- From: Domenic Denicola <notifications@github.com>
- Date: Thu, 21 Apr 2022 15:43:11 -0700
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/issues/690/1105830463@github.com>
> I wish I could give some citations, but it's been a while and I can't find everything right now. Basically, the key impression I was left with is that an origin is not a property of a URL (like, say, the scheme, path, and query are); it is an abstract domain of trust, which can sometimes be computed from a URL based on what you know about how that URL will be processed.

I agree with this. The problem is that computing an origin from a URL is key for Fetch to determine whether a given fetch will be cross-origin or same-origin. So that computation-from-URL mapping needs to be defined somewhere that can be shared by at least Fetch and HTML, and URL seems like the place it's ended up.

> It has this really weird property that if you calculate a URL's origin, that particular local variable in code will compare as same-origin with itself, but calculating the URL's origin again produces a different opaque origin. It doesn't really make any sense - if an origin has to do with a resource's security context, why does it matter when I calculate it?

I think you're right, this is weird. In practice I think opaque origins computed from URLs are just not used on the web platform, or at least, not in a context where they're ever expected to return true in an equality comparison. However, opaque origins for other objects (e.g. `Document`s) often do need to compare equal to themselves. I think the current model works fine there, but perhaps it's just obvious to me that minting a new opaque origin and associating it with a `Document` is minting a new security context.

---

To try to bring things back to opaque hosts, the problem is we don't really want to create a new origin-like abstraction. We want to create a new scheme which uses opaque hosts, but with origin computation that makes everything under `isolated-app://my-app-id/` same-origin for purposes like HTML (including cross-origin object checks) and Fetch (including CORS).

I guess this issue is complaining that we'd have to change origin computation when we did so, whereas we were hoping we could just use the nice "unknown scheme -> opaque host" pathway that's in the URL Standard already. But perhaps updating origin computation is unavoidable and a fine price to pay.

--
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/690#issuecomment-1105830463
Received on Thursday, 21 April 2022 22:43:23 UTC
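
The behaviour discussed in this message, modelled as an added example that is not part of the original message or of any specification text. `OpaqueOrigin`, `TupleOrigin`, `originOf`, `sameOrigin` and the `extraTupleSchemes` opt-in are hypothetical names; the model is simplified (it omits `blob:` and `file:`) and uses the URL parser built into Node.js or a browser.

```javascript
// Schemes for which a URL's origin is a (scheme, host, port) tuple in this model.
const SPECIAL_TUPLE_SCHEMES = new Set(["http", "https", "ws", "wss", "ftp"]);

// An opaque origin has no comparable fields: its identity is the object itself.
class OpaqueOrigin {
  toString() { return "null"; } // every opaque origin serializes the same way
}

class TupleOrigin {
  constructor(scheme, host, port) {
    this.scheme = scheme; this.host = host; this.port = port;
  }
  toString() {
    return `${this.scheme}://${this.host}${this.port ? ":" + this.port : ""}`;
  }
}

// extraTupleSchemes is the hypothetical change to origin computation: schemes
// with opaque hosts that should still yield a tuple origin.
function originOf(urlString, extraTupleSchemes = new Set()) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1); // drop the trailing ":"
  if (SPECIAL_TUPLE_SCHEMES.has(scheme) || extraTupleSchemes.has(scheme)) {
    return new TupleOrigin(scheme, url.hostname, url.port);
  }
  return new OpaqueOrigin(); // freshly minted on every call
}

function sameOrigin(a, b) {
  // Opaque origins are same-origin only with themselves (identity comparison).
  if (a instanceof OpaqueOrigin || b instanceof OpaqueOrigin) return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function demo() {
  const page = "isolated-app://my-app-id/index.html";
  const worker = "isolated-app://my-app-id/worker.js";
  const optIn = new Set(["isolated-app"]);
  const origin = originOf(page);
  return {
    selfEqual: sameOrigin(origin, origin),           // same variable
    recomputed: sameOrigin(origin, originOf(page)),  // same URL, computed again
    sameApp: sameOrigin(originOf(page, optIn), originOf(worker, optIn)),
    otherApp: sameOrigin(originOf(page, optIn), originOf("isolated-app://other-app/", optIn)),
    builtin: new URL(page).origin, // what the platform's URL API reports today
  };
}
```

The `recomputed` result is why a same-origin or CORS check keyed on an origin computed from the URL treats every `isolated-app:` resource as cross-origin unless the computation itself is changed.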