- From: camillelamy <notifications@github.com>
- Date: Wed, 27 Jan 2021 08:54:59 -0800
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Wednesday, 27 January 2021 16:55:11 UTC
I think I am more in favor of the option of requiring frames to CORP themselves and assert a COEP that is not unsafe-none. The way I see it, an iframe that has the right CORP and a COEP that is not `unsafe-none` should be embeddable in a `COEP whatever-we-call-this-credentiallessness-thing`. We can start with that, and if we find that it is too hard to deploy, maybe we can think about Mike's option 2 as a fallback.

Looking at the user needs for this, it seems to be mostly around subresources rather than nested iframes. So IMO, option 1 gives something that we can more easily reason about in terms of security and still helps quite a bit with the deployment of COEP.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/582#issuecomment-768422910