Mike West (@mikewest)

Followers: 6K · Following: 2K · Statuses: 15K

@[email protected] - Making the web marginally less insecure, one deprecation at a time. I work on Chrome, but my tweets are my own, etc, etc. He/him.

München, DE
Joined December 2006

Mike West (@mikewest) · 3 years
We've improved our implementation of this feature, and are trying preflights again in Chrome 102 (which started rolling out yesterday). With luck, servers will be a little more tolerant of OPTIONS requests than they were the first time around... :)

Mike West (@mikewest) · 3 years
FYI: Your intranet services will likely receive new OPTIONS requests with `Access-Control-Request-Private-Network` headers as Chrome 98 rolls out. We're experimenting with preflights for requests initiated outside of your local network as part of (1/3)

Mike West (@mikewest) · 2 months
@davidcadrian @durumcrustulum If boring was XXtremely fast, this wouldn't be a problem. Clearly, @agl, @davidben__ et al. need to step it up.

Mike West (@mikewest) · 8 months
@ericlaw Yes. My recollection is that network state had more negative impact than cache partitioning, and also that the team did a fairly intense amount of work to understand those impacts. @miketaylr can likely point you to docs? I'm coming up short. :/

Mike West (@mikewest) · 8 months
@mnot @yoavweiss I could also follow up on the email I wrote y'all ~4 years ago about running the ID through the independent stream. 🤷 Seems worth asking again whether other vendors are interested, but my strong suspicion is that folks will be (even) less interested in cookie changes these days.

Mike West (@mikewest) · 8 months
@yoavweiss @mnot 1. It seemed like folks recognized that the core motivation is not a Google problem, but an intranet problem that's relatively common. Still, people don't like cookies. 🤷 2. I think prioritizing secure is in 6265bis:

Mike West (@mikewest) · 8 months
@yoavweiss I'll take that back a little. People did object to adding complexity, questioned the necessity, and suggested experimenting with the number of cookies per domain instead. See :) But folks did recognize the problem, and a solution would be nice.

Mike West (@mikewest) · 2 years
@patricktoomey @arturjanc @frgx Ah, hindsight. If CORP hadn't existed at the time we were exploring Spectre mitigations, I think we would have run with something like `COEP: require-cors` initially. I do think that the distinction between ACAO and CORP is meaningful, but probably too nuanced to matter.

Mike West (@mikewest) · 2 years
@patricktoomey @frgx @arturjanc `COEP: credentialless` and `<iframe credentialless>` strip credentials from cross-origin (as opposed to cross-site) requests, which aligns with the per-origin process model that's necessary to mitigate some kinds of side-channels.

Mike West (@mikewest) · 2 years
@patricktoomey @arturjanc (Artur is smart. And, happily, prolific. :) )

Mike West (@mikewest) · 2 years
@domenic Deprecation, unfortunately, is much easier than removal.

Mike West (@mikewest) · 2 years
@davidcadrian is an approach that I think isn't crazy. I'd change some things if I was writing it today, but the framing still feels right to me.

Mike West (@mikewest) · 2 years
@zcorpan I agree that this will be a good thing, but a slight nit: `document.domain` will only be a no-op by default. Developers can opt into its usage by explicitly opting out of the potential for origin-based isolation via `Origin-Agent-Cluster: ?0`.

Mike West (@mikewest) · 2 years
@zcorpan @SecurityMB My understanding is that Facebook isn't a blocker. We have run across an apparent bug in Chromium's handling of `Origin-Agent-Cluster` inheritance that's affecting some enterprise applications; it's not clear to me whether we're going to make 114.

Mike West (@mikewest) · 2 years
RT @w3cdevs: The workshop is presented jointly by @w3c, @theopenssf @owasp, and @openjsf. The event's agenda is built by a PC constituted o…

Mike West (@mikewest) · 2 years
@garethheyes @sudhanshur705 No worries. Chrome is still working towards shipping it, and no other engine has started on it yet (AFAIK), so there's still some work to do to make it clearly part of the platform. :)

Mike West (@mikewest) · 2 years
@garethheyes @sudhanshur705 forces a new preflight for all requests that cross a network boundary the browser understands (.

Mike West (@mikewest) · 2 years
@garethheyes @sudhanshur705 Ideally, this will be more difficult once we ship chrome://flags/#private-network-access-respect-preflight-results.

Mike West (@mikewest) · 2 years
RT @kcotsneb: #SecWeb on May 25 (co-located with S&P) has an exciting keynote speaker lineup with @arturjanc and Yinzhi Cao. Need a reason…