Re: [whatwg/fetch] Enforce CORP on "navigate" request mode (#1113)

> I'm not sure that's worth revisiting.

I do think it’s worth revisiting. The requirement of XFO together with CORP isn’t well explained anywhere in the spec or MDN (AFAICT). And implementing this would also allow developers to use the “same-site” keyword, which isn’t available in XFO. I think this change is more logical and easier for devs than what we have today.

> I think it makes sense to enforce XFO for redirects. HTML doesn't do that currently, but that could be changed.

Sure, but Chrome doesn’t want to implement this so far. And it’ll be much easier to just change CORP than landing a breaking change.

> I'm not entirely sure I understand the analysis in the Chromium bug. 

XFO should be enforced regardless of redirect :) Which isn’t the case today, and that would leak some secrets.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1113#issuecomment-722249444

Received on Thursday, 5 November 2020 09:16:38 UTC