Re: [csswg-drafts] [css-view-transitions-2] Support same-site cross-origin view transitions (#10364)

> > > Note also that NavigationActivation and pageswap have relevant same-origin restrictions that would have to be relaxed for this to work.
> > 
> > 
> > Good point! Can you think of any issues with relaxing the restriction, if the site has a vt opt-in?
> 
> The vt opt in itself is not enough because you can't read it in the old page before the new page is parsed. CSP is perhaps more suitable because it can be delivered in HTTP headers.
> 
> But the main restriction that's going to have to be relaxed is on navigation API session history, as for effective cross-doc navs you need to know where you're going to post-redirects and also where you came from (which might not be the referrer if you're traversing). Currently all of this is same-origin. There are not many things that are same-site protected and it's challenging to get right.
> 
> I can't tell if a CSP opt-in is enough for this, it's a good conversation to have with security folks. My point is if we were to do this I would start from history and derive view transitions from that rather than jump straight to CSS.

Do I understand correctly that this would require `navigation.activation.from` to be populated in the cross-origin-but-same-site case?

I think that's probably doable if both origins consent to it, but it would be important to note that some of the information on `navigation.activation.from` would be incomplete or unusable. Most notably, a `from.key` would be rejected if given to `navigation.traverseTo`, and `from.index` would always be `-1`.

We would also need to think carefully about how `from.url` behaves. Would it be ok for it to be origin-only? Would it break view transitions if it was censored due to referrer policy?

-- 
GitHub Notification of comment by natechapin
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/10364#issuecomment-2168890214 using your GitHub account


Received on Friday, 14 June 2024 23:34:24 UTC