Re: [blink-dev] Intent to Prototype: Web app handle links

2021-10-01 Thread Fabrice Desre
Hi, This functionality looks useful as a user agent feature, but I'm not convinced that it should be added in the manifest. The default behavior when clicking on a link should be to open it in the app that the link is in scope for. The user agent can let users override that behavior with

Re: [blink-dev] Intent to Ship: WebTransport

2021-10-01 Thread Yutaka Hirano
Hi Philip, Sorry for the belated reply. Comments inline: On Thu, Sep 30, 2021 at 7:31 PM Philip Jägenstedt wrote: > Hi again, > > I've made a full pass of the intent now. I have a lot of questions, but am > pretty convinced we should ship this, it's just a matter of what things > need to block

Re: [blink-dev] Intent to Ship: Content-Security-Policy delivery via response headers for dedicated workers.

2021-10-01 Thread Antonio Sartori
On Fri, Oct 1, 2021 at 5:09 PM Chris Harrelson wrote: > One more requirement from my perspective, and one question below. > > Thanks. Replies inline. > On Fri, Oct 1, 2021 at 2:50 AM Yoav Weiss wrote: > >> *LGTM1* >> >> Thank you for doing this analysis! 2/550K is significantly less than 80%

Re: [blink-dev] Intent to Ship: Content-Security-Policy delivery via response headers for dedicated workers.

2021-10-01 Thread Chris Harrelson
One more requirement from my perspective, and one question below. On Fri, Oct 1, 2021 at 2:50 AM Yoav Weiss wrote: > *LGTM1* > > Thank you for doing this analysis! 2/550K is significantly less than 80% :P > > I believe that puts us at ~0.00036%, and the actual number of affected > sites (as

Re: [blink-dev] Intent to Ship: WebTransport

2021-10-01 Thread Martin Thomson
Given where things stand with issue 349, perhaps you might consider excluding that from the implementation. It's an extension that can be added later very easily. On Thu, Sep 30, 2021 at 9:22 PM Mike West wrote: > Like Philip, I think this is a useful mechanism, and I'd like to see it > ship.

Re: [EXTERNAL] Re: [blink-dev] Intent to Implement and Ship: Add support for Promise to Blobs in clipboard item

2021-10-01 Thread Yoav Weiss
On Fri, Oct 1, 2021 at 12:46 PM Anne van Kesteren wrote: > On Fri, Oct 1, 2021 at 12:35 PM Yoav Weiss wrote: > > Thanks Anne and Thomas for the cross-browser context. > > > > Anupam - looking at the issue Anne posted, it seems Firefox explicitly > did not implement this. > > I think it'd be

Re: [EXTERNAL] Re: [blink-dev] Intent to Implement and Ship: Add support for Promise to Blobs in clipboard item

2021-10-01 Thread Anne van Kesteren
On Fri, Oct 1, 2021 at 12:35 PM Yoav Weiss wrote: > Thanks Anne and Thomas for the cross-browser context. > > Anupam - looking at the issue Anne posted, it seems Firefox explicitly did > not implement this. > I think it'd be interesting to get their opinions as to why, and whether we > should

Re: [EXTERNAL] Re: [blink-dev] Intent to Implement and Ship: Add support for Promise to Blobs in clipboard item

2021-10-01 Thread Yoav Weiss
Thanks Anne and Thomas for the cross-browser context. Anupam - looking at the issue Anne posted, it seems Firefox explicitly did not implement this. I think it'd be interesting to get their opinions as to why, and whether

Re: [blink-dev] Intent to Ship: Content-Security-Policy delivery via response headers for dedicated workers.

2021-10-01 Thread Yoav Weiss
*LGTM1* Thank you for doing this analysis! 2/550K is significantly less than 80% :P I believe that puts us at ~0.00036%, and the actual number of affected sites (as opposed to workers) is an order of magnitude lower. Also, there's no particular reason to believe HA is unrepresentative for this

Re: [blink-dev] Intent to Ship: Auto-expand details elements

2021-10-01 Thread Balazs Engedy
Thank you for the detailed differential threat analysis, SGTM from the permissions side. Glad to see the ongoing work on robust and comprehensive mitigations. On Friday, October 1, 2021 at 1:41:54 AM UTC+2 Joey Arhar wrote: > > in anticipation of a future world where the preexisting vectors of

Re: [blink-dev] Intent to Ship: Content-Security-Policy delivery via response headers for dedicated workers.

2021-10-01 Thread Antonio Sartori
Sorry, of course. I just forgot. On Fri, Oct 1, 2021 at 9:30 AM Yoav Weiss wrote: > Thanks!! > > On Fri, Oct 1, 2021 at 9:23 AM Antonio Sartori <antoniosart...@chromium.org> wrote: > >> I did some more research in httparchive. By filtering out only >> interesting CSPs delivered by workers

Re: [blink-dev] Intent to Ship: Content-Security-Policy delivery via response headers for dedicated workers.

2021-10-01 Thread Yoav Weiss
Thanks!! On Fri, Oct 1, 2021 at 9:23 AM Antonio Sartori wrote: > I did some more research in httparchive. By filtering out only interesting > CSPs delivered by workers and comparing them with their owner document's > CSP, I was left with only two entries (out of the total 457,780 worker >

Re: [blink-dev] Intent to Ship: Content-Security-Policy delivery via response headers for dedicated workers.

2021-10-01 Thread Antonio Sartori
I did some more research in httparchive. By filtering out only interesting CSPs delivered by workers and comparing them with their owner document's CSP, I was left with only two entries (out of the total 457,780 worker requests) which might actually break. The details are in this document