -- so it will be important for browsers to have complete implementations that send the header.

Does this sound reasonable?

View it on GitHub: https://github.com/whatwg/fetch/pull/948#issuecomment-552838030
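The "extra condition" from point 2 above, as an added example (not code from the fetch thread or from any browser or reference implementation): a server-side Fetch Metadata resource-isolation check that allows cross-site top-level navigations but refuses them when `Sec-Fetch-Dest` says the "navigation" is really an `<object>`/`<embed>` load. The header names and values are the real `Sec-Fetch-*` ones; the function name, the fail-open handling of browsers that send no Fetch Metadata, and the sample requests are this example's own assumptions.

```python
"""Fetch Metadata resource-isolation check with the <object>/<embed> condition.

Added example; not the whatwg/fetch project's own code. The helper name and
(allowed, reason) return shape are assumptions of this example.
"""
from typing import Dict, Tuple

# Requests from these Sec-Fetch-Site values are never cross-site attacks.
ALLOWED_SITES = {"same-origin", "same-site", "none"}
# Destinations that arrive as Sec-Fetch-Mode: navigate but actually embed the
# resource inside a plugin/object browsing context on another site.
EMBED_LIKE_DESTS = {"object", "embed"}
SAFE_METHODS = {"GET", "HEAD"}


def resource_isolation_verdict(headers: Dict[str, str], method: str) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request based on its Fetch Metadata headers."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    mode = h.get("sec-fetch-mode")
    dest = h.get("sec-fetch-dest")

    # 1. No Sec-Fetch-Site: the browser does not send Fetch Metadata, so we
    #    cannot classify the request and fail open (assumption of this example).
    if site is None:
        return True, "no fetch metadata; allowed"
    # 2. Same-origin, same-site and user-initiated ("none") requests are fine.
    if site in ALLOWED_SITES:
        return True, "sec-fetch-site=%s; allowed" % site
    # 3. Cross-site: only simple top-level navigations are acceptable ...
    if mode == "navigate" and method.upper() in SAFE_METHODS:
        # ... unless the "navigation" is an <object>/<embed> load, the case
        # the thread says policies now have to check Sec-Fetch-Dest for.
        if dest in EMBED_LIKE_DESTS:
            return False, "cross-site navigate into <%s> blocked" % dest
        return True, "cross-site top-level navigation; allowed"
    # 4. Every other cross-site request (images, scripts, fetch(), ...) is blocked.
    return False, "cross-site %s request to dest=%s; blocked" % (mode or "unknown", dest)


# Constructed sample requests (not captured traffic) covering the relevant cases.
SAMPLE_REQUESTS = [
    ("GET", {}),
    ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
    ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "embed"}),
    ("GET", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image"}),
]

if __name__ == "__main__":
    for method, hdrs in SAMPLE_REQUESTS:
        print(method, hdrs.get("Sec-Fetch-Dest", "-"), resource_isolation_verdict(hdrs, method))
```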