- From: Noam Rosenthal via GitHub <sysbot+gh@w3.org>
- Date: Wed, 24 May 2023 15:55:13 +0000
- To: public-css-archive@w3.org
I like the 3rd option the best. However, I wanted to point out a couple of security-related implications of these options: - If we share any information about the new document to the old document, including the fact that there is a transition coming, we could create a constraint that would make it difficult for us to make this feature same-site rather than same-origin in the future. There is no current mechanism I'm aware of to opt in to "let a same-site cross-origin page that navigates know where the navigation got redirected to". It might be ok to cement the same-origin constraint but we should be deliberate about it. - With option (2) and (3), this makes information about the next same-origin navigation (e.g., whether it was redirected) something that is now exposed to CSS. It means that 3rd party CSS, which could have different CSP privileges than JS, can now read and exfiltrate this data. Both of these issues might be ok but should be properly reviewed. The same principles apply to #8785 and #8790: if we expose the exact time of the transition, we expose something about a navigation that might be cross-origin. This is OK if we don't want to support same-site in the future. -- GitHub Notification of comment by noamr Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/8683#issuecomment-1561448917 using your GitHub account -- Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Wednesday, 24 May 2023 15:55:15 UTC