Ben Kelly
Riffing on @yutakahirano's query parameters issue, if a response has a VARY header an attacker could request the url with a different set of matching request headers. I believe most...
What does xhr do today when used from a refreshed document? How about dynamically created img and script elements? I personally don't like adding this global state since the spec...
> I think the reason for this proposal is giving the users control over what behavior fetch() has (as opposed to the developer), similar to what browsers currently are doing...
What version of chrome are you testing in?
I cannot reproduce. 1. Set "block all third-party cookies" on chrome://settings/trackingProtection 2. Reload www.figma.com 3. Observe no devtools issue with text "Third-party websites are allowed to read cookies on this...
The movie does not show the figma tab being reloaded after changing the cookie setting. Did you try that? Also, can you please show your chrome://flags page?
Have you added a cookie exception by clicking this icon in the omnibox? You would then see something in chrome://settings/trackingProtection like this:
It seems possible your enterprise admin is applying a cookie exception via an enterprise policy.
You can observe enterprise policies on chrome://policy. Look for an entry with the policy name "CookiesAllowedForUrls".
I still can't reproduce this. Even with the editor link above the devtools warnings still go away when I block all 3P cookies and reload the figma tab. Instead I...