Re: [whatwg/url] Opaque hosts: realistic examples and origins? (Issue #690)

> Computing new opaque origins from URLs is important for HTML too if I remember correctly. If two nested documents navigate to the same data: URL, they should not end up sharing an origin and I think today that is the result of the URL->origin mapping. Of course, you could envision not relying on a URL->origin mapping here, but instead HTML special casing data: URLs. However, I think it is more generally sound that two such identical URLs do not share an authority. (I.e., I do think this makes sense, contrary to what @karwa said above.)

Just to be clear: I **do** think it makes sense for two nested documents navigating to the same `data:` URL to not share an authority.

The thing that doesn't make sense is that there is a concept of having the "same opaque origin". Opaque origins mean we don't know what the origin is (the URL scheme is not known), so we can't really call them the same as anything. Currently, we have this concept of a 'new' opaque origin, with an identity and security domain established when you compute them.

```swift
// Each call to 'url.origin' returns a 'new' opaque origin.

let url = URL("non-special://somehost/path")
url.origin.isSameOrigin(as: url.origin) // false - i.e. no shared authority, isolated from itself.

// But if we store it in a variable, we create a security domain out of thin air
// at this point in the code. The opaque origin actually compares as same-origin
// with something now!

let savedOrigin = url.origin
savedOrigin.isSameOrigin(as: url.origin) // false, as expected.

savedOrigin.isSameOrigin(as: savedOrigin) // true!! when did we get an authority?
```

This is a consequence of the definitions in the HTML and URL Standards.

What I think should happen instead is that, when a nested document navigates to a `data:` URL, the HTML standard, rather than saying to return a "new opaque origin", would have 2 choices:

- Explicitly say to generate a unique token to serve as the origin for that document (in lieu of one from the URL), if there is some meaningful identity to assign to it. This would match the current behaviour of opaque origins.
- Leave the origin unspecified, for maximum isolation. Considering the example above, this would fix the issue and make `savedOrigin.isSameOrigin(as: savedOrigin)` return `false`, like a floating point NaN returns `x == x` as `false`.

The former would be a sort-of "HTML extension" so to speak, defining contextually relevant zones of trust based on its task of expressing rich, interlinked documents. Those zones of trust based on generated unique identifiers may not be meaningful in other contexts.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/url/issues/690#issuecomment-1106497600

Message ID: <whatwg/url/issues/690/1106497600@github.com>

Received on Friday, 22 April 2022 13:08:42 UTC
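Added example, not the commenter's code: a small JavaScript model of the URL Standard's "origin of a URL" and HTML's "same origin" check, reproducing the behaviour shown in the Swift snippet above and the NaN-like alternative proposed there. It uses Node's built-in WHATWG `URL` parser; `blob:` URLs and the domain component of tuple origins are left out for brevity.

```javascript
// Model of "origin of a URL" (URL Standard) and "same origin" (HTML Standard).
// Assumptions: Node's global WHATWG URL; blob: URLs and the domain slot are omitted.
const SPECIAL_SCHEMES = new Set(["http", "https", "ws", "wss", "ftp"]);

let opaqueCounter = 0;

// An opaque origin carries no scheme/host/port, only a fresh identity per creation.
function newOpaqueOrigin() {
  return { opaque: true, id: ++opaqueCounter };
}

function originOf(urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1); // drop trailing ':'
  // Special schemes yield a tuple origin; data:, file: and non-special schemes
  // yield a *new* opaque origin on every computation, as the spec says.
  if (SPECIAL_SCHEMES.has(scheme)) {
    return { opaque: false, scheme, host: url.hostname, port: url.port };
  }
  return newOpaqueOrigin();
}

// HTML "same origin": opaque origins match only when they are the same object.
function isSameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// The alternative proposed above: an origin that is never same-origin, even with
// itself, like a floating point NaN (constructed name, not from any spec).
const UNSPECIFIED_ORIGIN = { opaque: true, unspecified: true };
function isSameOriginUnspecified(a, b) {
  if (a.unspecified || b.unspecified) return false;
  return isSameOrigin(a, b);
}

function demo() {
  const u = "non-special://somehost/path";
  const saved = originOf(u); // storing it creates the "security domain out of thin air"
  return {
    freshVsFresh: isSameOrigin(originOf(u), originOf(u)), // false: isolated from itself
    savedVsFresh: isSameOrigin(saved, originOf(u)), // false, as expected
    savedVsSaved: isSameOrigin(saved, saved), // true: identity came from the variable
    tupleVsTuple: isSameOrigin(originOf("https://a.example/x"), originOf("https://a.example:443/y")), // true
    dataVsData: isSameOrigin(originOf("data:text/html,hi"), originOf("data:text/html,hi")), // false
    unspecifiedVsSelf: isSameOriginUnspecified(UNSPECIFIED_ORIGIN, UNSPECIFIED_ORIGIN), // false
  };
}
```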