Attacks on credentialed cross-site resources that aren't fully mitigated through CORS

[johannhof]

This proposal uses CORS as a primary measure to protect embedded subresources from being attacked through credentialed requests (primarily cross-site leaks) in browsers that have cross-site cookies blocked. Because blocking cross-site cookies isn't the default in all browsers, developers currently have to mitigate these attacks through other means, but it's reasonable to expect a shift in the platform to improve security as much as possible and also to come with a mindset shift for developers that will get less diligent about edge cases like rSAFor grants. This is also the motivation for the existing CORS requirement.

As such, it seems reasonable to consider attacks that aren't (fully) mitigated through requiring CORS, such as CSRF or response-time leaks on CORS-enabled requests (@arturjanc mentioned this to me and I hope I'm remembering it right). Similar to #29, it would be good to enable a mechanism that allows for better opt-in by the third party for enabling rSAFor on the first party.

cc @arturjanc @annevk