"Browsers act as though `Cross-Origin-Resource-Policy: cross-origin` is set on every response that lacks an explicit CORP header" is not strictly true

[enricocarraro]

Hi Mike,
In a recent discussion @ddworken mentioned that:

This isn't strictly true since a resource without CORP is guaranteed to not be referenced by a page with precise timers (e.g. SharedArrayBuffers). But at the same time, we don't think that this is sufficient to prevent Spectre attacks so the value of this as a defense is somewhat unclear.

[mikewest]

Right. We hadn't shipped that when I wrote the page, but it's a fair nuance to add today. What text would you suggest to capture it? "browsers mostly act as though"?

[enricocarraro]

Thank you for the quick reply. Yes, and if possible I would add a footnote saying something like:

The only difference being that pages without CORP are guaranteed to not be referenced by a page with precise timers.