Re: [whatwg/fetch] Enforce CORP on "navigate" request mode (#1113)

Okay, I agree with @arturjanc's 2nd reason that this change makes adoption of CORP more difficult.

However, I think we still have a few gotchas for developers in frames vs. resources protection.
1. [resourcepolicy.fyi](https://resourcepolicy.fyi/), [web.dev](https://web.dev/why-coop-coep/), and [MDN](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP)) don't explain the requirement of XFO for protecting resources in addition to CORP.
2. Adding XFO to all sensitive HTML files won't save developers, because HTML files can be loaded using the `img` tag, since Firefox doesn't seem to support [CORB](https://bugzilla.mozilla.org/show_bug.cgi?id=1459357). This means developers have to add CORP to all sensitive HTML files even though they don't see the change affecting frame loading.

While it seems like enforcing CORP on navigations is a bad idea, I think we need to do a better job of explaining what developers need to do (i.e. supply XFO AND CORP to all sensitive responses).

https://github.com/whatwg/fetch/issues/1113#issuecomment-732473348

Received on Monday, 23 November 2020 22:55:06 UTC
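The gotcha in point 2 of the comment above, worked through as an added example (this is not code from the thread, the fetch spec, or any browser): a small model of which cross-origin loads a response's headers block. A no-cors subresource load such as `<img src>` is gated by `Cross-Origin-Resource-Policy`, while an `<iframe>` load is a navigation that CORP does not cover, so only `X-Frame-Options` restricts it. The origins, header sets, and the two-label same-site check are constructed assumptions for the example; CORB is deliberately not modelled, matching the Firefox behaviour the comment points to.

```javascript
// Added example, not code from the original thread or from the fetch spec.
// Models the decision the comment describes: CORP gates no-cors subresource
// loads (<img src>), X-Frame-Options gates <iframe> navigations, and neither
// header covers the other case. Header names are lower-cased, as a server
// framework would expose them.

function parseCorp(value) {
  const v = (value || '').trim().toLowerCase();
  return ['same-origin', 'same-site', 'cross-origin'].includes(v) ? v : null;
}

function parseXfo(value) {
  const v = (value || '').trim().toUpperCase();
  return v === 'DENY' || v === 'SAMEORIGIN' ? v : null; // unknown or absent: no restriction
}

// Same-site check used for CORP: same-site. Simplification (assumption for
// the example): the registrable domain is the last two host labels, so
// multi-label public suffixes such as co.uk are not handled.
function sameSite(originA, originB) {
  const site = (o) => new URL(o).hostname.split('.').slice(-2).join('.');
  return site(originA) === site(originB);
}

// Decide whether the document at `initiatorOrigin` gets the response from
// `responseOrigin`.
//   mode 'no-cors': subresource load such as <img src> or <script src>
//   mode 'frame':   <iframe src> navigation, checked against the embedder
// CORB is not modelled, matching the Firefox behaviour the comment points to.
function loadAllowed({ initiatorOrigin, responseOrigin, mode, headers }) {
  const sameOrigin = initiatorOrigin === responseOrigin;
  if (mode === 'frame') {
    // CORP is not enforced on navigations; only XFO applies here.
    const xfo = parseXfo(headers['x-frame-options']);
    if (xfo === 'DENY') return false;
    if (xfo === 'SAMEORIGIN') return sameOrigin;
    return true;
  }
  if (mode === 'no-cors') {
    const corp = parseCorp(headers['cross-origin-resource-policy']);
    if (corp === 'same-origin') return sameOrigin;
    if (corp === 'same-site') return sameSite(initiatorOrigin, responseOrigin);
    return true; // 'cross-origin' or no CORP header: the bytes reach the renderer
  }
  throw new Error(`unsupported mode: ${mode}`);
}

// Audit helper: which of the two protections a sensitive HTML response lacks.
function missingProtections(headers) {
  const missing = [];
  const corp = parseCorp(headers['cross-origin-resource-policy']);
  if (corp !== 'same-origin' && corp !== 'same-site') missing.push('CORP');
  if (!parseXfo(headers['x-frame-options'])) missing.push('XFO');
  return missing;
}

// Constructed sample header sets for a sensitive HTML response.
const XFO_ONLY = { 'content-type': 'text/html', 'x-frame-options': 'DENY' };
const HARDENED = {
  'content-type': 'text/html',
  'x-frame-options': 'DENY',
  'cross-origin-resource-policy': 'same-origin',
};

// The gotcha from point 2: XFO alone blocks the frame but not the <img> load;
// adding CORP closes that path too.
function demo() {
  const attacker = 'https://attacker.example'; // assumed origins
  const victim = 'https://bank.example';
  return {
    xfoOnlyFrame: loadAllowed({ initiatorOrigin: attacker, responseOrigin: victim, mode: 'frame', headers: XFO_ONLY }),
    xfoOnlyImg: loadAllowed({ initiatorOrigin: attacker, responseOrigin: victim, mode: 'no-cors', headers: XFO_ONLY }),
    hardenedImg: loadAllowed({ initiatorOrigin: attacker, responseOrigin: victim, mode: 'no-cors', headers: HARDENED }),
    missingXfoOnly: missingProtections(XFO_ONLY),
    missingHardened: missingProtections(HARDENED),
  };
}

console.log(demo());
```

Running `demo()` shows the asymmetry: with only `X-Frame-Options: DENY` the frame is refused but the `<img>` load is allowed, and `missingProtections` flags `CORP`; with both headers both paths are closed. The model checks XFO against the direct embedder only and ignores the rest of the ancestor chain, which real browsers also consult.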