Should we have TAO * even for static subresources?

w3c / webappsec-post-spectre-webdev

Post-Spectre Web Development

https://w3c.github.io/webappsec-post-spectre-webdev/

Other

17 stars 3 forks source link

Should we have TAO * even for static subresources? #4

Open camillelamy opened 3 years ago

camillelamy commented 3 years ago

Since TAO also applies to non-resource specific content, but to things more related to server or network status.

mikewest commented 3 years ago

I don't think TAO should grant access to things the server can't control or know. We talked to @yoavweiss about this a few months ago, but I don't think there's been any movement. WDYT, Yoav?