whatwg / html

HTML Standard
https://html.spec.whatwg.org/multipage/

COEP still doesn't check for HTTPS #6328

Closed zcorpan closed 3 years ago

zcorpan commented 3 years ago

https://html.spec.whatwg.org/commit-snapshots/0f2615317684a837150f5fc76b216a66f91427d9/#the-headers-2

To obtain an embedder policy from a response response:

In https://github.com/whatwg/html/issues/5164 I noted that COOP required a secure context while COEP did not. That issue was then merged into https://github.com/whatwg/html/issues/4930 and there were some changes to "HTTPS state", but as far as I can tell there's nothing in the spec that checks for HTTPS for COEP currently.

Opening this issue per discussion with @annevk on IRC.

annevk commented 3 years ago

cc @ArthurSonzogni @yutakahirano

yutakahirano commented 3 years ago

Note: We have a test: https://wpt.fyi/results/html/cross-origin-embedder-policy/no-secure-context.html

Given HTTPS state is removed, we need to check only reservedClient (== top level URL), right?

annevk commented 3 years ago

Yeah, if the top-level environment is a secure context, nested ones will be too.

I think we could make environment a new argument to "obtain an embedder policy", but perhaps this is not great for "check a navigation response's adherence to its embedder policy"? Though in that case it only matters if the parent is a secure context. Perhaps some slight restructuring is in order.
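A small model of the check being discussed, as an added example (not the spec's text or the whatwg/html repository's code): "obtain an embedder policy" gated on whether the reserved client's top-level URL is a secure context, so that the pre-fix behaviour (COEP honoured over plain HTTP) can be compared with the fixed one. The function names, the `environment.topLevelUrl` shape and the simplified trustworthiness check are assumptions for this example.

```javascript
// Added example; not code from the HTML Standard or the whatwg/html repository.
// Simplified "potentially trustworthy URL" check (assumption: https/wss plus
// loopback hosts; the real Secure Contexts algorithm covers more cases).
function isPotentiallyTrustworthy(urlString) {
  const url = new URL(urlString);
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname; // WHATWG URL keeps the brackets on IPv6 hosts
  return host === "localhost" || host === "127.0.0.1" || host === "[::1]";
}

// Parse the Cross-Origin-Embedder-Policy header value as a single token.
// Only an exact "require-corp" token is recognised; anything else (missing
// header, unknown token, casing mismatch) yields "unsafe-none".
function parseCoepHeader(value) {
  if (value === null || value === undefined) return "unsafe-none";
  // Drop optional structured-field parameters such as ';report-to="..."'
  // (a simplification of full structured-field item parsing).
  const token = value.split(";")[0].trim();
  return token === "require-corp" ? "require-corp" : "unsafe-none";
}

// `headers` is a plain object keyed by lowercase header name (constructed input).
// `environment.topLevelUrl` stands in for the reserved client's top-level URL,
// the value yutakahirano proposes checking. `requireSecureContext` toggles the
// gate so the behaviour before and after the fix can be compared side by side.
function obtainEmbedderPolicy(headers, environment, { requireSecureContext = true } = {}) {
  if (requireSecureContext && !isPotentiallyTrustworthy(environment.topLevelUrl)) {
    return "unsafe-none"; // COEP must have no effect outside a secure context
  }
  return parseCoepHeader(headers["cross-origin-embedder-policy"]);
}
```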

yutakahirano commented 3 years ago

The fix is available at #6336.