COEP still doesn't check for HTTPS

[zcorpan]

https://html.spec.whatwg.org/commit-snapshots/0f2615317684a837150f5fc76b216a66f91427d9/#the-headers-2

To obtain an embedder policy from a response response:​

In #5164 I noted that COOP required a secure context while COEP did not. That issue was then merged into #4930 and there were some changes to "HTTPS state", but as far as I can tell there's nothing in the spec that checks for HTTPS for COEP currently.

Opening this issue per discussion with @annevk on IRC.

[annevk]

cc @ArthurSonzogni @yutakahirano

[yutakahirano]

Note: We have a test: https://wpt.fyi/results/html/cross-origin-embedder-policy/no-secure-context.html

Given HTTPS state is removed, we need to check only reservedClient (== top level URL), right?

[annevk]

Yeah, if the top-level environment is a secure context, nested ones will be too.

I think we could make environment a new argument to "obtain an embedder policy", but perhaps this is not great for "check a navigation response's adherence to its embedder policy"? Though in that case it only matters if the parent is a secure context. Perhaps some slight restructuring is in order.

[yutakahirano]

The fix is available at #6336.