Re: [whatwg/fetch] Enforce CORP on "navigate" request mode (#1113)

> Why is changing CORP more compatible? That's just as much of a breaking change and was actually considered as part of the design process and rejected.

Because people adding the CORP response header to resources loaded in iframes (including redirects) would be fewer at this point than people specifying XFO. Why do you think enforcing CORP in requests from iframes is a breaking change (other than spec-wise)?

> What are the reasons for Chromium not willing to change XFO?

You can read the thread in the bug, but they see 0.75% of all subframe navigations having XFO with a redirect response status, which is high enough that they won't be able to change the behavior. However, I would expect CORP to be much lower in the same metric.

> Why couldn't we add same-site to XFO if that's needed?

If we are able to change the current behavior of XFO (i.e. enforce on redirect), then we can add `same-site` to XFO, and that's fine. However, I don't see that happening.

-- 
https://github.com/whatwg/fetch/issues/1113#issuecomment-722536446

Received on Thursday, 5 November 2020 17:50:23 UTC