Open anforowicz opened 2 years ago
You could safelist them, but then indeed you cannot host sensitive information in such resources. At least not unless you put additional protection in place.
cc @jyasskin
(There's also the problem of them not being an accepted standard so it's somewhat unclear to what extent ORB should cater to a Chrome-exclusive problem.)
As spec-ed today, ORB will block application/signed-exchange responses. AFAIU this will break some SignedExchangePrefetchBrowserTest browser tests in Chromium. I don't know if there is WPT coverage. At any rate, the broken tests illustrate that Chromium fetches cross-origin SXG responses in no-cors mode today.
I am not sure what is the long-term path for SXG vs ORB. Maybe ORB can allow SXG responses, based on the fact that SXG spec discourages signing of content that depends on authentication status. (Cursory search only found the discouragement in an earlier spec draft here.) OTOH, I also hear that unsigned bundles can contain secret information (this is a link to a security bug in Chromium which is not yet public).
PS. This doesn't block ORB v0.1 in Chromium which still only sniffs for HTML, XML, JSON and therefore won't affect SXG responses.