- From: Arthur Sonzogni <notifications@github.com>
- Date: Tue, 27 Jul 2021 05:55:12 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/582/887487554@github.com>
Thanks for this reply!

> As the issue is no longer about iframe, could this be just a CSP? (I'm fine with this being COEP, but wondering where it fits better).

I am not totally sure I understand the benefits of defining this as a CSP. If you can, could you provide some of them?

What I can see in favor of keeping it inside COEP:

- COOP and COEP are used to define a crossOriginIsolated context. If we move COEP:credentialless toward CSP, I am worried the story will be slightly harder to explain to developers. This will look a bit less canonical.
- CSP already expanded very far away from its original essence. I am a bit reluctant to expand it further in another direction.
- COEP is already plumbed toward the CORP check for require-corp. The CORP check also checks for both 'require-corp' and 'credentialless'. If we want to convey it with CSP instead, I would have to plumb CSP as well. It's better if we can avoid it.

---

> Also, based on the underlying issue driving this, it might be good to segment caches (SW, native) around the "includeCredentials" value, like public and private caches, or use its value as a cache key. (See w3c/ServiceWorker#1592, thanks @annevk for the pointer)

I believe you wanted to refer to: https://github.com/whatwg/fetch/issues/1253 instead? If yes, then I totally agree! That's already what Firefox implements. I would be happy to make Chrome converge toward Firefox here.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/582#issuecomment-887487554
Received on Tuesday, 27 July 2021 12:55:24 UTC