- From: Mike West <notifications@github.com>
- Date: Wed, 11 Sep 2019 01:14:59 -0700
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/issues/448@github.com>
As discussed in https://github.com/w3c/webappsec-fetch-metadata/issues/34, we're slowly tightening the various places that evaluate URLs'/Origins' same-siteness to look beyond the host and require scheme matches as well. That is, `http://example.com/` and `https://sub.example.com/` have _hosts_ which are considered "same-site", but many places in the platform have begun considering those contexts "cross-site" as the non-secure scheme creates risk for the secure origin. To quote from that other thread:

> @mikewest
> In fact, I wonder if we can/should change this more generally for URL's "same site" definition, as it's something we run into in ~all the "same-site" checks we're introducing these days.
>
> In fact, SameSite cookies might be the only place where we're not doing this kind of check. We made that decision because we wanted people to be able to upgrade their sites to HTTPS piecemeal, starting with their authentication systems, then spreading throughout the site. Perhaps we've reached enough of an inflection point with that migration that we can tighten the restriction generally.

> @annevk
> I'm supportive. We could have schemeless same site or some such for the variant that only takes hosts. https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check also needs schemeless btw, even though it ends up checking the scheme a bit.

https://github.com/whatwg/url/issues/448
Received on Wednesday, 11 September 2019 08:15:22 UTC
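The two notions of same-siteness the thread contrasts, as an added illustration that is not part of the message above: `sameSite` compares (scheme, registrable domain), while `schemelessSameSite` compares the registrable domain only, so `http://example.com/` and `https://sub.example.com/` are schemeless same-site but not same-site. The small public-suffix set and the `registrableDomain` helper are assumptions standing in for the real Public Suffix List.

```javascript
// Added example: "same site" (scheme + registrable domain) versus
// "schemeless same site" (registrable domain only), as discussed in the thread.
// Assumption: this constructed subset stands in for the real Public Suffix List,
// which a production implementation would load instead.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Registrable domain (eTLD+1) of a host; null for IP literals and bare suffixes.
function registrableDomain(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) return null;
  const labels = host.toLowerCase().split(".");
  // Candidates run from longest to shortest, so the first hit is the longest suffix.
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Schemeless same site: the hosts share a registrable domain.
// Hosts with no registrable domain (IP addresses, bare suffixes) match only themselves.
function schemelessSameSite(a, b) {
  const ua = new URL(a), ub = new URL(b);
  const da = registrableDomain(ua.hostname);
  const db = registrableDomain(ub.hostname);
  if (da === null || db === null) return ua.hostname === ub.hostname;
  return da === db;
}

// Same site: schemeless same site AND identical scheme, so an http:// context is
// cross-site to its https:// counterpart even when the hosts would match.
function sameSite(a, b) {
  const ua = new URL(a), ub = new URL(b);
  return ua.protocol === ub.protocol && schemelessSameSite(a, b);
}
```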