Re: [w3c/ServiceWorker] Match Service Worker Registration should assert same-origin? (#1118)

Emily and I still think it's necessary to perform a simple check that the origins (not the URLs) are equal. Origin equality is well-defined: are the schemes equal (case-insensitive string comparison), are the hostnames equal (case-insensitive string comparison), and are the ports equal (int16_t equality).

Origin-matching is a crucial security guarantee on the web, and so we don't feel entirely comfortable without a clear statement (in the spec and in the implementation) that an origin equality check is required.

-- 
View it on GitHub:
https://github.com/w3c/ServiceWorker/issues/1118#issuecomment-300579897

Received on Wednesday, 10 May 2017 18:56:31 UTC
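
The origin equality check described in the comment above, as an added example that is not part of the original message or of the Service Worker specification text. The function names and sample URLs are constructed for illustration; `matchScope` is a simplified longest-prefix scope lookup that applies the origin check before any string comparison.

```javascript
// Added illustration: names and sample URLs are constructed, not spec text.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// Return the (scheme, host, port) tuple of a URL's origin, or null for
// opaque origins (data:, file:, ...), which never compare equal to anything.
function originTuple(input) {
  const origin = new URL(input).origin;   // throws on unparsable input
  if (origin === "null") return null;
  const o = new URL(origin);              // re-parse so blob: URLs use their inner origin
  const scheme = o.protocol.toLowerCase();
  const host = o.hostname.toLowerCase();
  // The URL parser drops a default port, so restore it before comparing.
  const port = o.port === "" ? DEFAULT_PORTS[scheme] : Number(o.port);
  return { scheme, host, port };
}

// Origin equality: scheme, host and port must all be equal.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Longest-prefix scope match with the origin check stated explicitly,
// instead of relying on the string prefix comparison to imply it.
function matchScope(clientURL, scopes) {
  const client = new URL(clientURL);
  client.hash = "";                       // fragments are ignored when matching
  let best = null;
  for (const scope of scopes) {
    if (!sameOrigin(scope, client.href)) continue;   // explicit origin check
    const serialized = new URL(scope).href;
    if (!client.href.startsWith(serialized)) continue;
    if (best === null || serialized.length > best.length) best = serialized;
  }
  return best;
}
```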