- From: Anne van Kesteren <notifications@github.com>
- Date: Tue, 19 Nov 2019 01:15:05 -0800
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/pull/457/review/318879898@github.com>
annevk commented on this pull request. > <p class=warning>Specifications should prefer the <a for=/>origin</a> concept for security -decisions. The notion of "<a for=host>public suffix</a>", "<a for=host>registrable domain</a>", -and "<a>same site</a>" cannot be relied-upon to provide a hard security boundary, as the public -suffix list will diverge from client to client. Specifications which ignore this advice are -encouraged to carefully consider whether URLs' schemes ought to be incorporated into any decision -made based upon whether or not two <a for=/>hosts</a> are <a>same site</a>. HTML's <a>same -origin-domain</a> concept is a reasonable example of this consideration in practice. +decisions. The notion of "<a for=host>public suffix</a>" and "<a for=host>registrable domain</a>" +cannot be relied-upon to provide a hard security boundary, as the public suffix list will diverge +from client to client. Specifications which ignore this advice are encouraged to carefully consider +whether URLs' schemes ought to be incorporated into any decisions made, i.e. whether to use the +<a>same site</a> or <a>schemelessly same site</a> concepts. HTML's <a>same origin-domain</a> concept +is a reasonable example of this consideration in practice. Yeah, let's remove that. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/pull/457#discussion_r347806043
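Review bot: dropping "same site" from the list of concepts that cannot provide a hard security boundary (the removed `-` lines kept it alongside "public suffix" and "registrable domain"; the `+` lines name only the latter two) makes the rewritten warning read as though same site were reliable, even though the same sentence still says the public suffix list diverges from client to client, which is exactly why the old text grouped all three together. Suggest keeping the caveat explicit in the `+` text, e.g. `The notion of "public suffix" and "registrable domain", and the "same site" concepts built on them, cannot be relied upon to provide a hard security boundary`. Two smaller points in the same `+` lines: "relied-upon" should be "relied upon" (no hyphen), and "i.e. whether to use the same site or schemelessly same site concepts" reads better as "e.g.", since choosing between those two is one way of incorporating the scheme rather than the only one.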
Received on Tuesday, 19 November 2019 09:15:07 UTC