01:38 | <sideshowbarker> | foolip: I had meant the Zoom link — but I subsequently realized I could only get that after I registered. When I pinged you, I hadn’t registered yet. But then I registered and was able to get the Zoom link |
08:51 | <foolip> | sideshowbarker: oh :) |
09:25 | <Luca Casonato> | Can someone confirm that CSP is meant to apply to dedicated workers (with the CSP being determined by the Content-Security-Policy header on the worker entrypoint?). |
09:27 | <Luca Casonato> | MDN says this, but testing in the wild seems to suggest otherwise in some scenarios. |
09:31 | <annevk> | Luca Casonato: Chrome has had a bug for a long time where that was not the case, but I think it's being fixed per blink-dev |
09:38 | <Luca Casonato> | Ah, that explains it. Thanks |
09:39 | <Luca Casonato> | For anyone interested, this is the bug to track https://bugs.chromium.org/p/chromium/issues/detail?id=1253267 |
13:40 | <Dominic Farolino> | Is request's user-activation bit actually used anywhere? It doesn't seem to be referenced anywhere in HTML or Fetch, besides being set in https://html.spec.whatwg.org/#navigating-across-documents:concept-request-user-activation. But I don't think it is ever read? |
13:42 | <Dominic Farolino> | Kinda looks like we just use the hasTransientActivation boolean everywhere instead of the request bit |
14:27 | <annevk> | Dominic Farolino: it's read by the Sec-Fetch headers |
14:27 | <annevk> | Perhaps that should be clarified in a note or some such as it's indeed somewhat opaque |
14:50 | <Dominic Farolino> | annevk: Are you saying request's user-activation bit is read by Sec-Fetch headers, or hasTransientActivation is? The former only has a single reference in HTML I think |
14:50 | <Dominic Farolino> | and that is a setter |
14:51 | <annevk> | Anyone else who wants to review server advice for CORS developers? https://github.com/whatwg/fetch/pull/1330 |
14:51 | <annevk> | Dominic Farolino: request's user-activation is used by Sec-Fetch-User iirc |
14:54 | <Dominic Farolino> | Oof, forgot those were in a separate spec... |
14:55 | <annevk> | Yeah I'm not sure that makes a whole lot of sense, but we can fold them in once it starts causing problems |
15:38 | <Domenic> | I wish webappssec was more amenable to folding things in... |
15:58 | <annevk> | Maintaining things would work for me |
18:03 | <freddy> | 🤐 |