Re: [whatwg/fetch] COEP:credentialless and the HTTP cache. (#1253)

@annevk Because it’s the same thing to the intermediary: whether it’s User 1 with B-by-A and B-by-C, or User 1 vs User 2. My point is the intermediary doesn’t need NPK for that: the origin is implicitly saying “You can share this cache entry between User 1 and User 2”.

I can totally understand that, just like services that only support HTTP, it may be that we’re saying the defaults are insecure, and the browser as the user’s agent needs to change, but my point is that the scenario you described (at least, as I tried to reflect, where A is credentialed, B is not, and C is the attacker) is _already_ broken without NPK.

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/1253#issuecomment-894187461

Received on Friday, 6 August 2021 11:11:30 UTC