
Define how CORP and COEP should work for subresource loading #644

Closed
hayatoito opened this issue Mar 30, 2021 · 3 comments · Fixed by #684

Comments

@hayatoito
Collaborator

We need to figure out how CORP and COEP should work for subresource loading with WebBundles.

The Chromium-side issue is here.

@hayatoito
Collaborator Author

Let me start by figuring out what the desired behavior is at a pretty high level, as a starting point for discussion.

For the bundle:

CORP and COEP are irrelevant because a browser always uses CORS to fetch the bundle.

For the resources within the bundle:

A browser must check the response headers of each resource in a bundle.
e.g. the resources within the bundle need a "Cross-Origin-Resource-Policy: cross-origin" response header if they are intended for a cross-origin page that has "Cross-Origin-Embedder-Policy: require-corp", and so on.

@ghost

ghost commented Apr 3, 2021

Related in whatwg/html
Proposal: Deprecation of "cross-origin-policy" in favor of a declarative network isolation of insecure HTML tags (#6553)

@irori
Collaborator

irori commented Sep 28, 2021

For the bundle:

CORP and COEP are irrelevant because a browser always uses CORS to fetch the bundle.

For the resources within the bundle:

A browser must check the response headers of each resource in a bundle.
e.g. the resources within the bundle need a "Cross-Origin-Resource-Policy: cross-origin" response header if they are intended for a cross-origin page that has "Cross-Origin-Embedder-Policy: require-corp", and so on.

I think these are reasonable. Created #684.
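The behavior hayatoito proposes above, and irori endorses here, amounts to running the ordinary CORP check against each bundled response while skipping it for the CORS-fetched bundle itself. The following is an added example, not code from this issue or from the WebBundles/Chromium implementation, modelling that decision; it assumes origins given as "scheme://host[:port]" strings, only the "unsafe-none" and "require-corp" COEP values, and a same-site approximation based on the last two host labels rather than the Public Suffix List.

```javascript
// Added example (not from the issue or the spec text): a simplified model of the
// Cross-Origin-Resource-Policy check a browser would apply to a resource taken
// from a web bundle, given the embedding document's Cross-Origin-Embedder-Policy.
// Assumptions: origins are "scheme://host[:port]" strings, the bundle itself was
// fetched with CORS, COEP is "unsafe-none" or "require-corp" ("credentialless"
// is not modelled), and same-site is approximated by the last two host labels
// rather than the Public Suffix List.

const VALID_CORP = new Set(["same-origin", "same-site", "cross-origin"]);

function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:]+)(?::(\d+))?$/i.exec(origin);
  if (!m) throw new Error(`malformed origin: ${origin}`);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || "" };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function sameSite(a, b) {
  const site = (h) => h.split(".").slice(-2).join("."); // crude PSL stand-in
  return site(a.host) === site(b.host);
}

// Decide whether one bundled response may be exposed to the embedding document.
// Returns "allowed" or "blocked".
//   documentOrigin: origin of the page loading the bundle
//   embedderPolicy: that page's Cross-Origin-Embedder-Policy value
//   resourceOrigin: origin of the resource's URL inside the bundle
//   corpHeader:     the resource's Cross-Origin-Resource-Policy header, or null
//   tainting:       "cors" when the resource was requested with CORS, else "basic"
function corpCheck({ documentOrigin, embedderPolicy, resourceOrigin, corpHeader, tainting }) {
  if (tainting === "cors") return "allowed"; // CORS already validated the response
  const doc = parseOrigin(documentOrigin);
  const res = parseOrigin(resourceOrigin);
  let policy = corpHeader ? corpHeader.trim().toLowerCase() : null;
  if (!VALID_CORP.has(policy)) policy = null; // invalid values count as absent
  if (policy === null) {
    if (embedderPolicy !== "require-corp") return "allowed"; // unsafe-none: no check
    policy = "same-origin"; // require-corp: a missing header is treated as same-origin
  }
  if (policy === "cross-origin") return "allowed";
  if (policy === "same-origin") return sameOrigin(doc, res) ? "allowed" : "blocked";
  // same-site: additionally refuse an https resource embedded by an http document
  const ok = sameSite(doc, res) && (doc.scheme === "https" || res.scheme !== "https");
  return ok ? "allowed" : "blocked";
}
```

With the document at https://app.example under require-corp, a bundled resource from https://cdn.example is blocked unless it carries "Cross-Origin-Resource-Policy: cross-origin", which is exactly the case the thread describes.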
