Re: [csswg-drafts] [css-view-transitions-2] Support same-site cross-origin view transitions (#10364)

> > Note also that NavigationActivation and pageswap have relevant same-origin restrictions that would have to be relaxed for this to work.
>
> Good point! Can you think of any issues with relaxing the restriction, if the site has a vt opt-in?

The vt opt-in itself is not enough because you can't read it in the old page before the new page is parsed. CSP is perhaps more suitable because it can be delivered in HTTP headers.

But the main restriction that's going to have to be relaxed is on navigation API session history, as for effective cross-doc navs you need to know where you're going to post-redirects and also where you came from (which might not be the referrer if you're traversing). Currently all of this is same-origin. There are not many things that are same-site protected and it's challenging to get right.

I can't tell if a CSP opt-in is enough for this; it's a good conversation to have with security folks. My point is that if we were to do this, I would start from history and derive view transitions from that rather than jump straight to CSS.



-- 
GitHub Notification of comment by noamr
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/10364#issuecomment-2131225282 using your GitHub account


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Saturday, 25 May 2024 11:34:26 UTC