COEP and CORP opaque responses #4767
Labels
topic: canvas
topic: cross-origin-embedder-policy
Issues and ideas around the new "require CORP for subresource requests and frames and etc" proposal.
Comments
annevk
added
topic: canvas
topic: cross-origin-embedder-policy
|
I think I have a better solution which I'll put in the PR tomorrow. Namely, when serializing store the COEP state of the agent cluster and check that when deserializing and throw upon going from non-COEP to COEP. That way only the problematic case ends up failing and ImageBitmap created inside a COEP process from CORP opaque resources won't fail. |
|
I still think that's the way to go and is the least invasive, so I'm going to close this, but please do reach out if you have concerns. This isn't set in stone (yet). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Talking with @domenic about #4764 I realized that the fix in #4734 would also affect
ImageBitmapobjects created inside a COEP process. In particular, there can still be opaque responses, but they're "CORP approved".The main question here is whether origin-clean needs to become a tri-state or whether we accept that
ImageBitmapobjects that are not origin-clean cannot be deserialized inside a COEP process. I prefer the latter as the additional complexity does not seem worth it. In case you all agree this can be closed, unless there are more vectors I have not considered or you prefer an alternative design.@whatwg/canvas @whatwg/security @mikewest @mystor @arturjanc @yutakahirano
(Making COEP require CORS would have been easier for this...)
The text was updated successfully, but these errors were encountered: