Cross-origin fetches - HTTP 203

  Рет қаралды 39,340

Chrome for Developers

Chrome for Developers

Күн бұрын

Пікірлер: 59
@lele_l
@lele_l 4 жыл бұрын
Http 203 is easily one of my favourite shows on KZbin :D
@nonlogos
@nonlogos 2 жыл бұрын
I need a 3 hr deep dive video on this
@driziiD
@driziiD 4 жыл бұрын
when are we going to give these guys their golden globe award
@wmhilton-old
@wmhilton-old 4 жыл бұрын
I was with you up until CORP and then I got lost 😂. I'll have to rewatch and pause it.
@wmhilton-old
@wmhilton-old 4 жыл бұрын
Alright, got it!
@brentgreeff1115
@brentgreeff1115 4 жыл бұрын
Is it my imagination or has this vid been sped up by 10% or so?
@jakearchibald
@jakearchibald 4 жыл бұрын
Nah, we just talk a bit too fast
@brentgreeff1115
@brentgreeff1115 4 жыл бұрын
@@jakearchibald - I bet 10 Google Bucks its sped up = interesting vid though.
@jakearchibald
@jakearchibald 4 жыл бұрын
​@@brentgreeff1115​ you just lost 10 Google Bucks
@driziiD
@driziiD 4 жыл бұрын
thank you for explaining CORS. I can finally stop having recurring nightmares about it. my therapist will be pleased.
@MaxCoplan
@MaxCoplan 4 жыл бұрын
This was a fantastic episode. I learned a bunch, and now I want more! You should make a bonus episode with all the "boring" details you cut out
@CyberAcidPlanet
@CyberAcidPlanet 4 жыл бұрын
I liked the plot progression in this episode, especially the reveal in the end. Felt like some super villain was defeated!
@IanJamesPhotography
@IanJamesPhotography 4 жыл бұрын
Waited 23 minutes for the dog promised by the video thumbnail. Worth it.
@Zolbat
@Zolbat 4 жыл бұрын
The big try catch block to figure out the correct string to use depending on the version of browser the user has, really reminds me of iOS these days with all the switches depending on what kind of notch phone you have
@jcestibariz
@jcestibariz 4 жыл бұрын
Some reference material: CORP: developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy CORB: www.chromium.org/Home/chromium-security/corb-for-developers nosniff: developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options COEP: wicg.github.io/cross-origin-embedder-policy/
@mustafwm
@mustafwm 4 жыл бұрын
Thanks guys Just one request: If you can assume a bit less knowledge from us next time, that'd be great :) Some of those concepts/examples seemed a bit advanced and were just glanced over, it would have been more helpful if they were explained a bit more. Thanks again :) Looking forward to the tracking episode
@jakearchibald
@jakearchibald 4 жыл бұрын
This is really good feedback, thanks. What kinds of things could have done with more detail? The first half of this episode ran longer than I intended, so I think I rushed the rest, sorry!
@mustafwm
@mustafwm 4 жыл бұрын
@@jakearchibald Thanks for your reply. Actually it's first section that I wish it had more explanation .. those mistakes/risks of current cookies implementation... how sending someone to some form on your website can result in you reading their cookies and causing damage? having an onLoad event on avatar image load? what's potentially being leaked? how's sending the Origin header with POST can prevent that? PS: I really enjoyed the episode, and have learned a lot from you guys here & on twitter (don't mean to be critical here). Thanks :)
@TheNewton
@TheNewton 4 жыл бұрын
​@@jakearchibald With CORS's problems&solutions growing more mazelike, I'm not sure the discussion format alone can demystify it. I think it it has to be vid&handson maybe a walkthrough setup and pentest showing the problem, and not just a subtopic of other things like lab-fetch-api it's own focused lab on webfundamentals( or websecurityfundamentals even) .
