Mike West

Results: 230 comments by Mike West

I was only planning to block `http` and `https` URLs. If it turns out that we can block unencoded `

We plan to ship an implementation of the strategy outlined here in Blink (targeting Chrome 61). I've filed https://bugs.webkit.org/show_bug.cgi?id=172748 and https://bugzilla.mozilla.org/show_bug.cgi?id=1369029 to solicit more feedback from other folks.

I'm asking around in Chromium to see if anyone has time to invest here; it's a good mitigation, and I'd like to get this specified in a way folks can...

If we can get away with dropping redirects entirely, I'd be happy too. @jakearchibald might have more context on how we landed on the current behavior?

After some conversations with @annevk, we realized that the existing model of running JavaScript in the middle of a DOM operation was a bad idea; https://github.com/w3c/webappsec-trusted-types/issues/248 walks through the thought...

We've talked about this kind of thing in the past, and got hung up on complexities around reissuing requests without credentials if responses asserted `ACAO: *` (see https://github.com/w3ctag/design-reviews/issues/76). Carving out...

"catastrophically failing" was hyperbolic, I grant you. :) My suggestion was simply that "anonymous CORS by default" would only work in those cases where no cookie had been set, and...

I do think something like this would be useful, and Node's implementation seems like a reasonable justification for paving the cowpath. If WebKit and Mozilla are also interested, I think...

cc @otherdaniel, who's looking into sniffing (or not) insofar as it impacts ORB.