by ohazi 2162 days ago
I'm conflicted.

On the one hand, this looks way too complicated, and I predict web devs are going to be confused and getting this stuff subtly wrong for the next decade or more. CORS was bad enough, but this looks worse.

On the other hand, processors are completely broken and I genuinely don't see a better alternative.

1 comments

It doesn't seem so bad to me. Fetch Metadata will be handled by your framework of choice (Rails, Django, etc.) & COOP is a single header that can be deployed by the security team in your app or at the edge. TrustedTypes are the only thing that will really cause developer headaches, I think.

> ... & COOP is a single header that can be deployed by the security team ...

I wish this was my experience with security teams. The teams I've worked with through the years are generally disconnected from any product teams and support a wide-ranging enterprise. So they simply don't have the resources or specific technical or product knowledge to do it. It would be awesome to have a security person on the team directly mitigating issues, understanding the product, and making everyone else more security-knowledgeable. I've just never seen it happen though. But I digress.

I agree. These new sets of headers look useful and simple to get going, and would even be useful to deploy today. So it seems worth checking out!
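
For readers of the thread, an added example (not written by any commenter and not taken from Rails, Django or another framework): a minimal WSGI middleware that applies a Fetch Metadata resource isolation policy and sets the single COOP header discussed above. The names `IsolationMiddleware`, `fetch_metadata_allows`, `demo_app` and `simulate` are hypothetical, and the requests are constructed in-process.

```python
from wsgiref.util import setup_testing_defaults

# Sec-Fetch-Site values that are not cross-site ("none" = user-initiated).
TRUSTED_SITES = {"same-origin", "same-site", "none"}

def fetch_metadata_allows(environ):
    """Decide whether a WSGI request passes the isolation policy."""
    site = environ.get("HTTP_SEC_FETCH_SITE")
    if site is None:
        return True  # client sends no Fetch Metadata: nothing to judge
    if site in TRUSTED_SITES:
        return True
    # Cross-site: allow only plain top-level navigations (link clicks),
    # not subresource loads, form POSTs, or <object>/<embed> framing.
    return (environ.get("REQUEST_METHOD") == "GET"
            and environ.get("HTTP_SEC_FETCH_MODE") == "navigate"
            and environ.get("HTTP_SEC_FETCH_DEST") not in ("object", "embed"))

class IsolationMiddleware:
    """Hypothetical middleware: Fetch Metadata filter plus COOP header."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not fetch_metadata_allows(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"blocked by Fetch Metadata policy\n"]
        def with_coop(status, headers, exc_info=None):
            headers = list(headers) + [("Cross-Origin-Opener-Policy", "same-origin")]
            return start_response(status, headers, exc_info)
        return self.app(environ, with_coop)

def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]

def simulate(method="GET", **sec_fetch):
    """Send one constructed request; return (status, response headers)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    for name, value in sec_fetch.items():
        environ["HTTP_SEC_FETCH_" + name.upper()] = value
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    list(IsolationMiddleware(demo_app)(environ, start_response))
    return seen["status"], seen["headers"]
```

Requests without `Sec-Fetch-Site` are allowed through because older browsers and non-browser clients do not send it, so this filter complements rather than replaces existing CSRF defences.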