- From: Arthur Sonzogni <notifications@github.com>
- Date: Tue, 15 Jun 2021 01:04:33 -0700
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Tuesday, 15 June 2021 08:05:01 UTC
_topic:coep-credentialless_ The request's includeCredentials isn't part of the HTTP cache key. It means if: - `a.com` requests `c.com` with credentials, - `b.com` requests `c.com` **without** credentials Then both `a.com` and `b.com` will get a response requested **with** credentials. This seems problematic in general. The request's credential mode is not respected, and `a.com` influences directly `b.com`. The partitioned HTTP cache will fixe one of the two problem. With COEP:credentialless, we obviously don't want to request a resource without credentials and get a response with credentials. That would be a security issue. ([tentative WPT](https://chromium-review.googlesource.com/c/chromium/src/+/2961290/2/third_party/blink/web_tests/external/wpt/html/cross-origin-embedder-policy/credentialless/cache.tentative.html)) One obvious solution would be to add this flag to the [HTTP cache key](https://fetch.spec.whatwg.org/#http-cache-partitions). Not sure if there are alternatives and what would be the potentials drawback to this. Happy to get your opinions. +CC @whatwg/cross-origin-isolation -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/fetch/issues/1253
Received on Tuesday, 15 June 2021 08:05:01 UTC