| 03:07 | <Krinkle> | I'm trying to find out what the spec says about SameSite=Lax/Strict in relation to valid CORS cross-origin requests (e.g. fetch with mode:cors,credentials:include where the remote url responds with my origin). |
| 03:07 | <Krinkle> | It seems that if the other website ack's my origin as belonging to it (e.g. foo.org vs bar.org, not sharing a public prefix + 1), there would be no need to hold back its cookies |
| 03:08 | <Krinkle> | on the other hand, the language of SameSite=Strict is quite.. strict. |
| 03:12 | <Krinkle> | I find no mention of SameSite in Fetch/CORS related pages, and no mention of CORS on any SameSite related explainers/articles/announcements/RFC specs etc |
| 04:46 | <annevk> | Krinkle: they are completely separate |
| 05:57 | <annevk> | Krinkle: and with the various third-party blocking/partitioning efforts going on I would not expect that to change |
| 10:39 | <fernando_> | Hi |
| 10:40 | <fernando_> | I've a question about the document |
| 10:40 | <fernando_> | in encoding.spec.whatwg.org/#concept-stream-read |
| 10:41 | <fernando_> | it says "The serialize stream algorithm (...) runs these steps: " |
| 10:41 | <fernando_> | "Let output be the empty string" |
| 10:41 | <fernando_> | I understand that if the algorithm returns a string, it should not be called "serialize" but "unserialize" |
| 10:42 | <fernando_> | Isn't it? |
| 10:42 | <fernando_> | thanks |
| 12:07 | <Krinkle> | annevk: separate insofar as when SameSite=Strict says it won't be sent on requests from another origin that CORS has no influence on it? It seems odd if my only choices were to expose cookies to all or none, e.g. not same origin plus trusted ones via CORS. |
| 12:08 | <Krinkle> | Given there has been little to no talk on the two I've either found something forgotten or I'm just missing something obvious / probably the latter :) |
| 13:04 | <gsnedders> | TabAtkins: how come Travis CI doesn't run on PRs for Bikeshed? :( |
| 14:29 | <annevk> | Krinkle: CORS does not protect the request |
| 14:56 | <Krinkle> | annevk: maybe I'm using the wrong terminology. By "cors" I mean a cross-domain request that is blocked unless the preflight request confirms the destination responds with "Origin: https://<requestor>". |
| 14:57 | <Krinkle> | But I suppose there's still ways to make that request even without cors protection, it just means you can't get the result, e.g. via <form> submission to a frame or <img> etc. |
| 14:57 | <Krinkle> | I'll have to think about that, but yeah, so req cookies sent and resp cookies readable aren't the same thing. I forgot about that. |
| 18:51 | <travisleithead> | Anyone have any background on the Note added by hixie in 2008 (commit 96b43465a8a) related to multiline [text] layout in 2d canvas: "A future version of the 2D context API may provide a way to render fragments of documents, rendered using CSS, straight to the canvas. This would be provided in preference to a dedicated way of doing multiline layout." |
| 18:53 | <travisleithead> | I have customers asking for such a thing (multiline [text] support in 2d canvas), so wanted to understand the latest thinking here. |
| 20:25 | <annevk> | Krinkle: browsers also want to stop sending third party cookies entirely |
| 20:27 | <annevk> | travisleithead: that was an idea from roc iirc that Fx has an internal impl of, but making it work in a way where you can still read pixels is really hard so I’d not take that note to mean much |
| 23:53 | <travisleithead> | annevk: thanks! good to know. |