Re: [whatwg/fetch] From-Origin (#687)

I want the header to be simple. Restricting ports is adding complexity and potential breakage to the same-site directive. For me, same-site means “It’s your domain. You are in control of its subdomains, schemes, and ports. You may have an unusual setup with your domain and that’s OK. This header will restrict to your domain but not break your custom setup.”

I’ve seen non-default ports used in intranets and I’ve even built a national healthcare system where we had to switch to 8443 for HTTPS to avoid having to give the cert’s private key to the firewall operators. HTTPS over 443 was on their list of traffic they had to monitor whereas our super sensitive patient information should absolutely not be monitored.

The same-site directive is not supposed to save you from not having control over your subdomains. A rogue evil.example.com server could most probably steal cookies through requests anyway. Instead, we should maximize the chance of same-site working so that as many orgs as possible can adopt it. (That’s also why I wanted it to work for all resource types but I lost that battle.)

https://github.com/whatwg/fetch/issues/687#issuecomment-393185500

Received on Wednesday, 30 May 2018 14:34:08 UTC