Re: [w3c/ServiceWorker] Add new environment settings object field "cross site ancestry" for SameSite cookies work (PR #1775)

@yoshisatoyanagisawa commented on this pull request.



> @@ -3065,6 +3065,8 @@ spec: storage; urlPrefix: https://storage.spec.whatwg.org/
               :: Return |serviceWorker|'s [=service worker/script url=].
               : The [=environment settings object/origin=]
               :: Return its registering [=/service worker client=]'s [=environment settings object/origin=].
+              : The [=environment settings object/cross site ancestry=]
+              :: Return its registering [=/service worker client=]'s [=environment settings object/cross site ancestry=].
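
Review bot: The added `cross site ancestry` entry copies the wording of the origin entry above it and reads the value from the registering service worker client, but nothing in the hunk documents why a value fixed by that client is appropriate for a field that, per the PR title, feeds the SameSite cookies work. A worker's origin is shared by every client it controls, whereas an ancestry value describes how one particular client is embedded, so the two entries are not obviously equivalent. Consider adding a non-normative note after `:: Return its registering [=/service worker client=]'s [=environment settings object/cross site ancestry=].` that states the intended result when the worker later serves a client whose ancestry differs from the registering client's, or spelling that case out normatively.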

I assume that `cross site ancestry` is used for noticing 3rd party site ancestry to avoid unexpected cookie access there. Then, I wonder if it is valid to use the registration-time client for decision making.
Assume that the registration has been done by Origin A, but the actual usage is fetching from a ServiceWorker-controlled iframe of Origin A inside Origin B. For that case, I guess fetching inside the Origin A iframe can be captured by the ServiceWorker registered by Origin A (not the iframe's) if storage partitioning is disabled. Then, the iframe itself might be `cross site ancestry` == true but the ServiceWorker intercepting the request might be `cross site ancestry` == false. Is that the intended behavior?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3c/ServiceWorker/pull/1775#pullrequestreview-2896000233

Message ID: <w3c/ServiceWorker/pull/1775/review/2896000233@github.com>

Received on Wednesday, 4 June 2025 09:31:48 UTC