Re: [whatwg/fetch] From-Origin (#687)

Cool! Here are some further questions and thoughts:

* If a cross-origin iframe has a same-origin worker and that worker fetches something same-origin with `From-Origin: same` set, will it fail?
* Should we make `same` and `same-site` case-sensitive to be more similar to `null` and how we compare origins? (I'd suggest yes.)
* How do we deal with multiple `From-Origin` headers (either multiple or comma-separated)? We need to be clear on whether `same, same-site` or `same, https://hello.example` ends up being ignored or means something.
* I'd really like to include that referrer check pointed out above, but it seems a little contingent on being able to ship that for CSP/X-Frame-Options too. Perhaps we can try to be strict here first and if restricting it for CSP/X-Frame-Options fails we loosen this up? (It's also a little different as this always applies, whereas those only affect navigation.)

Also, the way WebKit deals with "invalid" values means that if someone deploys `From-Origin: https://hello.example` today it'll never fail to load in WebKit until they add support for that. Perhaps it's better to be strict from the start here given that origins are best compared byte-for-byte (after splitting on comma and stripping HTTP whitespace)?

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-384590813

Received on Thursday, 26 April 2018 10:26:51 UTC
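As an added example (not code from the Fetch spec, WebKit, or the author of the comment above), here is a JavaScript check implementing the strict reading the comment suggests: split on commas, strip HTTP whitespace, compare `same` and `same-site` case-sensitively, compare origins byte-for-byte, and fail closed on anything unrecognised. Assumptions: exactly one member is required (a list such as `same, same-site` is treated as invalid), and a "site" is approximated as scheme plus the last two host labels rather than via the public suffix list.

```javascript
// Added example: strict From-Origin evaluation. Not the spec's or WebKit's code.
const HTTP_WS = /^[\t\n\r ]+|[\t\n\r ]+$/g; // HTTP whitespace at either end

// Split one or more From-Origin field values (multiple headers or
// comma-separated) into trimmed members, dropping empty ones.
function parseFromOrigin(fieldValues) {
  const members = [];
  for (const value of fieldValues) {
    for (const piece of value.split(',')) {
      const member = piece.replace(HTTP_WS, '');
      if (member !== '') members.push(member);
    }
  }
  return members;
}

// Simplified "site": scheme plus registrable domain, where the registrable
// domain is approximated (assumption) as the last two labels of the host.
function siteOf(origin) {
  const url = new URL(origin);
  const labels = url.hostname.split('.');
  return url.protocol + '//' + labels.slice(-2).join('.');
}

// May a request from `requestOrigin` load a response served by `responseOrigin`
// carrying these From-Origin field values? With strict=false, unrecognised or
// ambiguous values never block the load (the lenient behaviour described above).
function fromOriginAllows(fieldValues, requestOrigin, responseOrigin, strict = true) {
  const members = parseFromOrigin(fieldValues);
  if (members.length === 0) return true;      // no policy present
  if (members.length !== 1) return !strict;   // e.g. "same, same-site": ambiguous
  const member = members[0];
  if (member === 'same') return requestOrigin === responseOrigin;
  if (member === 'same-site') return siteOf(requestOrigin) === siteOf(responseOrigin);
  let parsed;
  try { parsed = new URL(member); } catch (e) { return !strict; } // e.g. "Same"
  // Must be a serialized origin (no path, no case difference): byte-for-byte.
  if (parsed.origin !== member) return !strict;
  return requestOrigin === member;
}
```

A worker's request carries the worker's own origin, so for the iframe question above the outcome of `same` depends only on whether that origin equals the response origin.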