If there are any concerns around From-Origin as outlined at whatwg/fetch#687 that'd be good to know.
There's also an alternative proposed in that thread: an Origin header that's included for every request. My concern with that header is that it makes referrer leaking worse, unless we restrict it to revealing one of same-origin, same-site, or cross-site.
(An architectural question here is that this is yet another piece of web infrastructure proposing a dependency on Public Suffix. Given that WebAuthn does it too, I kinda think we've already taken the decision to embrace it, but it's worth calling out.)
We've discussed this internally and those partaking in that discussion agreed on worth prototyping as a position, provided the feature only affects whether the fetch in question succeeds or fails and has no side effects beyond that.