@taskforce_kerim
@taskforce_kerim 4 жыл бұрын
@@jakearchibald I think a more detailed explanation or examples of a bad situation would be good. For example, many times it's not exactly clear which site is the evil site. Is it example.com or the site fetching from example.com? If i t's the site fetching from example.com, how can it read the cookie content of example.com? Can site A intercept the get request to site B?
@DenisTRUFFAUT
@DenisTRUFFAUT 4 жыл бұрын
Web workers gonna love Cross-Origin-Embedder-Policy !
@honmameiko1333
@honmameiko1333 4 жыл бұрын
Glad to know the sameSite policy change has been resumed😂
@flightvision
@flightvision 2 жыл бұрын
+1 for a whole episode about unwanted information sharing (tracking) ("Sad User" ;) ). Your topics are always very interesting it is just hard to follow along sometimes as a non-native speaker.
@ancientelevator9
@ancientelevator9 2 жыл бұрын
I feel like you should have introduced the class of problems at the beginning, as well as a walkthrough of some examples.
@TheNewton
@TheNewton 4 жыл бұрын
1:50 pdfs, may be a competitor since mosaic could display them but AFAIK that may only been while on the file path so maybe not a pure sub resource except in however they programmed it to display in a html browser, and ummm actually there was no tag in the spec which probably also rules out any stylesheet prototypes.
@jakearchibald
@jakearchibald 4 жыл бұрын
Yeah, I don't think it was a subresource, just a top-level navigation.
@davidmaxwaterman
@davidmaxwaterman 4 жыл бұрын
What about the problem with losing the cookies (eg sessionid) when your app is added to homescreen on iOS, where your index.html has been cached by the service worker...and/or you're now offline? It works in-browser, but not from homescreen.
@Cookie_Wookie_7
@Cookie_Wookie_7 3 жыл бұрын
When is the cross sure tracking episode
@jakearchibald
@jakearchibald 3 жыл бұрын
Oh yeah, we haven't done this yet (although I've mentioned parts of it in other talks), although there's blog.google/products/ads-commerce/a-more-privacy-first-web if you want to know the latest
@nivoset
@nivoset 4 жыл бұрын
Especially with micro front ends coming up. Something needs to be worked out
@vengateshvaidyanathang550
@vengateshvaidyanathang550 3 жыл бұрын
Guys please provide a gist of entire code at the final minutes..
@nobodyz2700
@nobodyz2700 4 жыл бұрын
yeah... 2020 is pretty bad for breaking changes...
@hobbyturystaSEO
@hobbyturystaSEO 4 жыл бұрын
what about cors at firebase ?
@eduardoreis8500
@eduardoreis8500 4 жыл бұрын
Would you share that presentation?
@api-first
@api-first 4 жыл бұрын
Well, this turned into a reality show quickly ...
@joshuvageorge1678
@joshuvageorge1678 3 жыл бұрын
what is subresource? :
@danielni
@danielni 4 жыл бұрын
So we should still implement CSRF tokens until all browsers support SameSite=Lax?
@jakearchibald
@jakearchibald 4 жыл бұрын
If you're targeting browsers that don't support SameSite, then yes, you'll need an alternative. The Origin header can be simpler than tokens, but again it depends on browser support. Also, this stuff doesn't work if you have GET endpoints that perform actions, but y'know, you shouldn't have those.
@kyay10
@kyay10 4 жыл бұрын
Can you make a video explaining what Meltdown and Spectre is and how it worked and stuff like that? Cuz y'all keep mentioning it, and it honestly sounds pretty interesting!
