Re: questions on same-site cookies algorithm (draft-west-first-party-cookies)

Thanks for the feedback, Jeff!

On Fri, Jun 17, 2016 at 8:51 PM, <jeff.hodges@kingsmountain.com> wrote:

>
> > 2.1.1.  Document-based requests
> >    ...
> >    Given a Document ("document"), the following algorithm returns its
> >    "site for cookies" (either a registrable domain, or the empty
> >    string):
> >
> >    1.  Let "top-document" be the active document in "document"'s
> >        browsing context's top-level browsing context.
> >
> >    2.  Let "top-origin" be the origin of "top-document"'s URI if "top-
> >        document"'s sandboxed origin browsing context flag is set, and
> >        "top-document"'s origin otherwise.
>
> these..
>
>   https://html.spec.whatwg.org/#origin
>   https://html.spec.whatwg.org/#concept-origin-opaque
>
> ..indicate that a document, that has its `sandboxed origin browsing
> context flag` set, has only a `unique opaque origin` whose ASCII
> serialization is `"null"`, and does not have an associated URI
> (necessarily?)
>

All documents have a URL distinct from their origin:
https://dom.spec.whatwg.org/#concept-document-url. The URL might be
something like `about:blank`, in which case this algorithm would still
result in an opaque origin as the document's site for cookies, but that
seems like enough of an edge case to not worry about.

(An alternative would be to simplify the algorithm by treating sandboxed
documents as completely distinct from the origin from which they were
served. That's not what Safari, Chrome, or Firefox do today with regard to
so-called "third-party cookie blocking", but it's a reasonable alternative
proposal.)

-mike

Received on Tuesday, 21 June 2016 11:36:41 UTC
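
Added example (not part of the original message or of the draft): a small JavaScript model of step 2 as quoted above, next to the alternative mentioned in the reply, so the `about:blank` edge case can be seen. The document objects, field names and function names are assumptions made for illustration; the model stops at the origin and does not reduce it to a registrable domain.

```javascript
// Serialization of an opaque origin, as in the HTML spec links quoted above.
const OPAQUE = "null";

// Hypothetical document model: `url` is the document's URL, `sandboxedOrigin`
// stands in for the "sandboxed origin browsing context flag".
// Simplification: a non-sandboxed document's origin is taken from its URL
// (origin inheritance for about:blank and similar is ignored).
function documentOrigin(doc) {
  return doc.sandboxedOrigin ? OPAQUE : new URL(doc.url).origin;
}

// Step 2 as quoted: a sandboxed top-level document contributes the origin of
// its URL, not its own (opaque) origin.
function topOriginDraft(topDocument) {
  return topDocument.sandboxedOrigin
    ? new URL(topDocument.url).origin
    : documentOrigin(topDocument);
}

// Alternative from the reply: a sandboxed document is treated as distinct
// from the origin that served it, so its own opaque origin is used.
function topOriginAlternative(topDocument) {
  return documentOrigin(topDocument);
}

// Constructed sample documents.
const SAMPLE_DOCS = [
  { url: "https://example.com/app", sandboxedOrigin: false },
  { url: "https://example.com/app", sandboxedOrigin: true },
  { url: "about:blank", sandboxedOrigin: true },
];

function compare(docs) {
  return docs.map((doc) => ({
    url: doc.url,
    sandboxed: doc.sandboxedOrigin,
    draft: topOriginDraft(doc),
    alternative: topOriginAlternative(doc),
  }));
}

console.table(compare(SAMPLE_DOCS));
```

The two rules differ only for the sandboxed document served from `https://example.com`; for a sandboxed `about:blank` both end up with an opaque origin.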