I don't think this is a useful comparison. This is Google's bug with Google's software vs. Project Zero's discoveries are (as I understand them) typically in software used by multiple people and thus there's a higher urgency to fix them.
GitHub Pages also doesn’t (yet) support custom headers and you can add them with Cf via Workers. So if you’re concerned about the results of securityheaders.io, for example, you can add those in.
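As an added example (not part of the comment above, and not Cloudflare's or GitHub's own code): a Worker placed in front of a GitHub Pages origin that copies each origin response and sets common security response headers. The header values and the CSP are assumed defaults for a static site, and `withSecurityHeaders` is a hypothetical helper name.

```javascript
// Added example: Cloudflare Worker logic for a site served from GitHub Pages.
// All header values are constructed defaults (assumptions); tune them per site.
const SECURITY_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// A CSP only applies to documents, so it is attached to HTML responses only.
const HTML_CSP =
  "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

function withSecurityHeaders(originResponse) {
  // Headers on a Response returned by fetch() are immutable, so copy them
  // into a fresh Headers object and build a new Response around the same body.
  const headers = new Headers(originResponse.headers);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    headers.set(name, value); // overwrite rather than append duplicates
  }
  const contentType = (headers.get("Content-Type") || "").toLowerCase();
  if (contentType.startsWith("text/html")) {
    headers.set("Content-Security-Policy", HTML_CSP);
  }
  return new Response(originResponse.body, {
    status: originResponse.status,
    statusText: originResponse.statusText,
    headers,
  });
}

// Worker entry point. In a deployed module Worker, this object is the
// module's default export; the fetch() call forwards the request to the origin.
const worker = {
  async fetch(request) {
    return withSecurityHeaders(await fetch(request));
  },
};
```

Origin headers such as `ETag` and `Cache-Control` pass through unchanged, so caching behaviour stays as GitHub Pages set it.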
1Password's cloud offering architecture has a few important distinctions from other offerings. Namely the use of a password authenticated key exchange (PAKE) and a "Secret Key" that is never transmitted to 1Password servers. [1, 2] If you ultimately trust the app for local vaults, there's a case for extending that trust to the cloud offering.
> Web3 is by far the easiest way to provide auth to a web app right now
Easiest by what measure? As I understand it, few browsers (read: only one or two) have built in wallets and outside of that the UX for this auth isn’t great. It’s hard to see how this is better/easier to use than existing OIDC/"Sign In With X" solutions.
Though personally, beyond GitHub for dev-related sites, I won’t use them.
If anything it enables “websites” to be simpler, smaller.
A UI atop a single function.
Without the bloat. Without the “we must do enough to show value to get users to sign up”.
I just auth, use it, and move on with my life.
Sometimes there’s a fee per use. Sometimes that value is exchanged somewhere else in the transaction. But either way, I got what I needed and I’m done.
And what does this revocation accomplish? The app still has your unique address. This revocation is simply "don't log me in next time." You still need to use the app to delete any data, if that's even possible (highly dependent on the app). This is no different than going to your GitHub account (in the parent comment's example) and revoking https://docs.github.com/en/authentication/keeping-your-accou....
Only if the web3 app itself is entirely decentralized, doesn't implement any moderation, and never votes to change the above. I suspect they will quickly need moderation, and therefore it won't matter if your identity is irrevocable as the platform itself could easily block it.
I do see the value in being able to bring an identity around and store it in a blockchain, but... extreme fragmentation is a bummer.
Small plug for LavaMoat (https://github.com/LavaMoat/LavaMoat) which includes tools to more granularly disable dependency lifecycle scripts via @lavamoat/allow-scripts.
Ben Felix, a popular financial YouTuber, made many a video about the math:
https://youtube.com/watch?v=j4H9LL7A-nQ https://youtube.com/watch?v=lBG-g1CKfgs