- From: Lukasz Anforowicz <notifications@github.com>
- Date: Mon, 30 Apr 2018 12:27:41 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/686/review/116406225@github.com>

anforowicz commented on this pull request.

> @@ -2354,6 +2354,49 @@ X-Content-Type-Options = "nosniff" ; case-insensitive</pre> pertain to them. Also, considering "<code>image</code>" was not compatible with deployed content. +<h3 id=cross-origin-read-blocking>Cross-Origin Read Blocking (CORB)</h3>

The CORB name has already been baked into a few places, so I'd rather avoid changing it unless there is a strong reason to do it:

- https://github.com/whatwg/fetch/issues/681 and comments/links within (e.g. the link to the [CORB explainer](https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md))
- [Blink Intent to Implement and Ship](https://groups.google.com/a/chromium.org/d/topic/blink-dev/hnAWBzq1qys/discussion) (and the corresponding [Chrome status entry](https://www.chromestatus.com/feature/5629709824032768))
- WPT tests at wpt/fetch/corb

AFAIK CORB is technically correct and doesn't suffer from the issues present in the old, legacy name (cross-site document blocking - XSDB) where:

- "site" was matching the isolation offered by Site Isolation, but in practice (without arbitrary code execution in a renderer, just as a Spectre defense) we can also protect data at origin granularity
- "document" was not an appropriate label for HTML/JSON/XML resources

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/686#discussion_r185084628

Received on Monday, 30 April 2018 19:28:10 UTC