Re: [whatwg/fetch] From-Origin (#687)

I keep forgetting we no longer check the ancestor tree for Cross-Origin-Resource-Policy. Otherwise the sneaky, injected iframe would not have worked.

Just so that I have it stated here, I personally think we’ve step by step drifted away from a simple one-stop-shop protection we can evangelize to the long tail of sites during the year(s) where we figure out process isolation.

My initial implementation covered all resource types, all schemes and ports in one directive, and checked the ancestor tree. Such a header has a high likelihood of protection with low likelihood of misunderstandings or breakage IMHO.

Now developers need to understand non-CORS requests and deploy Origin checks, CSP frame-ancestors and Cross-Origin-Resource-Policy to protect all their resources. The same-site concept is only available in one of the three, increasing the likelihood of overlap, gaps, and inconsistent deployment.

I’m a little sad we ended up here. It feels like we’re piling on complexity where we should strive for simplicity.

Sorry for the rant.

https://github.com/whatwg/fetch/issues/687#issuecomment-393762489

Received on Friday, 1 June 2018 05:26:54 UTC
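To make the "three mechanisms, one of which knows same-site" point from the comment concrete, here is an added toy model (not code from the Fetch spec or from anyone in this thread) that runs one same-site but cross-origin embed through simplified versions of Cross-Origin-Resource-Policy, CSP `frame-ancestors`, and a server-side `Origin` allow-list. It assumes origins serialised as `scheme://host[:port]`, approximates the registrable domain as the last two host labels instead of the Public Suffix List, and models only the `'self'`, `'none'` and literal-origin forms of `frame-ancestors`.

```javascript
// Added illustration, not spec or project code. Assumptions: origins are
// "scheme://host[:port]"; registrable domain = last two labels (no PSL);
// the real CORP, CSP and Origin-check algorithms have more cases than this.

function parseOrigin(serialized) {
  const u = new URL(serialized);
  const defaultPort = u.protocol === "https:" ? "443" : "80";
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port: u.port || defaultPort };
}

function sameOrigin(a, b) {
  const [x, y] = [parseOrigin(a), parseOrigin(b)];
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Schemeful same-site: same scheme and same (approximated) registrable domain.
function sameSite(a, b) {
  const [x, y] = [parseOrigin(a), parseOrigin(b)];
  const site = (host) => host.split(".").slice(-2).join(".");   // PSL approximation
  return x.scheme === y.scheme && site(x.host) === site(y.host);
}

// Cross-Origin-Resource-Policy: same-origin | same-site | cross-origin (or absent).
function corpAllows(policy, requestOrigin, resourceOrigin) {
  if (policy === "same-origin") return sameOrigin(requestOrigin, resourceOrigin);
  if (policy === "same-site") return sameSite(requestOrigin, resourceOrigin);
  return true;
}

// CSP frame-ancestors with 'self', 'none' and literal origin sources only.
function frameAncestorsAllows(sources, ancestorOrigin, resourceOrigin) {
  if (sources.includes("'none'")) return false;
  if (sources.includes("'self'") && sameOrigin(ancestorOrigin, resourceOrigin)) return true;
  return sources.some((s) => !s.startsWith("'") && sameOrigin(s, ancestorOrigin));
}

// Server-side Origin-header check: exact allow-list; a missing header is rejected.
function originCheckAllows(allowList, originHeader) {
  return typeof originHeader === "string" && allowList.includes(originHeader);
}

// One cross-origin, same-site embed (constructed hosts) under all three mechanisms.
function evaluateSameSiteEmbed() {
  const resource = "https://static.example.com";
  const embedder = "https://app.example.com";
  return {
    corp: corpAllows("same-site", embedder, resource),                   // CORP can say "same-site"
    frameAncestors: frameAncestorsAllows(["'self'"], embedder, resource), // no same-site keyword here
    originCheck: originCheckAllows([resource], embedder),                // only if app.* is listed too
  };
}
```

The three results differ for the same request, which is the overlap-and-gap problem the comment describes: each mechanism has to be configured separately, and only one of them can express the site boundary directly.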