Matt Menke

The reason for additional keys is to protect spying across cross-site frames in the same tab, which is much more a security issue than a privacy one. Sites can coordinate...

Do you mean SWs are more vulnerable than the non-SW behavior where they previously were not (which is true-ish, assuming SW's aren't currently more vulnerable than the non-SW case), or...

I suspect that would be more disruptive than my change (which was deliberately scoped very narrowly, and generated no bug reports for Chrome, at least). This could break both domain...

I don't claim to be an expert on what MIME sniffing should actually do, but yes, my reading is also that Chrome does not sniff responses with a text/html content-type....

I think having vague 2-line descriptions in place of the full ~4-line descriptions that https://www.chromium.org/blink/launching-features/ has is not useful. I think it would be better to either duplicate their text...

> > Caching: not sure. Perhaps cached entries never have trailers? > > [RFC9111](https://httpwg.org/specs/rfc9111.html#storing.fields): > > > Caches MAY either store trailer fields separate from header fields or discard them....

Given that proxy autoconfig remains enabled by default on Windows, I think we'll likely need to continue using the same blacklist for proxies, in practice.

> @MattMenke2: > > > Given that proxy autoconfig remains enabled by default on Windows, I think we'll likely need to continue using the same blacklist for proxies, in practice....

Once a PAC script is injected, it can make requests for http://some_host:80/ to http://local.domain: by setting that as a proxy for those requests. This would bypass both the port blacklist...

Quick clarification: That's not a malicious proxy, but a malicious PAC script. There doesn't need to be any actual proxy in that scenario, the browser just needs to think it's...