Mike West

FWIW, SVG would like `` to work with cross-origin resources: https://github.com/w3c/svgwg/issues/707. No one seems interested in implementing it, but it's been discussed for years.

> Should we explicitly call out the fact that if upgrade-insecure-requests is specified we are unwilling to fall back to HTTP on error like we will if the CSP directive...

@yoavweiss Is the developer feedback provided here enough support to move Arthur's repo to WICG?

If y'all have use cases for exposing your authenticators to workers, we can pretty trivially expose the API there. I don't think we'd want to expose the existing credential types...

I think I agree with @annevk and @achristensen07. This does seem like something we ought to change, and the third option seems like the most robust (and consistent) way of...

> * Concluded that while CORS does give you access to resource-level information (timing + size), it doesn’t currently provide origin-level or network-level information, so we shouldn’t extend its semantics...

I know @sleevi has opinions about exposing certificates to extension APIs, as certificates often include personal information (consider workplace MitM devices, or locally-installed antivirus software: the certificates produced by each...

@mikewest does not like cookies. But @mikewest is also pretty clear on the point that deprecating cookies isn't going to happen tomorrow. Something on the order of years seems like...

Sorry I missed your response earlier in the week, @annevk! > I don't really see how. It seems this will only further cement their use. I don't think we can...

> @mikewest this increases the scope of cookie access to all worker types, not just service workers, and makes it more convenient for documents as well. If your position is...