Mike West
Site-level process isolation does provide a hard and real boundary, but it pretty clearly falls into the same traps as the rest of the PSL usage, insofar as it defaults...
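To make the boundary the comment is talking about concrete, here is an added example (not code from the comment, from Chromium, or from any spec) of how a "site" is derived from an origin via the Public Suffix List. The PSL subset, the hostnames and the `publicSuffix`/`registrableDomain`/`siteOf`/`sameSite` helper names are all assumptions constructed for this example; a real implementation loads the full list from publicsuffix.org. The last case shows the default the comment alludes to: a multi-tenant host that is not on the list collapses all of its tenants into one site.

```javascript
// Constructed PSL subset for the example (real list: https://publicsuffix.org/list/).
const MINI_PSL = [
  "com",
  "uk",
  "co.uk",
  "github.io",   // private-section entry: each user subdomain is its own site
  "*.ck",        // wildcard rule
  "!www.ck",     // exception rule
];

// Public suffix algorithm: the longest matching rule wins, an exception rule
// beats everything and yields the rule minus its first label, and with no
// match at all the public suffix is just the last label.
function publicSuffix(host) {
  const labels = host.toLowerCase().split(".");
  let best = null;
  for (const rule of MINI_PSL) {
    const exception = rule.startsWith("!");
    const ruleLabels = (exception ? rule.slice(1) : rule).split(".");
    if (ruleLabels.length > labels.length) continue;
    const tail = labels.slice(labels.length - ruleLabels.length);
    const matches = ruleLabels.every((r, i) => r === "*" || r === tail[i]);
    if (!matches) continue;
    if (exception) return ruleLabels.slice(1).join(".");
    if (best === null || ruleLabels.length > best.length) best = ruleLabels;
  }
  if (best === null) return labels[labels.length - 1];
  return labels.slice(labels.length - best.length).join(".");
}

// Registrable domain = public suffix plus one more label. A host that is
// itself a public suffix (e.g. "co.uk") has no registrable domain.
function registrableDomain(host) {
  const suffix = publicSuffix(host);
  const labels = host.toLowerCase().split(".");
  const suffixLen = suffix.split(".").length;
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - suffixLen - 1).join(".");
}

// Scheme-ful site, as the HTML spec defines it: (scheme, registrable domain).
// IP literals and hosts with no registrable domain are their own site.
function siteOf(originString) {
  const u = new URL(originString);
  const host = u.hostname;
  const isIpLiteral = /^\d+(\.\d+){3}$/.test(host) || host.startsWith("[");
  const domain = isIpLiteral ? host : (registrableDomain(host) ?? host);
  return `${u.protocol}//${domain}`;
}

function sameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

// Constructed cases.
for (const [a, b] of [
  ["https://app.example.co.uk", "https://api.example.co.uk"],          // same site
  ["https://alice.github.io", "https://bob.github.io"],                // listed: separate sites
  ["http://a.example.com", "https://a.example.com"],                   // scheme-ful: separate
  ["https://alice.hosting-example.com", "https://bob.hosting-example.com"], // unlisted: one site
]) {
  console.log(siteOf(a), "vs", siteOf(b), "=>", sameSite(a, b) ? "same site" : "cross-site");
}
```

Any hosting provider that forgets (or declines) to register itself in the PSL gets the last outcome: its tenants share a site, and therefore a process, regardless of how the pages themselves were written.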
/cc @annevk who's been thinking about this from Mozilla's perspective. I filed https://github.com/mozilla/standards-positions/issues/517 in the hopes of getting an official position.
I think this breaks into two pieces: the one piece governs the cross-origin serialization (this issue), the other governs access to cross-origin frames (deprecating `document.domain`). It seems reasonable to me...
We're reducing the problem to `document.domain`, which both chips away at the underlying problem, and prevents folks from adopting patterns we're aiming to remove. That doesn't _solve_ the problem, but...
Skimming that PR, I think we're talking about the same checks. I simply disagree with your conclusion in https://github.com/whatwg/html/pull/4940#issuecomment-562181998.
I'd like something like it in Bikeshed, as it's implicitly what I'm doing in a lot of specs anyway. It doesn't look like the patch @domenic referenced actually landed in...
FWIW, some kind of type checking (even something as small as counting the number of arguments) would have prevented me from making the refactoring mistake in https://github.com/w3c/webappsec-csp/pull/105#discussion_r74672732.
I agree with @annevk and @beverloo: let's restrict the `icon` and `image` options to secure resources. That is both the simplest solution and the most forward-compatible with a secure web...
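As an added illustration of the restriction being proposed (example code, not from the comment or from any browser or spec), here is the Secure Contexts "potentially trustworthy URL" test applied to notification-style `icon`/`image` options. The `isPotentiallyTrustworthyURL` and `rejectInsecureResourceOptions` names, the sample option bags and the base URL are assumptions constructed for the example; the scheme and host rules follow the published Secure Contexts algorithm.

```javascript
// "Is url potentially trustworthy?" from the Secure Contexts spec, reduced to
// the cases that matter for a resource URL. Unparseable input is untrusted.
function isPotentiallyTrustworthyURL(input, base) {
  let url;
  try {
    url = new URL(input, base);
  } catch (e) {
    return false;
  }
  if (url.href === "about:blank" || url.href === "about:srcdoc") return true;
  const scheme = url.protocol.replace(/:$/, "");
  if (scheme === "data") return true;
  if (scheme === "blob") return isPotentiallyTrustworthyURL(url.pathname); // inner origin
  if (scheme === "https" || scheme === "wss" || scheme === "file") return true;
  const host = url.hostname;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;   // 127.0.0.0/8
  if (host === "[::1]") return true;                                 // IPv6 loopback
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  return false;
}

// Apply the check to the option names under discussion and report which
// ones would be dropped. Relative URLs are resolved against the page's URL,
// so an http: page cannot smuggle in an insecure icon via a relative path.
function rejectInsecureResourceOptions(options, pageURL) {
  const rejected = [];
  for (const key of ["icon", "image"]) {
    if (options[key] === undefined) continue;
    if (!isPotentiallyTrustworthyURL(options[key], pageURL)) rejected.push(key);
  }
  return rejected;
}

// Constructed sample option bags.
const page = "https://site.example/app";
console.log(rejectInsecureResourceOptions(
  { icon: "http://cdn.example/icon.png", image: "https://cdn.example/hero.jpg" }, page)); // [ 'icon' ]
console.log(rejectInsecureResourceOptions(
  { icon: "/icon.png", image: "data:image/png;base64,iVBORw0KGgo=" }, page));              // []
console.log(rejectInsecureResourceOptions(
  { icon: "/icon.png" }, "http://site.example/app"));                                      // [ 'icon' ]
```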
@mozfreddyb, @fmarier, @metromoxie, and @devd are the "SRI folks". :) @otherdaniel might also have thoughts. Also, https://tools.ietf.org/html/draft-thomson-http-mice-03 is relevant.
I haven't reviewed the proposal in detail, but based on the suggested attack surface above, it does seem pretty reasonable to force resources to opt-into inclusion in an environment that...