Re: [w3c/ServiceWorker] `CacheStorage` & `COEP:credentialless` (#1592)

Hi, I am back from vacation. I prototyped what was discussed in [Chrome](https://chromium-review.googlesource.com/c/chromium/src/+/2886899) and modified the [fetch PR](https://github.com/whatwg/fetch/pull/1229/files#diff-b4827ee42aceaf9dc3e7216f72262d81c32217e9996fb70a657f259e3ac92604L3424) accordingly. The interesting part is the CORP check:

From:

4. If policy is null and embedderPolicyValue is `require-corp`, set policy to `same-origin`

To:

4. If policy is null, switch on embedderPolicyValue:
- `unsafe-none`
- `credentialless`
  Set policy to `same-origin` if one of the following is true:
  - **response’s `request-include-credentials` is true and response’s type is `opaque`.**
  - forNavigation is true.
- `require-corp`
  Set policy to `same-origin`.

This change passes all the test cases defined in the [table](https://github.com/w3c/ServiceWorker/issues/1592#issuecomment-841125853) above, and the corresponding [WPT](https://github.com/web-platform-tests/wpt/blob/master/html/cross-origin-embedder-policy/credentialless/cache-storage.tentative.https.html).
This requires CORP when opaque responses contain credentials (only possible via CacheStorage).

I believe I am happy with that. What about you?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1592#issuecomment-851308276

Received on Monday, 31 May 2021 08:22:47 UTC
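The switch described in the comment above, modelled as a small JavaScript function. This is an added example, not Fetch spec text, Chromium code, or code from the thread: the `request`/`response` record shapes, the `corpHeader` and `requestIncludesCredentials` field names, the string-based origins, and the naive same-site helper are assumptions made for this model. The surrounding steps of the CORP check (reading the header, the same-origin and same-site comparisons) follow the general shape of the Fetch algorithm but are simplified.

```javascript
// Added example (not Fetch spec text or Chromium code): a model of the
// cross-origin resource policy check with the "credentialless" switch
// proposed above. Origins are plain strings such as "https://a.example".

const CORP_VALUES = new Set(["same-origin", "same-site", "cross-origin"]);

// Origin of a URL string, e.g. "https://b.example/img" -> "https://b.example".
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Simplified same-site test (assumption): same scheme and the last two host
// labels match. Real implementations consult the public suffix list.
function sameSite(originA, originB) {
  const a = new URL(originA);
  const b = new URL(originB);
  const site = (host) => host.split(".").slice(-2).join(".");
  return a.protocol === b.protocol && site(a.hostname) === site(b.hostname);
}

// request:  { origin }
// response: { url, corpHeader (string or null), type, requestIncludesCredentials }
// embedderPolicyValue: "unsafe-none" | "credentialless" | "require-corp"
// Returns "allowed" or "blocked".
function corpInternalCheck(request, response, embedderPolicyValue, forNavigation = false) {
  // Read Cross-Origin-Resource-Policy; any value not in the grammar is ignored.
  let policy = response.corpHeader;
  if (!CORP_VALUES.has(policy)) policy = null;

  // No (valid) header: the embedder policy supplies the default, per the
  // "To:" text in the comment above.
  if (policy === null) {
    switch (embedderPolicyValue) {
      case "unsafe-none":
        break;
      case "credentialless":
        // Only opaque responses that were fetched with credentials (which, in
        // a credentialless context, can only come from CacheStorage) and
        // navigations fall back to same-origin.
        if ((response.requestIncludesCredentials && response.type === "opaque") || forNavigation) {
          policy = "same-origin";
        }
        break;
      case "require-corp":
        policy = "same-origin";
        break;
      default:
        throw new Error(`unknown embedder policy: ${embedderPolicyValue}`);
    }
  }

  // No effective policy, or explicitly cross-origin: allowed.
  if (policy === null || policy === "cross-origin") return "allowed";

  const responseOrigin = originOf(response.url);
  // Same-origin responses are always allowed.
  if (request.origin === responseOrigin) return "allowed";
  if (policy === "same-origin") return "blocked";
  // same-site: allowed only for same-site requests from an https origin.
  if (policy === "same-site" && sameSite(request.origin, responseOrigin) &&
      request.origin.startsWith("https:")) {
    return "allowed";
  }
  return "blocked";
}

// Constructed cases mirroring the CacheStorage discussion: a cross-origin
// opaque response held in CacheStorage, with and without credentials.
function runCases() {
  const req = { origin: "https://a.example" };
  const cross = (extra) => ({
    url: "https://b.example/img",
    corpHeader: null,
    type: "opaque",
    requestIncludesCredentials: false,
    ...extra,
  });
  return {
    credentiallessOpaqueWithCreds: corpInternalCheck(req, cross({ requestIncludesCredentials: true }), "credentialless"),
    credentiallessOpaqueNoCreds: corpInternalCheck(req, cross({}), "credentialless"),
    credentiallessCorsWithCreds: corpInternalCheck(req, cross({ type: "cors", requestIncludesCredentials: true }), "credentialless"),
    credentiallessOpaqueWithCredsAndCorp: corpInternalCheck(req, cross({ requestIncludesCredentials: true, corpHeader: "cross-origin" }), "credentialless"),
    credentiallessNavigation: corpInternalCheck(req, cross({}), "credentialless", true),
    requireCorpNoHeader: corpInternalCheck(req, cross({}), "require-corp"),
    requireCorpCrossOriginHeader: corpInternalCheck(req, cross({ corpHeader: "cross-origin" }), "require-corp"),
    unsafeNoneNoHeader: corpInternalCheck(req, cross({}), "unsafe-none"),
  };
}
```

The two cases worth comparing are `credentiallessOpaqueWithCreds` (blocked without a CORP header) and `credentiallessOpaqueNoCreds` (allowed): the only difference is whether the cached opaque response was fetched with credentials, which is the condition the bold line in the comment adds.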