- From: Domenic Denicola <notifications@github.com>
- Date: Mon, 18 Nov 2019 12:14:51 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/pull/457/review/318601111@github.com>
domenic commented on this pull request. > <p class=warning>Specifications should prefer the <a for=/>origin</a> concept for security -decisions. The notion of "<a for=host>public suffix</a>", "<a for=host>registrable domain</a>", -and "<a>same site</a>" cannot be relied-upon to provide a hard security boundary, as the public -suffix list will diverge from client to client. Specifications which ignore this advice are -encouraged to carefully consider whether URLs' schemes ought to be incorporated into any decision -made based upon whether or not two <a for=/>hosts</a> are <a>same site</a>. HTML's <a>same -origin-domain</a> concept is a reasonable example of this consideration in practice. +decisions. The notion of "<a for=host>public suffix</a>" and "<a for=host>registrable domain</a>" +cannot be relied-upon to provide a hard security boundary, as the public suffix list will diverge +from client to client. Specifications which ignore this advice are encouraged to carefully consider +whether URLs' schemes ought to be incorporated into any decisions made, i.e. whether to use the +<a>same site</a> or <a>schemelessly same site</a> concepts. HTML's <a>same origin-domain</a> concept +is a reasonable example of this consideration in practice. Added an ID; will update HTML pull request now. I was also thinking of removing the pointer to HTML's same-origin domain concept since I'm not sure I'd call it "reasonable". WDYT? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/pull/457#discussion_r347587487
Received on Monday, 18 November 2019 20:14:54 UTC