Re: [whatwg/fetch] Allow timing reporting with origin (for iframes) (PR #1388) from Noam Rosenthal on 2022-03-10 (public-webapps-github@w3.org from March 2022)

From: Noam Rosenthal <notifications@github.com>
Date: Thu, 10 Mar 2022 03:41:40 -0800
To: whatwg/fetch <fetch@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/fetch/pull/1388/c1063966350@github.com>

> So you can end up with that scenario when the cross-origin isolated capability is not delegated through Permissions Policy. Is the problem here that we use the capability of the parent and not the child? It seems that's what we should address somehow, right?

We use the capability of the child and not the parent I believe, based on the global object used as the fetch client. Thinking to address this inside resource timing rather than here - to make sure the global object at the time of accessing properties has a chance to coarse.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1388#issuecomment-1063966350
You are receiving this because you are subscribed to this thread.

Message ID: <whatwg/fetch/pull/1388/c1063966350@github.com>

Received on Thursday, 10 March 2022 11:41:52 UTC