- From: Anne van Kesteren <notifications@github.com>
- Date: Mon, 28 Jul 2025 00:03:46 -0700
- To: w3c/ServiceWorker <ServiceWorker@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3c/ServiceWorker/pull/1775/review/3060764496@github.com>
@annevk commented on this pull request.

> @@ -3065,6 +3065,11 @@ spec: storage; urlPrefix: https://storage.spec.whatwg.org/ :: Return |serviceWorker|'s [=service worker/script url=]. : The [=environment settings object/origin=] :: Return its registering [=/service worker client=]'s [=environment settings object/origin=]. + : The [=environment settings object/cross site ancestry=] + :: Return its registering [=/service worker client=]'s [=environment settings object/cross site ancestry=]. + <div class="note"> + Note: If service workers are not partitioned by the [=environment settings object/cross site ancestry=], clients must include logic to use the initial [=/http fetch=]'s [=/request=]'s [=request/client=]'s [=environment settings object/cross site ancestry=] when determining the "<code>SameSite</code>" mode.

I think we should assume it's present. Keying by top-level site is already more or less required to address security vulnerabilities. This goes a little further and addresses additional issues. While addressing these is not the highest priority for all implementers, I believe they do represent a shared goal.

--
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/pull/1775#discussion_r2234974487
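Review bot: The added note places a requirement ("clients must include logic to use the initial [=/http fetch=]'s ... [=environment settings object/cross site ancestry=]") inside a <div class="note">, which is non-normative, so the "must" would not bind implementations when determining the "SameSite" mode. If the fallback for unpartitioned service workers is meant to be required, it belongs in normative text next to the new "cross site ancestry" definition; if it is only advice, reword it without "must". The word "clients" is also ambiguous beside [=/service worker client=] in the line just above; naming implementations or user agents, if that is the intent, would avoid the misreading.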
Received on Monday, 28 July 2025 07:03:50 UTC