From 7778db5bd3a37e74ee78333140923504e7e96e05 Mon Sep 17 00:00:00 2001 From: Chris Fredrickson Date: Sun, 5 May 2024 15:29:48 -0400 Subject: [PATCH] Fix typo --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f1a8076..f1a6d54 100644 --- a/README.md +++ b/README.md @@ -173,7 +173,7 @@ However, the `Sec-Fetch-Storage-Access` and `Activate-Storage-Access` headers do ### CORS integration -It is tempting to design this functionality such that it piggy-backs and/or integrates with CORS directly, since CORS intuitively feels like it is menat to address a similar problem of enabling cross-origin functionality. However, this would be undesirable for a few reasons: +It is tempting to design this functionality such that it piggy-backs and/or integrates with CORS directly, since CORS intuitively feels like it is meant to address a similar problem of enabling cross-origin functionality. However, this would be undesirable for a few reasons: * If CORS (and the relevant SAA permission, of course) were a "sufficient" condition for attaching unpartitioned cookies... * Then this would allow the top-level site to attack the embedded site by sending (CORS-enabled) credentialed requests to arbitrary endpoints on the embedded site, without requiring any opt-in from the embedded site before it received those requests. This would make CSRF attacks against the embedded site more feasible. This is undesirable for security reasons.
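Review bot: The subject "Fix typo" names neither the file nor the word, so this change will be hard to find in the log later. The only edit is "menat" to "meant" on the first line of the paragraph under `### CORS integration` in README.md, and a subject along the lines of "README: fix 'menat' typo in CORS integration section" would say so. The replacement line is otherwise identical to the removed one, so the correction looks complete for that sentence. While this paragraph is open, the trailing context bullet ends with "This would make CSRF attacks against the embedded site more feasible. This is undesirable for security reasons."; the second sentence repeats the first and could be dropped in a follow-up.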