Re: [whatwg/fetch] From-Origin (#687)

Let's discuss the subdomain aspect of this.

We'd like servers to express that all pages from the same eTLD+1 are allowed to load the resource. The 2012 proposal as it stands requires the server to list them, which is error-prone and uses up bytes on the wire.

Instead of having a resource on example.com send a response header like this:
`From-Origin: cdn1.example.com, cd2.example.com, www.example.com, secure.example.com, example.com`
... it could send something like this:
`From-Origin: SamePrimary`
... which would match example.com and any chain of subdomains of example.com.

There are at least two pieces of prior art here, none of which seem to fit our needs:
- [HSTS includeSubdomains](https://tools.ietf.org/html/rfc6797#page-16) which tells the browser to include subdomains _of the current host_ in the policy.
- [SameSite Cookies](https://tools.ietf.org/html/draft-west-first-party-cookies-07#page-8) which imply that the hosts should match.

To further complicate things, eTLD+1 has many names:
- eTLD+1
- Public Suffix+1
- Primary Domain
- High Level Domain
- Top Privately-Owned Domain

Some naming ideas:
- From-Origin : SamePrimary
- From-Origin : SamePrimaryDomain
- From-Origin : SameTPOD
- From-Origin : SameETLD+1
- From-Origin : SameETLDPlus1
- From-Origin : SameETLDPlusOne
- From-Origin : SamePublicSuffixPlus1
- From-Origin : SamePublicSuffixPlusOne

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-377615060

Received on Friday, 30 March 2018 20:27:02 UTC
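As an added example (not from this thread or the whatwg/fetch spec), here is a JavaScript sketch of how a user agent could evaluate the two header forms discussed above: the explicit host list and a `SamePrimary` token matched on eTLD+1. The public-suffix table is a constructed subset, and the header syntax is the one used in the comment, not a specified grammar; the `co.uk` cases show why "last two labels" is not a substitute for the Public Suffix List.

```javascript
// Added example, not code from the whatwg/fetch thread.
// Constructed subset of the Public Suffix List (publicsuffix.org); a real
// implementation would load the full list, including wildcard rules.
const PUBLIC_SUFFIXES = new Set(["com", "org", "uk", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): the longest matching public suffix plus one
// label. Returns null when the host is itself a public suffix or has no
// known suffix, so such hosts never count as "same primary".
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// The naive rule a developer might reach for instead; shown only so the
// tests can demonstrate where it diverges from the PSL-based answer.
function lastTwoLabels(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Decide whether a document at requestOrigin (e.g. "https://www.example.com")
// may load a resource served from resourceHost whose response carried
// From-Origin: headerValue. Hypothetical semantics, following the comment:
// either a comma-separated host list or the single token "SamePrimary".
function fromOriginAllows(headerValue, requestOrigin, resourceHost) {
  const requester = new URL(requestOrigin).hostname.toLowerCase();
  const value = headerValue.trim();
  if (value === "SamePrimary") {
    const a = registrableDomain(requester);
    const b = registrableDomain(resourceHost);
    return a !== null && a === b;
  }
  // Explicit list: exact host match only, so a host missing from the list
  // (the error-prone case the comment mentions) is denied.
  const allowed = value.split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  return allowed.includes(requester);
}
```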