Re: [whatwg/fetch] RFC: a mechanism to bypass CORS preflight (#210)

Yeah, @bifurcation got overwhelmed with notifications a while back.

@mnot - The idea of a site-wide policy seems sensible enough. Some thoughts below.

---

It's not clear to me why you want to go the `.well-known` route vs. having the original resource express the location of the policy:

`Access-Control-Policy: https://example.com/cors-policy`

In the case where the original resource is HTTPS, there's no reduction in security (since the redirect is secure).  In the HTTP case, you're either hosed in any case or you're not. If you got creative, you could even make that work for multiple origins, saving you even more (as below).

---

I am also worried about the consistency issue.  If we do this, we should be explicit that the site policy overrides anything sent by the specific resource.  Note that it is safe for the resource to send only the policy (and not the other CORS headers), since older browsers will fail closed.

---

If we're going to have the origin set policy for sub-resources, it would be good to do it for more than just CORS.  E.g., it would be nice to use this to set the `upgrade-insecure-requests` CSP directive for a whole site.

---

I would like this a bit better if we could have the policy be signed by the origin.  You could re-use normal web certificates for this, and it would have a few advantages:
1. Better assurance in the HTTP case
2. You would have to have a certificate (if not HTTPS) to get this optimization
3. Policies can be distributed independently of the transport, so you could do things like having a single policy document have policies for multiple origins.

---

Net of all that, though, doing a foreign fetch service worker does seem simpler to me than revising the whole policy framework.  Where are we on that idea?  As an intermediate idea, you could imagine adding a service worker method to set this policy, so that you wouldn't have to do all the header munging.

---
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/210#issuecomment-211441909

Received on Monday, 18 April 2016 15:52:21 UTC
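As an added illustration of the two rules argued for in the message above (a site-wide policy, when it covers the resource's origin, overrides the per-resource CORS headers; a client that only understands ordinary CORS fails closed when a resource sends just the policy), the following Node.js simulation is not code from the thread, from the Fetch spec or from any browser. The `Access-Control-Policy` pointer header, the JSON policy document format, and the in-memory policy store standing in for a fetch of the policy URL are all assumptions taken from the proposal in the message, not a real mechanism.

```javascript
// Added example; not from the original thread and not any browser's or spec's code.
// ASSUMPTIONS (hypothetical, modelled on the proposal above):
//  - A response may carry "Access-Control-Policy: <url>" pointing at a site-wide policy.
//  - The policy document is JSON keyed by resource origin (format invented here).
//  - When a site policy covers the resource origin it overrides the ordinary
//    Access-Control-* headers; otherwise ordinary CORS header evaluation applies.
//  - An older client ignores Access-Control-Policy and evaluates only the ordinary
//    headers, so a resource that sends only the policy pointer fails closed there.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// Constructed policy store standing in for documents fetched from the policy URL.
const policyDocuments = {
  "https://api.example.com/cors-policy": {
    "https://api.example.com": {
      allowOrigins: ["https://app.example.com"],
      allowMethods: ["GET", "POST", "PUT", "DELETE"],
      allowHeaders: ["content-type", "authorization"],
    },
  },
};
const lookupPolicy = (url) => policyDocuments[url] || null;

function headerList(value) {
  return value ? value.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean) : [];
}

// Decision from the ordinary CORS response headers (what every browser understands).
// Simplification: every request header listed is treated as needing explicit permission.
function evaluateHeaders(request, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== request.origin) return false;
  const methods = headerList(headers["access-control-allow-methods"]).map((m) => m.toUpperCase());
  if (!SIMPLE_METHODS.has(request.method) && !methods.includes(request.method)) return false;
  const allowed = headerList(headers["access-control-allow-headers"]);
  return request.headers.every((h) => allowed.includes(h.toLowerCase()));
}

// Decision from the site policy; null when the policy does not cover this origin.
function evaluatePolicy(request, resourceUrl, policy) {
  const entry = policy[new URL(resourceUrl).origin];
  if (!entry) return null;
  if (!entry.allowOrigins.includes("*") && !entry.allowOrigins.includes(request.origin)) return false;
  if (!SIMPLE_METHODS.has(request.method) && !entry.allowMethods.includes(request.method)) return false;
  const allowed = entry.allowHeaders.map((h) => h.toLowerCase());
  return request.headers.every((h) => allowed.includes(h.toLowerCase()));
}

// Policy-aware client: the site policy, if reachable and covering the origin, wins.
function policyAwareAllows(request, resourceUrl, headers, fetchPolicy) {
  const pointer = headers["access-control-policy"];
  if (pointer) {
    const resourceSecure = new URL(resourceUrl).protocol === "https:";
    const policyUrl = new URL(pointer, resourceUrl);
    // An https resource must not have its policy fetched over http: ignore the
    // pointer and fall back to the ordinary headers (which may well be absent).
    const downgrade = resourceSecure && policyUrl.protocol !== "https:";
    const policy = downgrade ? null : fetchPolicy(policyUrl.href);
    if (policy) {
      const verdict = evaluatePolicy(request, resourceUrl, policy);
      if (verdict !== null) return verdict;
    }
  }
  return evaluateHeaders(request, headers);
}

// Older client: knows nothing about the pointer header.
function legacyAllows(request, headers) {
  return evaluateHeaders(request, headers);
}

// Constructed requests and responses for the three situations discussed above.
const appRequest = { origin: "https://app.example.com", method: "PUT", headers: ["Content-Type"] };
const strangerRequest = { origin: "https://evil.example", method: "GET", headers: [] };
const apiResource = "https://api.example.com/v1/items";
const policyOnlyHeaders = { "access-control-policy": "https://api.example.com/cors-policy" };
const permissiveHeaders = {
  "access-control-allow-origin": "*",
  "access-control-policy": "https://api.example.com/cors-policy",
};
const downgradeHeaders = { "access-control-policy": "http://api.example.com/cors-policy" };

function runCases() {
  return {
    policyOnlyModern: policyAwareAllows(appRequest, apiResource, policyOnlyHeaders, lookupPolicy),
    policyOnlyLegacy: legacyAllows(appRequest, policyOnlyHeaders),           // fails closed
    permissiveModern: policyAwareAllows(strangerRequest, apiResource, permissiveHeaders, lookupPolicy), // policy overrides "*"
    permissiveLegacy: legacyAllows(strangerRequest, permissiveHeaders),
    downgradeModern: policyAwareAllows(appRequest, apiResource, downgradeHeaders, lookupPolicy),
  };
}

console.log(runCases());
```

The interesting rows are the first and third: a resource that sends only the pointer is usable by the policy-aware client but rejected by the older one, and a permissive `Access-Control-Allow-Origin: *` is overridden by the stricter site policy, which is what an explicit "site policy wins" rule buys in terms of consistency.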