- From: L. David Baron <notifications@github.com>
- Date: Mon, 04 Jun 2018 16:19:44 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 4 June 2018 23:20:07 UTC
So some initial reactions, which you shouldn't take too seriously because I haven't put that much thought into them yet: - mitigating CSRF is a worthwhile problem to work on - it seems like the underlying problem here is use of ambient authority in unexpected ways. This solution seems to be attacking the problem by blocking "unexpected ways". It seems like there could be alternatives that would reduce the scope of the ambient authority; you've even [worked on one](https://tools.ietf.org/html/draft-ietf-httpbis-cookie-same-site-00). Are there reasons to prefer one approach over the other, or the combination? - it seems like it might not be cheap, though. In particular: - the header isn't tiny, and seems like it will be sent on every request - it seems like it might be quite a bit of work to get browsers to produce interoperable statements, work that might (?) be better spent elsewhere -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/280#issuecomment-394530415
Received on Monday, 4 June 2018 23:20:07 UTC