WHATWG on 2022-05-14

01:30	<Domenic>	A question someone has surely asked before... if I, a subresource host, have already granted cross-origin read access with `Access-Control-Allow-Origin: `, why would I ever not* want to grant embed access via `Cross-Origin-Resource-Policy: cross-origin`? IIRC it has to do with how CORS also impacts the requests. (Which you can most easily see when preflights are required.) If you do a "no-cors" request (e.g. <img>, not <img crossorigin>) and get back ACAO: *, what does that mean? Saying that it roughly means CORP: cross-origin is a bit strange/maybe broken in some more specific way I can't think of right now.
06:49	<Noam Rosenthal>	Eric Portis (he/him): ACAO/CORS allows you to make a decision of what data to send based on the origin of the request. e.g. you can send a different response if your data is requested by `origin-a.com` and `origin-b.com`, because CORS requests contain the `Origin` header. CORP is more like a fallback to still allow embedding the content even without knowing the origin.
06:51	<Noam Rosenthal>	Having `Access-Control-Allow-Origin: ` doesn't mean that you send all/the same data to every origin, while `Cross-Origin-Resource-Policy: ` kind of does, but for the latter the use of the resource is limited (showing the image, using it in timing-attack-prone situations but not read the data directly)
06:54	<Noam Rosenthal>	Having both without extra checks means "If I know the origin of the request then allow reading this data, and also allow embedding it even if I don't know the origin". It's not too redundant