Ben Kelly
Currently VARY is not a cors-safelisted header: https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name This means that VARY header matching in cache_storage will not work by default for cors responses. Is this intended? Servers can opt-in...
Forking this from #1321 where we are planning to propagate the origin field on requests when a service worker does `evt.respondWith(fetch(evt.request))`. In order for the correct SameSite cookies to be...
As discussed in #1321 we want to propagate the internal origin field when a Request constructor copies another request without modifying it. One of the reasons for this is so...
Currently we expose a `Sec-Fetch-Site` header to servers, but hide this information from service workers. The `Sec-Fetch-Site` and `origin` headers are not populated until after the FetchEvent is handled by...
Currently we have a number of request headers and getters that describe the initiator of the request. Some of these are security sensitive; e.g. origin and sec-fetch-site. This works well...
Talking with @trevnorris, it sounds like it would be useful to allow a stream to be removed from a pipeline as an optimization. For example, if `a.pipeThrough(b).pipeTo(c)`, remove `b` at...
The explainer currently suggests that a store review prompt should be offered for PWAs that were not installed from a store: https://github.com/MicrosoftEdge/MSEdgeExplainers/blob/main/RatingsAndReviewsPrompt/explainer.md#choosing-which-app-catalogs-to-offer This seems like a quite bad experience for...
I'm a bit confused by the fingerprinting section. Any js that can inspect cache_storage can also write into it. This means js that wants to do some kind of tracking...
The c++ native implementation now has a URLPattern.compareComponent() static method. See: * https://bugs.chromium.org/p/chromium/issues/detail?id=1232795 * https://github.com/WICG/urlpattern/issues/61 This part of the API is not as stable as the rest and may still...