Consider a variant for static sites about baseline-header HOT 1 OPEN

Understood, and thanks for the feedback!

With a security hat on, I'd prefer for the platform's defaults to assume the worst, and fail closed. It's worse, in my mind, for a developer's inaction to accidentally expose user data than for data to be less-sharable than the developer would prefer. I think that preference is justifiable as more user data becomes potentially web-exposed; truly public documents were the web when it began. I'm not sure they are today.

For those documents, though, you want your site to be frameable, embeddable, openable, and so on. I think it would be excellent to give you a clear path towards doing exactly that! Today, that path is simply a bit faster than I'd prefer. :)

Instead, I'd like for you to add something like X-Frame-Options: ALLOWALL to enable embedding (https://github.com/mikewest/embedding-requires-opt-in), and Cross-Origin-Opener-Policy: unsafe-none (or restrict-properties if we can get that defined and shipped) if you want to give cross-origin documents your window handle (https://github.com/mikewest/coop-by-default), and Cross-Origin-Resource-Policy: cross-origin if you want people to be able to make no-cors requests to your origin. The Baseline propsal doesn't even go that far, however. It simply suggests that developers should be able to opt-into a baseline for their site that's defensive by default, as opposed to the status quo baseline, which isn't.

If you opted into a more defensive baseline, and then opted-out of most/all of that baseline's protections for your public documents by declaring them public (maybe even with a fast-path like we've discussed in whatwg/html#8143), I promise not to tell you you're doing it wrong. :)

from baseline-header.