Re: [whatwg/fetch] From-Origin (#687)

It makes sense to me that same-site would be agnostic to ports, i.e. `http://foo.example.org:1234` would be same-site to `http://bar.example.org:80`. 

However, it would be a problem to also ignore schemes because we very likely *don't* want `http://foo.example.org:1234` to be same-site with `https://bar.example.org`. Otherwise, the header would offer no protection against attacks if the user is (or ever was) on a malicious network which injects a cached document over HTTP to attack unrelated HTTPS-based same-site applications.

My guess is that if this mechanism doesn't attempt to protect from such network-level attacks, it might reduce its appeal to developers because their sensitive applications hosted over HTTPS would no longer be guaranteed confidentiality. Also note that supporting origin values would be an easy solution to this problem because developers who have mixed content which would be blocked under the stricter logic could temporarily allow it to load by adding a corresponding `http:` entry in their headers.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/issues/687#issuecomment-393214217

Received on Wednesday, 30 May 2018 15:51:31 UTC
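
The comparison discussed in the message above, as an added example that is not part of the original message or of the Fetch specification: a "same-site" check that ignores ports but not schemes, plus an explicit origin allow-list. The function names, the `allowedOrigins` parameter and the three-entry suffix set (a constructed stand-in for the Public Suffix List) are assumptions made for illustration.

```javascript
// Added example: port-agnostic, scheme-sensitive "same-site" comparison.
// PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["org", "com", "co.uk"]);

// Registrable domain = longest matching public suffix plus one more label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return null; // host is itself a suffix, an IP address, or has an unknown suffix
}

function siteOf(url) {
  const u = new URL(url);
  // Fall back to the full host when there is no registrable domain.
  const domain = registrableDomain(u.hostname) || u.hostname;
  return { scheme: u.protocol, domain };
}

// The port is never consulted; the scheme is compared only when `schemeful` is true.
function isSameSite(a, b, { schemeful = true } = {}) {
  const sa = siteOf(a);
  const sb = siteOf(b);
  if (sa.domain !== sb.domain) return false;
  return !schemeful || sa.scheme === sb.scheme;
}

// Hypothetical policy check: allow a requester that is same-site under the
// strict (schemeful) rule, or whose origin the developer listed explicitly,
// e.g. a temporary http: entry for mixed content.
function mayEmbed(resourceUrl, requesterUrl, allowedOrigins = []) {
  if (isSameSite(resourceUrl, requesterUrl)) return true;
  return allowedOrigins.includes(new URL(requesterUrl).origin);
}

const httpDoc = "http://foo.example.org:1234/";
const httpsApp = "https://bar.example.org/account";
console.log(isSameSite(httpDoc, "http://bar.example.org:80/"));   // ports ignored
console.log(isSameSite(httpDoc, httpsApp));                       // schemes differ
console.log(isSameSite(httpDoc, httpsApp, { schemeful: false })); // scheme-blind rule
console.log(mayEmbed(httpsApp, httpDoc, ["http://foo.example.org:1234"]));
```

With the scheme-blind rule the HTTP document counts as same-site with the HTTPS application, which is the case the message argues against.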