Re: [whatwg/fetch] From-Origin (#687)

@johnwilander the main reason I favor and I think we went with non-granular here is that all-encompassing solutions have a poor adoption rate due to the complexity the overall web has reached. This is indeed unfortunate and it is forcing smaller sites to use some kind of abstraction, but adding something that does not work for many sites is not great either.

@youennf it's hard to compare with cookies since individual cookies have ways to limit themselves to HTTPS. `document.domain` basically does not work cross-scheme due to Mixed Content blocking. WebAuthn is limited to secure contexts.

As for the ideal behavior, the main problem with that is that if you try to migrate to HTTPS and were already using this header you now either need to remove this header or move cdn.example.com and example.com to HTTPS at the same time. (Or as @arturjanc suggests we add the same-scheme restrictions and also allow origins as values now and you could safelist `http://example.com` for a limited time while you migrate to HTTPS.)

https://github.com/whatwg/fetch/issues/687#issuecomment-394254587

Received on Monday, 4 June 2018 07:05:13 UTC