| 12:15 | <Noam Rosenthal> | Is there anything we need to protect against when it comes to navigation cross-origin redirects? I know we don't expose the redirect timing itself, but other than that do we consider this a same-origin navigation? (e.g. example.com has a link to auth.com that redirects back to example.com/logged-in) |
| 12:15 | <Noam Rosenthal> | (context: https://github.com/w3c/csswg-drafts/issues/8684) |
| 12:17 | <annevk> | Noam Rosenthal: there are definitely exceptions, but also https://en.wikipedia.org/wiki/Confused_deputy_problem |
| 12:18 | <Noam Rosenthal> | annevk: I know about confused deputy, especially for subresources, trying to understand if and how it applies to navigations |
| 12:21 | <annevk> | It's not very different, e.g., we'll give a different set of cookies |
| 12:27 | <Noam Rosenthal> | ok this is about the fetching itself though. With transitions, I guess the developer could, without any new API, put some info in localStorage, navigate to auth.com, and then when reaching example.com/logged-in check that localStorage entry and history.length and perform their own transition |
| 12:36 | <annevk> | It's probably minor, but the transition could give the end user the impression that all is in order, while in fact there's some form of XSS going on. I'd just not add exceptions. We ended up regretting pretty much all same-origin policy exceptions. |
| 13:06 | <Noam Rosenthal> | annevk: what would be an "exception" here? The current spec I have in mind wouldn't touch fetch, and would just check if old document and new document are the same origin |
| 13:08 | <Noam Rosenthal> | but yea I get the point about "smoothing out" a redirect to the user |
| 13:34 | <Panos Astithas> | PSA: I fixed the future triage calendar events per the discussion in https://github.com/whatwg/html/issues/8942. Let me know if I got anything wrong. |
| 13:40 | <annevk> | Thanks, seems like 2/3 do mismatch with our internal ones, but I can adjust those prolly |