| 22 Sep 2021 |
 Jake Archibald | Ta! | 13:07:35 |
 annevk | Yeah exactly. Still not quite arbitrary bytes so maybe we should have drawn a harder line there. In the early days of CORS this didn't get as much consideration as it probably should have. | 13:08:24 |
 Andreu Botella (he/they) | text/plain form payloads are /^.*=.*\r\n$/, which IMO doesn't merit a harder line | 13:15:02 |
| annevk | Fair, you can do a lot with ASCII. 😊 | 13:19:16 |
 Domenic | In reply to @annevk:mozilla.org
Domenic: you didn't weigh in yet, but are you okay with merging credentialless with the added warning? Yeah for sure. One option I was thinking of is that we could mandate that "concrete" COI is not used with credentialless without PNA/ORB, but I'm on the fence there. | 14:44:56 |
| 23 Sep 2021 |
|  Ahmad Ajmi joined the room. | 02:23:58 |
| annevk | Luca Casonato: did you see https://github.com/heycam/webidl/pull/526? I'm somewhat curious what Deno/Node.js make out of ShadowRealms and the additional "non"-JS globals to be exposed therein | 07:08:14 |
 Luca Casonato | Going to be a pain to implement I imagine (still not 100% clear on the scope of globals available in ShadowRealms). Generally seems fine though | 07:40:02 |
 Ms2ger 💉💉 | Nobody's clear on the scope right now :) | 07:40:27 |
| Luca Casonato | Ah good, not just me then 😅 | 07:40:47 |
|  ryzokuken changed their display name from ryzokuken (back on 23rd) to ryzokuken. | 08:02:07 |
| annevk | sideshowbarker: happy b-day 🎂 \o/ | 08:09:08 |
 sideshowbarker | In reply to @annevk:mozilla.org
sideshowbarker: happy b-day 🎂 \o/ Thanks 🥳 | 08:12:31 |
| Ms2ger 💉💉 | 🎉 | 08:13:51 |
| Luca Casonato | Happy birthday! | 08:15:31 |
| Jake Archibald | Yay happy birthday sideshowbarker! | 11:50:26 |
| Jake Archibald | annevk: Why do we disallow isolated pages from postMessageing non-isolated pages? I don't see the security issue, since the same stuff can be laundered through storage | 11:52:47 |
| annevk | Jake Archibald: it's not disallowed per se, but you cannot get hold of a WindowProxy across that boundary | 11:57:14 |
| Jake Archibald | annevk: Ahh, so it's just a side-effect of disconnecting the proxy? So BroadcastChannel still works between isolated and non-isolated pages?
Sorry, I'm trying to figure out how the reporting side of this works and I'm finding the spec quite dense 😄
| 11:59:01 |
| annevk | Jake Archibald: closing the browsing context, yes; BC ought to work, like storage it only uses origins; postMessage with service/shared workers would work too (although you cannot always get SAB across of course) | 12:01:30 |
| Ms2ger 💉💉 | BC is a dangerous acronym in this context | 12:01:54 |
| Jake Archibald | hah | 12:02:01 |
| Jake Archibald | cross-BC BC | 12:02:26 |
| annevk | I don't understand how Chrome shipped EyeDropper and nobody seemingly looked at the open issues with the spec. And it seems the TAG mainly focused on API shape and not security... | 12:05:00 |
| annevk | Ah, I guess some of those issues were opened after it was already approved... | 12:09:10 |
| Jake Archibald | annevk I'm struggling to figure out step 2 of https://html.spec.whatwg.org/multipage/origin.html#check-browsing-context-group-switch-coop-value. What is it allowing? An isolated page to create a popup to a non-isolated page? | 16:43:03 |
| annevk | Jake Archibald: that's more about COOP and not COOP+COEP | 16:51:13 |
| annevk | Jake Archibald: if you have COOP but allow popups, this ensures no replacement happens for the popup, unless the popup itself has a COOP | 16:52:04 |
| Jake Archibald | Taaaa | 16:52:36 |
| Jake Archibald | annevk really appreciate all the help with this | 16:53:02 |
