Re: [w3ctag/design-reviews] Wildcards in Permissions Policy Origins (Issue #765)

Does this provide an easy, dangerous mistake for web developers? Currently, the developer has to delegate the origins specifically: I might decide I want this particular feature to be accessible at `feature.example.com` and I have to make a case-by-case decision whether I want the feature to also be available at `other-service.example.com`. With this change, a developer could be encouraged to just provide the feature to `*.example.com`, which will surely all be subdomains that the developer controls and wants the feature on. Later, when a third-party provider requests a CNAME for a subdomain (`analytics.example.com`), that service automatically gets access to all those features, inadvertently.

That is, in your questionnaire answers, you repeatedly note that this isn't creating any new capabilities. But is it encouraging accidental expansion of a capability to potentially many different origins?

Does this change introduce a new dependency on the PSL? What happens if the PSL is out of date or a site is accidentally included/not included?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/765#issuecomment-1221115603

Message ID: <w3ctag/design-reviews/issues/765/1221115603@github.com>

Received on Friday, 19 August 2022 21:48:03 UTC
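
The CNAME scenario raised in this comment can be checked for from the defender's side. The following is an added example, not part of the original comment or of the proposal: it audits a Permissions-Policy header for wildcard entries that cover subdomains delegated by CNAME to a third party. The header, the DNS inventory, the vendor hostname and all function names are constructed, and the matching rule (a `*.HOST` entry covers hosts below HOST but not HOST itself, ports ignored) is an assumption of the example.

```python
import re

# Constructed sample header: one feature delegated by wildcard, one by exact origin.
HEADER = ('camera=(self "https://*.example.com"), '
          'geolocation=(self "https://feature.example.com")')

# Constructed DNS inventory: subdomain -> CNAME target (None = no CNAME record).
INVENTORY = {
    "feature.example.com": None,
    "other-service.example.com": None,
    "analytics.example.com": "tenant-1234.analytics-vendor.example.net",
}
OWNED_SUFFIXES = ("example.com",)  # domains the site operator controls


def parse_allowlists(header):
    """Return {feature: [quoted origin entries]}; keywords such as self are skipped."""
    return {feature: re.findall(r'"([^"]+)"', body)
            for feature, body in re.findall(r'([a-z-]+)=\(([^)]*)\)', header)}


def covers(entry, host):
    """Assumed rule: scheme://*.HOST covers any host below HOST, never HOST itself."""
    pattern = entry.partition("://")[2].rstrip("/")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # compare against ".example.com"
    return host == pattern


def is_owned(name):
    return any(name == s or name.endswith("." + s) for s in OWNED_SUFFIXES)


def audit(header, inventory):
    """List (feature, entry, host, cname) where a wildcard reaches a third-party CNAME."""
    findings = []
    for feature, entries in parse_allowlists(header).items():
        for entry in (e for e in entries if "*" in e):
            for host, cname in sorted(inventory.items()):
                if covers(entry, host) and cname and not is_owned(cname):
                    findings.append((feature, entry, host, cname))
    return findings


if __name__ == "__main__":
    for feature, entry, host, cname in audit(HEADER, INVENTORY):
        print(f"{feature}: {entry} also delegates to {host} (CNAME {cname})")
```

Run against a real zone export on every DNS change, not only when the header changes, since the exposure described above appears when the CNAME is added later.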