
PSA: "same site" definition has changed and moved

From: Domenic Denicola <d@domenic.me>
Date: Wed, 20 Nov 2019 17:50:12 +0000
To: "'public-webappsec@w3.org'" <public-webappsec@w3.org>
CC: Anne van Kesteren <annevk@annevk.nl>
Message-ID: <CH2PR13MB3432B2D99D45F0DB11C37E39DF4F0@CH2PR13MB3432.namprd13.prod.outlook.com>

Hi folks,

Following a suggestion from Mike West [1], and some subsequent discussion, we've changed the definition of "same site" in [2] and [3]. Things to be aware of:

* "Same site" now takes into account schemes. Use "schemelessly same site" if you don't care about schemes.
* "Same site" and "schemelessly same site" operate on origins now. (Previously "same site" operated on hosts.)
* "Same site" and "schemelessly same site" live in HTML now. (Previously they lived in URL.)

Direct link to the new definitions: https://html.spec.whatwg.org/multipage/origin.html#schemelessly-same-site

Probably a number of WebAppsSec specs will need updating for this. You can see one such spec update, for Fetch, in [4]. Sorry for the churn, and let me know or file an issue on HTML if you have any concerns!

-Domenic

[1]: https://github.com/whatwg/url/issues/448
[2]: https://github.com/whatwg/html/pull/5076
[3]: https://github.com/whatwg/url/pull/457
[4]: https://github.com/whatwg/fetch/commit/493c02127f49d6e9a4df5d56e2fcfa7fbaff48b2
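Added worked example (not part of Domenic's message or of the WHATWG specs): a small Python implementation of the two predicates the announcement describes, written against the HTML definition the message links to. Both predicates take origins, so the port and path of a URL play no part; "schemelessly same site" compares only the hosts' registrable domains, and "same site" additionally requires identical schemes. The registrable-domain computation needs the Public Suffix List; the `PUBLIC_SUFFIXES` set below is a constructed, deliberately tiny stand-in, and the function and variable names are this example's own.

```python
import ipaddress
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. A real implementation
# must consult the full, current list (https://publicsuffix.org/); a stale
# or partial list silently widens or narrows what counts as "same site".
PUBLIC_SUFFIXES = {"com", "org", "co.uk", "github.io"}


def registrable_domain(host: str) -> Optional[str]:
    """Public suffix plus one label, or None when the host is an IP address,
    is itself a public suffix, or is a single label (e.g. "localhost")."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None  # IP addresses have no registrable domain
    except ValueError:
        pass
    labels = host.split(".")
    # Longest matching public suffix wins; the label before it is kept.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    # Unknown TLD: the PSL "*" default makes the last label the suffix.
    return None if len(labels) < 2 else ".".join(labels[-2:])


def origin_of(url: str) -> Tuple[str, str]:
    """(scheme, host) of a URL. The port is deliberately dropped: a site,
    unlike an origin, does not distinguish ports."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError(f"no host in {url!r}")
    return parts.scheme.lower(), parts.hostname.lower()


def schemelessly_same_site(url_a: str, url_b: str) -> bool:
    """HTML's "schemelessly same site": identical hosts with no registrable
    domain, or identical, non-null registrable domains."""
    _, host_a = origin_of(url_a)
    _, host_b = origin_of(url_b)
    reg_a, reg_b = registrable_domain(host_a), registrable_domain(host_b)
    if reg_a is None or reg_b is None:
        return host_a == host_b and reg_a is None and reg_b is None
    return reg_a == reg_b


def same_site(url_a: str, url_b: str) -> bool:
    """HTML's "same site": schemelessly same site plus identical schemes."""
    return (schemelessly_same_site(url_a, url_b)
            and origin_of(url_a)[0] == origin_of(url_b)[0])


if __name__ == "__main__":
    pairs = [
        ("https://app.example.com/a", "https://example.com:8443/b"),
        ("http://example.com/", "https://example.com/"),
        ("https://alice.github.io/", "https://bob.github.io/"),
        ("https://localhost:3000/", "https://localhost:4000/"),
    ]
    for a, b in pairs:
        print(f"{a} vs {b}: same site={same_site(a, b)}, "
              f"schemelessly={schemelessly_same_site(a, b)}")
```

Two points worth noticing when running this: `http://example.com` and `https://example.com` are schemelessly same site but not same site, which is exactly the distinction the new definition introduces, and `https://app.example.com` on port 443 is same site with `https://example.com:8443`, because sites ignore ports. A spec or policy that needs origin granularity (ports included) should not use either predicate.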

Received on Wednesday, 20 November 2019 17:50:18 UTC
