- From: Kari Hurtta <hurtta-ietf@elmme-mailer.org>
- Date: Mon, 1 Apr 2019 21:08:56 +0300 (EEST)
- To: HTTP Working Group <ietf-http-wg@w3.org>
- CC: Kari Hurtta <hurtta-ietf@elmme-mailer.org>, Mike West <mkwst@google.com>
3.2. Requests and Responses
https://tools.ietf.org/html/draft-west-http-state-tokens-00#section-3.2

| This document relies upon the definitions of "request" and "response"
| found in [Fetch].
|
| A request's delivery scope can be obtained as follows:
|
| 1. Let "request-origin" be the request's "origin", and
|    "target-origin" be the request's "URL"'s "origin".
|
| 2. If the request was generated by the user agent as a response to
|    direct user interaction with the user agent (e.g. the user typed
|    an address into the agent's address bar, clicked a bookmark, or
|    etc.), return "same-origin".
|
| 3. If "request-origin" is same-origin with "target-origin", return
|    "same-origin".
|
| 4. If "request-origin"'s registrable domain is the same as
|    "target-origin"'s registrable domain, return "same-site".
|
| 5. Return "cross-site".

Is delivery=same-site intended to cause the Sec-Http-State request field
to be sent on about the same requests as Cookies with the SameSite attribute?

SameSite seems to use the definition "site for cookies" for that. How does
that compare to "request-origin"?

5.2. "Same-site" and "cross-site" Requests
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.2

| 2. Let "site" be "request"'s client's "site for cookies" (as defined
|    in the following sections).
|
| 3. Let "target" be the registered domain of "request"'s current url.
|
| 4. If "site" is an exact match for "target", return "same-site".

5.2.1. Document-based requests
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.2.1

| For a document displayed in a top-level browsing context, we can stop
| here: the document's "site for cookies" is the top-level site.

(and so on)

I failed to interpret how Fetch defines request's "origin"

https://fetch.spec.whatwg.org/#concept-request-origin
https://html.spec.whatwg.org/multipage/origin.html#concept-origin

Especially for nested browsing contexts (iframes and so on).

/ Kari Hurtta
Received on Monday, 1 April 2019 18:09:29 UTC
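
The two classifications quoted in the message above, side by side, as an added example (not code from either draft or from the e-mail). The three-entry suffix set is a constructed stand-in for the Public Suffix List, `siteForCookies` is taken as an input rather than derived from browsing contexts, and the final "cross-site" return of the cookie check is an assumed fall-through that the message does not quote.

```javascript
// Constructed stand-in for the Public Suffix List (assumption; the real list is much larger).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain: the longest matching public suffix plus one label to its left.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: treated as having no registrable domain
}

// draft-west-http-state-tokens-00 section 3.2, steps 1-5 as quoted above.
// userInitiated models step 2 (address bar, bookmark).
function deliveryScope(requestOrigin, targetUrl, userInitiated = false) {
  if (userInitiated) return "same-origin";                          // step 2
  const req = new URL(requestOrigin);
  const target = new URL(targetUrl);                                // step 1
  if (req.origin === target.origin) return "same-origin";           // step 3
  const reqSite = registrableDomain(req.hostname);
  if (reqSite !== null && reqSite === registrableDomain(target.hostname)) {
    return "same-site";                                             // step 4
  }
  return "cross-site";                                              // step 5
}

// draft-ietf-httpbis-rfc6265bis-02 section 5.2, steps 2-4 as quoted above.
// siteForCookies is supplied by the caller, not derived from browsing contexts.
function sameSiteClass(siteForCookies, targetUrl) {
  const target = registrableDomain(new URL(targetUrl).hostname);    // step 3
  if (target !== null && siteForCookies === target) return "same-site"; // step 4
  return "cross-site"; // assumed fall-through; this step is not quoted in the message
}

// Constructed inputs: the two checks agree or diverge depending on what each is fed.
function compare(requestOrigin, siteForCookies, targetUrl) {
  return {
    delivery: deliveryScope(requestOrigin, targetUrl),
    sameSite: sameSiteClass(siteForCookies, targetUrl),
  };
}

console.log(compare("https://app.example.com", "example.com", "https://api.example.com/x"));
console.log(compare("https://widget.org", "example.com", "https://widget.org/api"));
```

The second call feeds the two checks different sites on purpose; which browsing contexts would actually produce such a pair is the open question in the message and is not decided by this code.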