Re: [w3ctag/spec-reviews] Review origin policy. (#127)

Picked up at Boston F2F.  We found a number of issues we wanted to discuss, so we invited @mikewest to join us, and he was kind enough to do so.  Despite connection difficulties on the call, we covered:

* **Use of `/.well-known/`**: We don't really like using hard-coded paths, and also feel that there's an element of making things difficult intentionally to avoid foot-guns.  However, this technique guarantees that the author controls the origin, and enables pre-fetching.  We didn't come to a conclusion on that.
* **Path prefixes / URL tree subsetting**: Could we see potential for a sub-origin policy?  Maybe not, but it would be good to reason about this.
* **Headers vs content body tags**: Making this settable only via a header is unfortunate but understandable. On the performance basis, it wouldn't be reasonable to make a synchronous request later in page processing, and as regards ownership, we note that control over headers is frequently argued to indicate server environment ownership (vs. control of content, which often does not). We'd like to discourage other specs from adopting this pattern without similar justification, though.
* **Combinability with web app manifest**: It seems like these should be the same thing, maybe with origin policy living under a single top level key in the manifest data model.  Some practical issues here but we'd like to see this overcome if possible to avoid the complexity of having different techniques.
* **Vary header**: We were not sure why a `Vary` header was needed on the response.  The answer is that, for clients that don't support origin policies, the server would need to include all the normal headers that would otherwise be omitted.
* **HTTP/2 header caching**: We are not sure how much value there is in origin policy when HTTP/2 will eliminate all the header cruft in practice anyway via header compression and caching.

https://github.com/w3ctag/spec-reviews/issues/127#issuecomment-278789026

Received on Thursday, 9 February 2017 22:04:47 UTC
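The `Vary` question above, worked through as an added example (not code from the TAG thread or from the origin-policy draft): a shared cache sits between a policy-aware client and a legacy client, and the server either emits `Vary` on the stripped response or does not. The request header name `Sec-Origin-Policy`, the policy pointer value and the sample security headers are assumptions, not values taken from the spec.

```python
from typing import Dict, List, Optional, Tuple

OPT_IN_HEADER = "Sec-Origin-Policy"  # assumed name of the client's opt-in request header
FULL_HEADERS = {                      # constructed sample per-response security headers
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=31536000",
}

def respond(request_headers: Dict[str, str], emit_vary: bool) -> Dict[str, str]:
    """Server side. An opting-in client gets only a pointer to the policy (served from
    /.well-known/, placeholder name) and the per-response headers are omitted; a
    legacy client gets the full set. `emit_vary` toggles the header the TAG asked about."""
    if OPT_IN_HEADER in request_headers:
        headers = {"Sec-Origin-Policy": "policy-placeholder"}  # assumed response form
    else:
        headers = dict(FULL_HEADERS)
    if emit_vary:
        headers["Vary"] = OPT_IN_HEADER
    return headers

class SharedCache:
    """Minimal shared cache that honours Vary: a stored response is reused only when
    the new request matches the stored request on every header named in Vary."""
    def __init__(self) -> None:
        self.store: Dict[str, List[Tuple[Dict[str, str], Dict[str, str]]]] = {}

    def lookup(self, url: str, req: Dict[str, str]) -> Optional[Dict[str, str]]:
        for stored_req, resp in self.store.get(url, []):
            vary = [h.strip() for h in resp.get("Vary", "").split(",") if h.strip()]
            if all(stored_req.get(h) == req.get(h) for h in vary):
                return resp  # no Vary at all means every request matches
        return None

    def fetch(self, url: str, req: Dict[str, str], emit_vary: bool) -> Dict[str, str]:
        hit = self.lookup(url, req)
        if hit is not None:
            return hit
        resp = respond(req, emit_vary)
        self.store.setdefault(url, []).append((dict(req), resp))
        return resp

def legacy_client_gets_csp(emit_vary: bool) -> bool:
    """A policy-aware client primes the cache, then a legacy client (no opt-in header)
    requests the same URL through it. True if the legacy client still received CSP."""
    cache = SharedCache()
    cache.fetch("/index.html", {OPT_IN_HEADER: "0"}, emit_vary)
    return "Content-Security-Policy" in cache.fetch("/index.html", {}, emit_vary)
```

Without `Vary`, the cache hands the legacy client the stripped response and its security headers silently disappear; with `Vary` on the opt-in header the cache keeps the two variants apart.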