- From: Domenic Denicola <d@domenic.me>
- Date: Wed, 20 Nov 2019 17:50:12 +0000
- To: "'public-webappsec@w3.org'" <public-webappsec@w3.org>
- CC: Anne van Kesteren <annevk@annevk.nl>
Hi folks,

Following a suggestion from Mike West [1], and some subsequent discussion, we've changed the definition of "same site" in [2] and [3]. Things to be aware of:

* "Same site" now takes into account schemes. Use "schemelessly same site" if you don't care about schemes.
* "Same site" and "schemelessly same site" operate on origins now. (Previously "same site" operated on hosts.)
* "Same site" and "schemelessly same site" live in HTML now. (Previously they lived in URL.)

Direct link to the new definitions: https://html.spec.whatwg.org/multipage/origin.html#schemelessly-same-site

Probably a number of WebAppSec specs will need updating for this. You can see one such spec update, for Fetch, in [4].

Sorry for the churn, and let me know or file an issue on HTML if you have any concerns!

-Domenic

[1]: https://github.com/whatwg/url/issues/448
[2]: https://github.com/whatwg/html/pull/5076
[3]: https://github.com/whatwg/url/pull/457
[4]: https://github.com/whatwg/fetch/commit/493c02127f49d6e9a4df5d56e2fcfa7fbaff48b2
Received on Wednesday, 20 November 2019 17:50:18 UTC
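
The difference between the two comparisons announced above, as an added example that is not part of the original message or of any spec text. It assumes a tiny constructed public-suffix set in place of the real Public Suffix List, treats hosts under unlisted suffixes as having no registrable domain, and treats every opaque origin as distinct; all function names are hypothetical.

```javascript
// Constructed, minimal public-suffix set (assumption for this example only).
// A real implementation consults the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Registrable domain = public suffix plus one more label, or null when there
// is none (IP literals, single-label hosts, a host that is itself a suffix).
function registrableDomain(host) {
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return null; // IP literal
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {        // longest suffix first
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // simplification: unlisted suffixes yield no registrable domain
}

// Derive a tuple origin (scheme, host) from a URL, or null for an opaque one.
function toOrigin(urlString) {
  const u = new URL(urlString);
  if (u.origin === "null") return null;            // e.g. data: URLs
  return { scheme: u.protocol.slice(0, -1), host: u.hostname };
}

// Compares origins, ignoring scheme and port.
function schemelesslySameSite(a, b) {
  const A = toOrigin(a), B = toOrigin(b);
  if (A === null || B === null) return false;      // opaque: treated as distinct
  const regA = registrableDomain(A.host), regB = registrableDomain(B.host);
  if (regA === null && A.host === B.host) return true; // e.g. identical IPs
  return regA !== null && regA === regB;
}

// "Same site" after the change: schemelessly same site AND same scheme.
function sameSite(a, b) {
  return schemelesslySameSite(a, b) &&
         toOrigin(a).scheme === toOrigin(b).scheme;
}

// Constructed sample pairs.
for (const [a, b] of [
  ["https://app.example.com/", "https://login.example.com/"],
  ["http://example.com/", "https://example.com/"],
  ["https://alice.github.io/", "https://bob.github.io/"],
]) {
  console.log(a, b, { sameSite: sameSite(a, b),
                      schemelessly: schemelesslySameSite(a, b) });
}
```

The second pair is the case the change affects: an `http:` and an `https:` origin on the same registrable domain are schemelessly same site but no longer same site.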