@jakearchibald
@jakearchibald 4 жыл бұрын
kzbin.info/www/bejne/mnPYqp6omc1-Y6M might do the trick
@MaxCoplan
@MaxCoplan 4 жыл бұрын
@@jakearchibald When will I get my precious SharedArrayBuffers back in all the major browsers 😫? Shoutouts to Chrome at least for getting them back asap, but hard to invest a lot in them without support from WebKit. Cheers
@googleplexer
@googleplexer 4 жыл бұрын
«got me notes» - it’s awesome 😎 😂
@joshkramer2435
@joshkramer2435 4 жыл бұрын
Already subscribed, but Watson got me to click the bell!
@albertodeagostini6143
@albertodeagostini6143 4 жыл бұрын
You should show Watson more often
@CardinalHijack
@CardinalHijack 4 жыл бұрын
Hey Jake, I find it super interesting at 1:35 where you said you were not allowed on the internet, and "nobody knew what the internet was". So I wonder how you got into it? You often find that industry leaders like yourself started coding on a PC when they were around 9 (not that its necessary, but you tend to notice early introduction to tech), so I found it interesting that you seem to state the opposite.
@jakearchibald
@jakearchibald 4 жыл бұрын
I tinkered around with bits of BASIC when I was 7 I guess, but I was more interested in graphical design & animation until I was in my late teens
@CardinalHijack
@CardinalHijack 4 жыл бұрын
Jake Archibald interesting. Thanks for the reply
@Dygear
@Dygear 4 жыл бұрын
CORB-on-the-COB.
@DavidElstob73
@DavidElstob73 4 жыл бұрын
Guys, is it actually possible to Server Push self-hosted fonts? When I add crossorigin my push degrades to a preload. It's super annoying and I can't find a solution. You are my last hope. :)
@jakearchibald
@jakearchibald 4 жыл бұрын
You might be being tripped up by jakearchibald.com/2017/h2-push-tougher-than-i-thought/#requests-without-credentials-use-a-separate-connection. Server push is generally bad.
@danilaplee
@danilaplee 4 жыл бұрын
omg this is such a hot topic!!!
@maistho
@maistho 4 жыл бұрын
That's a lovely dog :)
@frutiboy1
@frutiboy1 3 жыл бұрын
This was hard to learn much from it :,-)
@shobhitchittora2267
@shobhitchittora2267 4 жыл бұрын
Eye opening!
@duncan-dean
@duncan-dean 4 жыл бұрын
Wow nice secret in description.
@gettingthingsdone
@gettingthingsdone 4 жыл бұрын
caring about privacy on the web. working at Google. :D
@davidmaxwaterman
@davidmaxwaterman 4 жыл бұрын
I had to unsubscribe in order to subscribe....ditto for the bell.
@aham3687
@aham3687 4 жыл бұрын
Tongue twister
3.143 ways to synchronize data across documents - HTTP 203
16:21
Chrome for Developers
Рет қаралды 21 М.
WebAssembly Threads - HTTP 203
24:42
Chrome for Developers
Рет қаралды 23 М.
"Идеальное" преступление
0:39
Кик Брейнс
Рет қаралды 1,4 МЛН
She wanted to set me up #shorts by Tsuriki Show
0:56
Tsuriki Show
Рет қаралды 8 МЛН
Surma’s Interop Adventure - HTTP 203
14:43
Chrome for Developers
Рет қаралды 11 М.
Streaming requests with fetch - HTTP 203
22:24
Chrome for Developers
Рет қаралды 37 М.
The main thread is overworked & underpaid (Chrome Dev Summit 2019)
30:06
Chrome for Developers
Рет қаралды 126 М.
Weak JavaScript - HTTP 203
29:22
Chrome for Developers
Рет қаралды 25 М.
Top 10 performance pitfalls - HTTP 203
36:31
Chrome for Developers
Рет қаралды 37 М.
Debugging memory leaks - HTTP 203
22:04
Chrome for Developers
Рет қаралды 47 М.
JavaScript for-loops are… complicated - HTTP203
14:17
Chrome for Developers
Рет қаралды 106 М.
Share Target - HTTP 203
14:49
Chrome for Developers
Рет қаралды 15 М.
JavaScript counters the hard way - HTTP 203
24:08
Chrome for Developers
Рет қаралды 42 М.