[whatwg/url] Tighten 'same site' checks to include 'scheme'. (#449) from Mike West on 2019-09-13 (public-webapps-github@w3.org from September 2019)

From: Mike West <notifications@github.com>
Date: Fri, 13 Sep 2019 03:14:35 -0700
To: whatwg/url <url@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <whatwg/url/pull/449@github.com>

This patch introduces &#39;schemelessly same site&#39; on both &#39;host&#39; and &#39;URL&#39;,
moves &#39;same site&#39; to URL, and tightens it by requiring a scheme match in
addition to a registrable domain match. This, hopefully, will create
stronger security boundaries in places where we perform &quot;same site&quot;
checks, while giving us the flexibility to grandparent in existing
behavior we decide to keep.

Partially addresses whatwg/url#448.
You can view, comment on, or merge this pull request online at:

  https://github.com/whatwg/url/pull/449

-- Commit Summary --

  * Tighten &#39;same site&#39; checks to include &#39;scheme&#39;.

-- File Changes --

    M url.bs (115)

-- Patch Links --

https://github.com/whatwg/url/pull/449.patch
https://github.com/whatwg/url/pull/449.diff

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/pull/449

Received on Friday, 13 September 2019 10:14:56 UTC