Mike West
I do think these are the kinds of hardening steps we'll want to take once we've limited the exposure of resources into an attacker's process. This includes both server-side reevaluation...
I'm archiving this repo. I think this issue was dealt with by `[CrossOriginIsolated]`?
Reviewing this as part of the I2S you published a few days ago: the spec text you landed on in https://github.com/w3c/secure-payment-confirmation/pull/233 doesn't say much of anything about the characteristics that...
Hey @stephenmcgruer, thanks for the response!

> We could incorporate them into the spec as non-normative requirements (as you note, as a set of considerations), but we followed the lead...
Thanks @nickburris, that generally answers my questions. I think it would be ideal to spell these considerations out a bit more in the specification, but I appreciate you walking me...
@otherdaniel can almost certainly help here.
I'm assuming that the proxy configuration of a given user agent is outside the scope of Fetch, so I'm mostly concerned with requests triggered by websites. I agree, though, that...
@yutakahirano:

> Will private networks be covered by https://github.com/wicg/private-network-access?

Ideally, yes, but that seems somewhat orthogonal to the question here.

> Is it reasonable to require CORS preflights for requests...
> If you're a man-in-the-middle attacker, you can respond to DNS lookups to wpad to get users to use your own PAC script.

This feature that is only really targeted...
> Once a PAC script is injected, it can make requests for http://some_host:80/ to http://local.domain: by setting that as a proxy for those requests.

This would bypass both the port...
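The mechanism the last two comments describe, as an added illustration that is not code from the thread, from Fetch, or from any browser: an attacker-supplied PAC script answers `PROXY local.domain:80` for a harmless-looking public URL, so a bad-port or private-network check that only inspects the request URL passes, while the TCP connection actually goes to the local host. The hostnames `some_host` and `local.domain` follow the comment; the PAC evaluator, the bad-port list, the set of "private" hostnames and the function names are assumptions made for this example.

```javascript
// Added example (not from the thread). Assumed names: PAC_SCRIPT, loadPac,
// isBlockedByUrlCheck, effectiveDestination, isBlockedAfterProxy.

// Constructed attacker-controlled PAC script of the kind a spoofed WPAD answer could deliver.
const PAC_SCRIPT = `
  function FindProxyForURL(url, host) {
    // Route the victim's requests for some_host through a "proxy" on the local network.
    if (host === "some_host") return "PROXY local.domain:80";
    return "DIRECT";
  }
`;

// Evaluate the PAC script the way a PAC runner would: define FindProxyForURL in its own scope.
function loadPac(script) {
  return new Function(`${script}; return FindProxyForURL;`)();
}

// Port taken from the URL, falling back to the scheme default (http/https only, for brevity).
function portOf(u) {
  return u.port ? Number(u.port) : (u.protocol === "https:" ? 443 : 80);
}

// A naive URL-based check: assumed subset of a bad-port list plus an assumed list of
// hostnames that this example treats as "private". It never looks at where the bytes go.
const BAD_PORTS = new Set([25, 6000]);
const PRIVATE_HOSTS = new Set(["localhost", "local.domain"]);

function isBlockedByUrlCheck(urlString) {
  const u = new URL(urlString);
  return BAD_PORTS.has(portOf(u)) || PRIVATE_HOSTS.has(u.hostname);
}

// Where the connection is really opened once the PAC decision is applied.
function effectiveDestination(urlString, findProxyForURL) {
  const u = new URL(urlString);
  const decision = findProxyForURL(urlString, u.hostname);
  const m = /^PROXY\s+([^:\s]+):(\d+)/.exec(decision);
  if (m) return { host: m[1], port: Number(m[2]) };
  return { host: u.hostname, port: portOf(u) };
}

// The same check applied to the effective destination instead of the request URL.
function isBlockedAfterProxy(urlString, findProxyForURL) {
  const dest = effectiveDestination(urlString, findProxyForURL);
  return BAD_PORTS.has(dest.port) || PRIVATE_HOSTS.has(dest.host);
}

const findProxyForURL = loadPac(PAC_SCRIPT);
const victimUrl = "http://some_host:80/";

console.log("URL check blocks request:", isBlockedByUrlCheck(victimUrl));          // false
console.log("actual destination:", effectiveDestination(victimUrl, findProxyForURL)); // local.domain:80
console.log("check on destination blocks:", isBlockedAfterProxy(victimUrl, findProxyForURL)); // true
```

The point of the example is the gap between the two checks: `isBlockedByUrlCheck` is satisfied because `http://some_host:80/` names a public host on a normal port, yet the proxy decision sends the bytes to `local.domain`. A check that wants to hold up against an injected PAC script has to be applied to the resolved proxy endpoint as well, which is what `isBlockedAfterProxy` does here.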