Alright, got it!

Is it my imagination or has this vid been sped up by 10% or so?

Nah, we just talk a bit too fast

@@jakearchibald - I bet 10 Google Bucks its sped up = interesting vid though.

​@@brentgreeff1115​ you just lost 10 Google Bucks

This is really good feedback, thanks. What kinds of things could have done with more detail? The first half of this episode ran longer than I intended, so I think I rushed the rest, sorry!

@@jakearchibald Thanks for your reply. Actually it's first section that I wish it had more explanation .. those mistakes/risks of current cookies implementation... how sending someone to some form on your website can result in you reading their cookies and causing damage? having an onLoad event on avatar image load? what's potentially being leaked? how's sending the Origin header with POST can prevent that? PS: I really enjoyed the episode, and have learned a lot from you guys here & on twitter (don't mean to be critical here). Thanks :)

​@@jakearchibald With CORS's problems&solutions growing more mazelike, I'm not sure the discussion format alone can demystify it. I think it it has to be vid&handson maybe a walkthrough setup and pentest showing the problem, and not just a subtopic of other things like lab-fetch-api it's own focused lab on webfundamentals( or websecurityfundamentals even) .

@@jakearchibald I think a more detailed explanation or examples of a bad situation would be good. For example, many times it's not exactly clear which site is the evil site. Is it example.com or the site fetching from example.com? If i t's the site fetching from example.com, how can it read the cookie content of example.com? Can site A intercept the get request to site B?

Yeah, I don't think it was a subresource, just a top-level navigation.

If you're targeting browsers that don't support SameSite, then yes, you'll need an alternative. The Origin header can be simpler than tokens, but again it depends on browser support. Also, this stuff doesn't work if you have GET endpoints that perform actions, but y'know, you shouldn't have those.

kzbin.info/www/bejne/mnPYqp6omc1-Y6M might do the trick

@@jakearchibald When will I get my precious SharedArrayBuffers back in all the major browsers 😫? Shoutouts to Chrome at least for getting them back asap, but hard to invest a lot in them without support from WebKit. Cheers

Oh yeah, we haven't done this yet (although I've mentioned parts of it in other talks), although there's blog.google/products/ads-commerce/a-more-privacy-first-web if you want to know the latest

I tinkered around with bits of BASIC when I was 7 I guess, but I was more interested in graphical design & animation until I was in my late teens

Jake Archibald interesting. Thanks for the reply

You might be being tripped up by jakearchibald.com/2017/h2-push-tougher-than-i-thought/#requests-without-credentials-use-a-separate-connection. Server push is generally bad.