
Consider changing CORP to use same-site instead of schemelessly same-site #969

Open
domenic opened this issue Nov 19, 2019 · 1 comment
Labels
security/privacy There are security or privacy implications topic: same-origin policy

Comments

@domenic
Member

domenic commented Nov 19, 2019

This would entail replacing https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check step 5 with a simpler

 <li><p>If <var>request</var>'s <a for=request>origin</a> is <a>same site</a> with
 <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, then return
 <b>allowed</b>.

Some background in #965 (comment) and #687 (comment).
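To make the proposed change concrete, here is an added Python model of the CORP check (example code, not Fetch's text or any browser's implementation) in which the step-5 site comparison can run either as today's schemeless comparison or as the proposed "same site" comparison, which additionally requires equal schemes. The public-suffix table is a constructed stand-in for the real Public Suffix List, and the step ordering is an approximation of the check's steps.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# implementation consults the full list).
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "test"}


def registrable_domain(host):
    """Longest public suffix plus one label, or None if host is itself a suffix."""
    if host in PUBLIC_SUFFIXES:
        return None
    labels = host.split(".")
    for i in range(len(labels) - 1):          # longest candidate suffix first
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return None


def schemelessly_same_site(a, b):
    """HTML's schemelessly same site: equal registrable domains, or equal hosts
    when neither has a registrable domain (IP literals, localhost, ...)."""
    ra, rb = registrable_domain(a.hostname), registrable_domain(b.hostname)
    if ra is None or rb is None:
        return a.hostname == b.hostname
    return ra == rb


def same_site(a, b):
    """HTML's same site: schemelessly same site AND identical scheme."""
    return a.scheme == b.scheme and schemelessly_same_site(a, b)


def corp_check(request_origin, current_url, corp_header, mode, *, require_same_scheme):
    """Return 'allowed' or 'blocked' for a response carrying corp_header.

    require_same_scheme=False models the current (schemeless) step 5,
    require_same_scheme=True models the proposed "same site" step 5.
    """
    req, cur = urlsplit(request_origin), urlsplit(current_url)
    if mode != "no-cors":
        return "allowed"                      # CORS/navigate requests are not CORP's concern
    if (req.scheme, req.hostname, req.port) == (cur.scheme, cur.hostname, cur.port):
        return "allowed"                      # same origin always passes
    if corp_header not in ("same-origin", "same-site"):
        return "allowed"                      # no (valid) policy: legacy behaviour
    if corp_header == "same-origin":
        return "blocked"                      # we already know it is cross-origin
    site_check = same_site if require_same_scheme else schemelessly_same_site
    return "allowed" if site_check(req, cur) else "blocked"
```

The interesting row is an http:// embedder fetching an https:// sibling with `Cross-Origin-Resource-Policy: same-site`: the schemeless rule lets the insecure context read it, the proposed rule blocks it, while https-to-https siblings and unrelated sites behave the same under both.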

@annevk annevk added security/privacy There are security or privacy implications topic: same-origin policy labels Nov 20, 2019
@annevk
Member

annevk commented Nov 20, 2019

I think the moment "Mixed Content 2" becomes a thing making this change will be editorial, so waiting for that and then making the change seems fine to me.

cc @youennf @whatwg/security

domenic added a commit that referenced this issue Nov 20, 2019
Follows whatwg/html#5076. See
#969 for a potential normative
follow-up to change this to use "same site".