Anne van Kesteren

Results: 2109 comments by Anne van Kesteren

As discussed in https://github.com/whatwg/html/issues/6468 it's not clear to me how HLS doesn't allow a complete bypass of ORB. And that's because the origins of the resources the HLS resource points...

> It has powerful range primitives, but is also expecting the media data to be complete within each chunk (rather than allowing arbitrary concatenation).

Can you elaborate on what this...

I was hoping we would never update the sniffing algorithm and require MIME types for new media types that have a different signature (AVIF reuses an existing signature as it...

Closing this as I think this is agreed upon. https://github.com/w3ctag/design-principles/pull/263 also documents this.

I think we have two options: 1. Safelist the MIME type. 2. Require folks use CORS (and also enforce the MIME type). I somewhat prefer the latter for anything new,...

It would mean that `image/jxl` would not work cross-origin by default. This would be similar to module scripts. As for AVIF, it's my understanding it fits within https://mimesniff.spec.whatwg.org/#matching-an-audio-or-video-type-pattern. It's the...

That's a good point, that would have to not work.

The concrete benefit is limiting the data that can leak across origins. I.e., it would mean that correctly labeled image/jxl images are safe from a certain class of attacks. I...

The purpose of ORB is that the formats that are not protected are on a small list. What you seem to be asking for is extending that list. Stated another...

There's no CORS preflight for credentialed GETs. And again, I'm not saying an exception cannot be made, but that it has to be conscious and with a path forward.