Comments (1)
Understood, and thanks for the feedback!
With a security hat on, I'd prefer for the platform's defaults to assume the worst, and fail closed. It's worse, in my mind, for a developer's inaction to accidentally expose user data than for data to be less-sharable than the developer would prefer. I think that preference is justifiable as more user data becomes potentially web-exposed; truly public documents were the web when it began. I'm not sure they are today.
For those documents, though, you want your site to be frameable, embeddable, openable, and so on. I think it would be excellent to give you a clear path towards doing exactly that! Today, that path is simply a bit faster than I'd prefer. :)
Instead, I'd like for you to add something like X-Frame-Options: ALLOWALL
to enable embedding (https://github.com/mikewest/embedding-requires-opt-in), and Cross-Origin-Opener-Policy: unsafe-none
(or restrict-properties
if we can get that defined and shipped) if you want to give cross-origin documents your window handle (https://github.com/mikewest/coop-by-default), and Cross-Origin-Resource-Policy: cross-origin
if you want people to be able to make no-cors requests to your origin. The Baseline
propsal doesn't even go that far, however. It simply suggests that developers should be able to opt-into a baseline for their site that's defensive by default, as opposed to the status quo baseline, which isn't.
If you opted into a more defensive baseline, and then opted-out of most/all of that baseline's protections for your public documents by declaring them public (maybe even with a fast-path like we've discussed in whatwg/html#8143), I promise not to tell you you're doing it wrong. :)
from baseline-header.
Related Issues (2)
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from baseline-header.