- From: Mike West <notifications@github.com>
- Date: Tue, 26 Jan 2021 09:20:55 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 26 January 2021 17:21:08 UTC
I tried to sketch out the need in the introduction, with the specific example of Earth: TL;DR: sites that include content from third-parties cannot deploy `COEP: require-corp` until those third-parties adopt CORS or CORP. The hope is that we can create similar security properties without being blocked on opt-in.

It might also be helpful to frame this in terms of a broader story: it is clear to me that we need to [shift the web's defaults towards isolation](https://speakerdeck.com/mikewest/isolation-by-default), because side-channels are pervasive, and attacks on them only get better. `COEP: require-corp` cannot be enforced by default. Most web sites would break. I believe we can get to a world in which `CORP: whatever-we-call-this-credentiallessness-thing` could be enforced by default, with low propensity for user-facing breakage, as substantial numbers of users choose to block third-party cookies today.

So, in the short term, it allows some sites that can't opt-into cross-origin isolation with `COEP: require-corp` to do so. In the long term, it gives us a path towards opting everyone in.

https://github.com/w3ctag/design-reviews/issues/582#issuecomment-767696388
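As an added illustration of the deployment problem described above (example code, not from the thread or from any browser implementation): a small Python model of the check a document with a given `Cross-Origin-Embedder-Policy` applies to a cross-origin subresource. Assumptions: `credentialless` is the value the "credentiallessness" mode was later shipped under, the origins and headers are constructed, and the CORP `same-site` comparison is simplified to an origin comparison.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Response:
    origin: str                      # origin that served the response (constructed)
    headers: dict = field(default_factory=dict)

def corp_permits(embedder_origin: str, resp: Response) -> Optional[bool]:
    """Evaluate Cross-Origin-Resource-Policy. None means the header is absent
    (no opt-in). same-site is simplified to an origin comparison in this model."""
    corp = resp.headers.get("Cross-Origin-Resource-Policy", "").lower()
    if corp == "cross-origin":
        return True
    if corp in ("same-origin", "same-site"):
        return resp.origin == embedder_origin
    return None

def load_subresource(coep: str, embedder_origin: str, resp: Response,
                     cors_mode: bool = False) -> Tuple[bool, bool, str]:
    """Model the embedding decision for a subresource such as <img> or <script>
    (no-cors by default). Returns (allowed, credentials_sent, reason)."""
    if resp.origin == embedder_origin:
        return True, True, "same-origin"
    if cors_mode:  # CORS-mode requests are gated by Access-Control-Allow-Origin, not CORP
        acao = resp.headers.get("Access-Control-Allow-Origin")
        ok = acao in ("*", embedder_origin)
        return ok, True, "cors" if ok else "cors-denied"
    corp = corp_permits(embedder_origin, resp)
    if coep == "unsafe-none":
        return True, True, "coep-disabled"
    if coep == "require-corp":
        # Opt-in required: a third party that never set CORP blocks the load,
        # which is why sites embedding such content cannot deploy require-corp.
        if corp:
            return True, True, "corp-ok"
        return False, True, "blocked-by-corp" if corp is False else "blocked-no-corp"
    if coep == "credentialless":
        # No third-party opt-in needed: credentials are stripped from the request
        # instead, and only an explicit CORP denial still blocks the load.
        if corp is False:
            return False, False, "blocked-by-corp"
        return True, False, "credentialless"
    raise ValueError(f"unknown COEP value: {coep}")
```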