- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 12 Nov 2019 01:59:54 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/pull/457/review/315413112@github.com>
annevk commented on this pull request.

> <p class=warning>Specifications should prefer the <a for=/>origin</a> concept for security -decisions. The notion of "<a for=host>public suffix</a>", "<a for=host>registrable domain</a>", -and "<a>same site</a>" cannot be relied-upon to provide a hard security boundary, as the public -suffix list will diverge from client to client. Specifications which ignore this advice are -encouraged to carefully consider whether URLs' schemes ought to be incorporated into any decision -made based upon whether or not two <a for=/>hosts</a> are <a>same site</a>. HTML's <a>same -origin-domain</a> concept is a reasonable example of this consideration in practice. +decisions. The notion of "<a for=host>public suffix</a>" and "<a for=host>registrable domain</a>" +cannot be relied-upon to provide a hard security boundary, as the public suffix list will diverge +from client to client. Specifications which ignore this advice are encouraged to carefully consider +whether URLs' schemes ought to be incorporated into any decisions made, i.e. whether to use the +<a>same site</a> or <a>schemelessly same site</a> concepts. HTML's <a>same origin-domain</a> concept +is a reasonable example of this consideration in practice.

Should we give this an ID and reference it from HTML?

https://github.com/whatwg/url/pull/457#pullrequestreview-315413112
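Review bot: The first two `+` lines drop "<a>same site</a>" from the list of concepts that cannot provide a hard security boundary, yet both "same site" and "schemelessly same site" are still derived from the registrable domain, so the public-suffix-list caveat the hunk keeps applies to them equally; keep them named in that sentence, e.g. `The notion of "public suffix", "registrable domain", "same site", and "schemelessly same site" cannot be relied upon to provide a hard security boundary`. While here, "relied-upon" should be "relied upon" (the hyphen is carried over from the removed line), and the two new autolinks `<a>same site</a>` and `<a>schemelessly same site</a>` must point at definitions that exist elsewhere in the spec, which this hunk does not show.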
Received on Tuesday, 12 November 2019 09:59:57 UTC