- From: Anne van Kesteren <notifications@github.com>
- Date: Mon, 11 Feb 2019 01:31:58 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
Received on Monday, 11 February 2019 09:32:19 UTC
annevk commented on this pull request. > @@ -382,13 +382,13 @@ obtain <var>host</var>'s <a for=host>registrable domain</a>, run these steps: </ul> </div> -<p class=warning>Specifications should avoid depending on "<a for=host>public suffix</a>", -"<a for=host>registrable domain</a>", and "<a>same site</a>". The public suffix list will diverge -from client to client, and cannot be relied-upon to provide a hard security boundary. Specifications -which ignore this advice are encouraged to carefully consider whether URLs' schemes ought to be -incorporated into any decision made based upon whether or not two <a for=/>hosts</a> are -<a>same site</a>. HTML's <a>same origin-domain</a> concept is a reasonable example of this -consideration in practice. +<p class=warning>Specifications should prefer the <a for=/>origin</a> concept for security +decisions. The notion of "<a for=host>public suffix</a>","<a for=host>registrable domain</a>", space after the comma -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/pull/430#pullrequestreview-202007656
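Review bot: In the added line that lists the quoted terms, `"<a for=host>public suffix</a>","<a for=host>registrable domain</a>"` has no space after the comma, so the two quoted terms run together in the rendered warning; add a space after the comma. The removed paragraph also stated the reason for the warning (the public suffix list diverges from client to client and cannot be relied upon to provide a hard security boundary). The visible part of the replacement stops at "registrable domain", so confirm that the rest of the new paragraph still gives that reason, since it is what tells specification authors why the origin concept is preferred for security decisions.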