Re: [whatwg/url] Let HTML handle the "same site" definition (#457)

annevk commented on this pull request.



>  <p class=warning>Specifications should prefer the <a for=/>origin</a> concept for security
-decisions. The notion of "<a for=host>public suffix</a>", "<a for=host>registrable domain</a>",
-and "<a>same site</a>" cannot be relied-upon to provide a hard security boundary, as the public
-suffix list will diverge from client to client. Specifications which ignore this advice are
-encouraged to carefully consider whether URLs' schemes ought to be incorporated into any decision
-made based upon whether or not two <a for=/>hosts</a> are <a>same site</a>. HTML's <a>same
-origin-domain</a> concept is a reasonable example of this consideration in practice.
+decisions. The notion of "<a for=host>public suffix</a>" and "<a for=host>registrable domain</a>"
+cannot be relied-upon to provide a hard security boundary, as the public suffix list will diverge
+from client to client. Specifications which ignore this advice are encouraged to carefully consider
+whether URLs' schemes ought to be incorporated into any decisions made, i.e. whether to use the
+<a>same site</a> or <a>schemelessly same site</a> concepts. HTML's <a>same origin-domain</a> concept
+is a reasonable example of this consideration in practice.

The point is that we don't really want people to use (schemelessly) same site if they can avoid it in favor of origins. And I'd like HTML to also suggest that to some extent.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/pull/457#discussion_r345290859

Received on Tuesday, 12 November 2019 15:57:47 UTC