- From: Matt Menke <notifications@github.com>
- Date: Tue, 03 Aug 2021 07:43:11 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 3 August 2021 14:43:23 UTC
This seems to be a little different from NPK to me, at least. NPK is currently best-effort privacy, and the model assumes all sites are the attackers (including intermediate caches, or at least those outside control/configuration of the user). For strong privacy guarantees, more than just not caching is actually needed (e.g., willful IP blindness, or a heavily shared proxy).

That seems different from a design aimed at cross-site security, where sites are attacking other sites, which presumably don't want to be attacked, and can take (much better than best-effort) steps against it. The threat model is very different, and having a site be secure in some contexts but not in others (in a way the site might not know about) seems both a more serious issue here, and can lead to sites unknowingly being broken in the case of intermediary proxies.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1253#issuecomment-891905769