This might be a job for Origin Policies: https://wicg.github.io/origin-policy/
Replying to @slightlylate @voxpelli
It's all a disaster. I say that from the perspective of someone who came up against this over a decade ago (in-browser ebook reader) and now, at a company where SameSite=None is being liberally applied.
Replying to @blaine @slightlylate
XHR/fetch should have had cookies stripped by default (and cross-origin limits removed) ages ago. There are other solutions to port/intranet scanning that could have been solved on the IT side rather than forcing every web dev to deal with the insane complexity.
Replying to @blaine @slightlylate
They've always been cookieless by default, for cross origin requests
Replying to @jaffathecake @slightlylate
But you don't get cross-origin perms. CORS was a mistake.
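The exchange above (cross-origin fetch/XHR is cookieless by default, but reading the reply still needs CORS permission) as an added worked example; this is not code from the thread or from any browser, it models the Fetch standard's credentials modes and CORS check with constructed origins and headers. Note what the model makes explicit: the request is sent regardless, and CORS only governs whether the page may read the response.

```javascript
// Added illustration (not from the thread): how a browser decides whether a
// cross-origin fetch() carries cookies and whether script may read the reply.
// All origins, URLs and headers below are constructed sample values.

// fetch() defaults to credentials: 'same-origin', so cookies are attached
// only to the page's own origin. XHR behaves the same unless withCredentials
// is set.
function cookiesAttached(pageOrigin, targetUrl, credentialsMode = 'same-origin') {
  const targetOrigin = new URL(targetUrl).origin;
  switch (credentialsMode) {
    case 'omit': return false;
    case 'include': return true;
    case 'same-origin': return pageOrigin === targetOrigin;
    default: throw new TypeError(`unknown credentials mode: ${credentialsMode}`);
  }
}

// The CORS check a browser applies before exposing a cross-origin response.
// By this point the request has already reached the server and been acted on;
// CORS only decides whether the calling page can read the answer.
function corsCheck(pageOrigin, targetUrl, credentialsMode, responseHeaders) {
  const targetOrigin = new URL(targetUrl).origin;
  if (pageOrigin === targetOrigin) return { readable: true, reason: 'same-origin' };

  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allowOrigin = h['access-control-allow-origin'];
  const wantsCredentials = credentialsMode === 'include';

  if (allowOrigin === undefined) {
    return { readable: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (allowOrigin === '*') {
    return wantsCredentials
      ? { readable: false, reason: 'wildcard origin is not valid with credentials' }
      : { readable: true, reason: 'wildcard origin, no credentials' };
  }
  if (allowOrigin !== pageOrigin) {
    return { readable: false, reason: `origin ${pageOrigin} not allowed` };
  }
  if (wantsCredentials && h['access-control-allow-credentials'] !== 'true') {
    return { readable: false, reason: 'credentials sent but Access-Control-Allow-Credentials missing' };
  }
  return { readable: true, reason: 'origin allowed' };
}

// Server side: derive CORS headers from an explicit allowlist. Echo the Origin
// only when it is allowlisted, add Vary so a shared cache never serves one
// origin's answer to another, and never pair '*' with credentials.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Worked exchange with constructed sample values.
function demo() {
  const page = 'https://app.example';
  const api = 'https://api.example/me';

  // 1. Plain fetch(api): cross-origin, so no cookies are attached ...
  const noCookies = cookiesAttached(page, api);
  // ... and with no CORS headers the reply stays opaque to the page.
  const blocked = corsCheck(page, api, 'same-origin', {});

  // 2. fetch(api, { credentials: 'include' }) against a server that
  //    allowlists the page: cookies go, and the reply is readable.
  const headers = corsHeadersFor(page, ['https://app.example']);
  const ok = corsCheck(page, api, 'include', headers);

  // 3. Same request against a server that answers with '*': cookies still
  //    go, but the browser refuses to expose the reply.
  const star = corsCheck(page, api, 'include', { 'Access-Control-Allow-Origin': '*' });

  return { noCookies, blocked, ok, star };
}
```

Case 3 is the one that bites in practice: a permissive `*` looks like it "enables CORS", yet any credentialed request from a real site is still unreadable, which is usually what pushes teams toward echoing arbitrary origins with credentials, the configuration that turns CORS into a cross-site request-forgery amplifier.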
Replying to @blaine @slightlylate
I'm not sure how else we could have protected intranets, local servers, iot devices etc etc
Replying to @jaffathecake @slightlylate
Off the top of my head, default browser policy: deny any NAT IP range. Add either a browser config and/or network-based (mdns?) policy enforcement. Would be helpful for native mobile OS policy, too.
Replying to @blaine @jaffathecake
Basically, give network admins tools to manage policy. Give developers ways to bypass defaults for special cases. Limit things like CORS to exceptional cases (e.g. NAT ranges, etc), not every bloody request on the internet.
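The "deny NAT ranges by default, let admins and developers add exceptions" proposal above, as an added sketch of what such a browser-side gate would look like; this is not code from the thread or from any browser, and the hosts, rules and range table are constructed. It is IPv4-only and classifies IP literals and `localhost`; the comment on `classify` flags the part a real implementation cannot skip.

```javascript
// Added sketch (not from the thread) of a default-deny policy for requests
// from public pages to private/local addresses. Constructed example only;
// it does not describe any shipping browser's behaviour.

const PRIVATE_V4 = [
  ['10.0.0.0', 8],      // RFC 1918
  ['172.16.0.0', 12],   // RFC 1918
  ['192.168.0.0', 16],  // RFC 1918
  ['100.64.0.0', 10],   // RFC 6598 carrier-grade NAT
  ['127.0.0.0', 8],     // loopback
  ['169.254.0.0', 16],  // link-local
];
// IPv6 (::1, fc00::/7, fe80::/10) is out of scope for this sketch.

// Parse a dotted quad into an unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

function inCidr(ip, base, bits) {
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

function isPrivateV4(ip) {
  return PRIVATE_V4.some(([base, bits]) => inCidr(ip, base, bits));
}

// Classify a host as 'local' (private/loopback) or 'public'. Only IP literals
// and localhost are classified here. For a DNS name a real implementation
// must classify the address the socket actually connects to; classifying the
// name lets a DNS-rebinding server walk straight past the check.
function classify(host) {
  if (host === 'localhost' || host.endsWith('.localhost')) return 'local';
  if (ipv4ToInt(host) !== null) return isPrivateV4(host) ? 'local' : 'public';
  return 'public';
}

// Policy: a public page may not reach a local host unless an allow rule names
// that (page, target) pair. Local-to-local and anything-to-public pass, so
// ordinary cross-site traffic never touches the rule set at all.
function evaluateRequest(pageHost, targetHost, allowRules = []) {
  const from = classify(pageHost), to = classify(targetHost);
  if (to !== 'local' || from === 'local') {
    return { allowed: true, reason: `${from}->${to}` };
  }
  const rule = allowRules.find(r => r.page === pageHost && r.target === targetHost);
  return rule
    ? { allowed: true, reason: 'allow rule' }
    : { allowed: false, reason: 'public->local without allow rule' };
}

// Constructed sample policy an admin might push to managed browsers.
const SAMPLE_RULES = [{ page: '203.0.113.5', target: '192.168.1.1' }];
```

With this split, the port- and intranet-scanning case that motivated CORS is handled by the public-to-local gate alone, and the allow rule is the "bypass for special cases" hook; the rest of the web sees no new friction.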
Replying to @blaine @jaffathecake
The barrier to entry is way too high, and as @slightlylate says, it vastly limits the capabilities of the web vs native. I don't think it's anyone's fault, but it's worth acknowledging that the current system is a mess and extremely difficult to navigate for anyone but *experts*.
We can add friction! My point is that the terms of this are fungible