Mike West
What are you thinking about with regard to `Response`? I agree that this is something that should be dealt with at a centralized location rather than monkeypatching a variety of...
Addressed the two nits. Still curious about the `Response` note.
Also happening for https://chromestatus.com/feature/5189079788683264's origin trial privacy flag.
Given current browser support, StrictCSP is the only thing we could require. I agree that that has limitations, and that Trusted Types would address many of them, but I don't...
> If we decide to go with Strict CSP only, is there a possibility to expand to add Trusted Types in the future?

Not easily, as it would be a...
I'm archiving this repo, and moving the injection discussion to https://mikewest.github.io/injection-mitigated/. I think this issue in particular is less-relevant given happenings in the intervening years, but if there's still something...
cc @annevk for thoughts from the Fetch perspective, as I think folks are interested in starting to poke at an implementation in Chromium.
The secure context spec generally breaks the link between "secure enough" `SharedWorker` instances. See https://www.w3.org/TR/secure-contexts/#example-2829bc67 and https://www.w3.org/TR/secure-contexts/#monkey-patching-shared-workers. Presumably we'd update that to include these types of secureness as well. `BroadcastChannel`...
Great. I'll mark this as a documentation bug to make sure we incorporate it into the security considerations section of whatever spec we end up writing.
I'm archiving this repo. I'm not entirely sure where I'd direct you for this issue. Perhaps https://www.w3.org/TR/post-spectre-webdev/?