Titouan Rigoudy

Results 45 comments of Titouan Rigoudy

New web features should use HTTPS everywhere by default, so I think the right thing to do is to require HTTPS on every hop. That said, in the spirit of...

Sorry, I think I'm confused. What's the difference between these two statements?

> background `attributionsrc` requests are allowed to redirect through insecure origins, but responses for them will not be...

Ah, ok, that makes sense. Thanks! We can indeed trust that the response headers for 3 genuinely came from `secure2.example`, but we cannot trust that `secure1.example` meant to extend its...

Notifying subsequent websites about the error would provide them with some data about other origins involved in the redirect chain. Could an attacker abuse this?

I see. Given that these affect navigation requests, which I believe would carry first-party cookies, it seems a bit dangerous to expose this information cross-origin. If foo.com had some open...