Re: [csswg-drafts] [css-view-transitions-2] Support same-site cross-origin view transitions (#10364)

> How about adding a new [Content Security Policy (CSP)](https://w3c.github.io/webappsec-csp/) directive for this instead?

Love it! Especially with the example of `font-src` you mentioned. We'd likely still want `from`/`to` eventually so authors can do transition customization declaratively. But since opting into same-site cross-origin transitions is a security policy, CSP seems like a better place for it.

> even allow to opt into different-site cross-origin view transitions

Different-site cross-origin is fundamentally harder to do for multiple other reasons:

- View Transitions work by sharing metadata and a handle to snapshots of the old Document with the new Document. From a security standpoint, that's highly sensitive information to share cross-site (even if there is an opt-in).
- The fact that the previous site initiated a View Transition, and the details in the metadata passed over to the new site, can be used as a vector for passing information and user fingerprinting.
- View Transitions work by allowing the new Document to customize the animation using static state from the old Document. For cross-site, this would allow the new site to decide what the animation looks like. And it's not clear whether either site should unilaterally control what the animation looks like.

This is not to say cross-site is completely infeasible, but it needs a deeper dive into what control we actually want to give to authors vs letting the majority of the experience be defined by the UA.

-- 
GitHub Notification of comment by khushalsagar
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/10364#issuecomment-2130412073 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Friday, 24 May 2024 21:49:03 UTC