-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rationalize Resource-Timing opt-ins with CORS/CORP #240
Comments
I think we also questioned whether TAO can be reasonably interpreted as giving you access to network-level data. That still seems strange to me, given that it reveals data about conditions well beyond a given server's control.
I believe @arturjanc and @camillelamy remain convinced of the position that cross-origin isolation (e.g. COOP+COEP+CORP) should be seen as enabling both embedding and reading no-cors responses that pass through CORB. I'm more skeptical, but my arguments aren't as convincing as I'd like them to be. I think the question becomes a little harder if we try to push for a cross-origin isolation mechanism that doesn't require opt-in (e.g. the credentiallessness proposal we floated a ~week ago). We should probably summarize this discussion somewhere public. |
Hmm, there's a reason COEP uses CORP and not CORS. Or does "reading" not mean what I think it does? And on the other side, I'm surprised that TAO would not a subset of CORS. That always seemed fairly okay to me. But maybe the concern here is indeed more about what TAO should give access to, as Mike indicates. |
Our reasoning is abased on the fact that most of the information about CORP mentions that if you set it to cross-origin, cross-origin resources can read your resource. Eg. MDN: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy_(CORP) So at that point, it would seem that the expectations for a developer that were set is that CORP cross-origin does allow other origins to read the resource. There's a caveat to that with subframes in SiteIsolation world, where CORP clearly doesn't grant readability. However, for regular subresources, we found that the line between readability and just embeddability was hard to draw and maintain. |
Shouldn't the documentation be fixed? As it doesn't really give you the same level of access as CORS. You cannot paint a CORP cross-origin image on canvas and then export it, for instance. The ability to embed/use seems exactly right. |
Everyone on this thread has already seen and contributed to the doc, but for completeness: The question of whether CORP should be treated as legibility or embeddability, and the consequences of each interpretation, is currently being discussed in the Notes on the threat model of cross-origin isolation doc (PDF). |
Following a mailing list discussion and TPAC session, I'm opening up this issue to continue discussion.
At the TPAC session, we:
/cc @arturjanc @mikewest @camillelamy @annevk
The text was updated successfully, but these errors were encountered: