Open annevk opened 2 years ago
The algorithms are much improved right now in terms of passing state into the various methods. Regarding the CSP check, @cbiesinger, do you know what method is being used? Right now the check links to the spec itself.
Not sure what you mean by method? We check against the "connect" policy if that helps. (I guess we should link to https://w3c.github.io/webappsec-csp/#should-block-request maybe?)
Throughout the specification it's very much unclear where certain state in algorithms is pulled from. E.g., https://fedidcg.github.io/FedCM/#fetch-the-manifest does not make it clear it takes a provider as argument (and what the type of that argument is). It also doesn't seem to explain at all where the CSP is coming from that it performs a check with. That would require at least an environment or some such.