- From: Karl <notifications@github.com>
- Date: Thu, 21 Apr 2022 16:23:00 -0700
- To: whatwg/url <url@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/url/issues/690/1105850533@github.com>
> To try to bring things back to opaque hosts, the problem is we don't really want to create a new origin-like abstraction. We want to create a new scheme which uses opaque hosts, but with origin computation that makes everything under isolated-app://my-app-id/ same-origin for purposes like HTML (including cross-origin object checks) and Fetch (including CORS). You could do that; you just need to figure out a way to plug-in to HTML and Fetch's application-specific security context calculation. Basically, I think the model should be (or really, de-facto already is): 1 - Check to see if the scheme is known to the standard. Yes? -> Tuple origin. No? Continue. 2 - Application-defined heuristics to try establish a security context, perhaps calling registered callbacks, reading a manifest or configuration file, or just generating a unique ID (as HTML does). If it can establish a context -> Custom origin. Nothing? Continue. 3 - For everything that doesn't fit within an island of trust, you have to assume maximum isolation. One other thing you would have to consider: opaque hosts are not interpreted at the same level that HTTP hosts are, so they wouldn't get things like percent-decoding, IDNA mappings, Unicode normalization, or normalized IPv4 addresses. This would affect equality operations and questions of same-origin, but maybe it's okay to opt-out of those and require literal hostname equivalence. -- Reply to this email directly or view it on GitHub: https://github.com/whatwg/url/issues/690#issuecomment-1105850533 You are receiving this because you are subscribed to this thread. Message ID: <whatwg/url/issues/690/1105850533@github.com>
Received on Thursday, 21 April 2022 23:23:12 UTC