Skip to content

Use same origin checks instead of same origin-domain ones#236

Merged
arskama merged 1 commit intow3c:mainfrom
arskama:sameOrigin
Oct 2, 2023
Merged

Use same origin checks instead of same origin-domain ones#236
arskama merged 1 commit intow3c:mainfrom
arskama:sameOrigin

Conversation

@arskama
Copy link
Contributor

@arskama arskama commented Sep 28, 2023
edited by pr-preview bot
Loading

Fixes #187

Preview | Diff

@arskama arskama requested review from kenchris and rakuco September 28, 2023 13:56
@arskama
Copy link
Contributor Author

arskama commented Sep 28, 2023

Please add reviewers if you think we might need.

kenchris
kenchris approved these changes Sep 28, 2023
View reviewed changes
Copy link
Contributor

@kenchris kenchris left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would have been good with a more descriptive commit message

@arskama
Copy link
Contributor Author

arskama commented Sep 29, 2023

Would have been good with a more descriptive commit message

I ll change it when merging

@arskama
Copy link
Contributor Author

arskama commented Sep 29, 2023
edited
Loading

@kenchris How about:

"
From different sources [1][2][3], it looks like same origin-domain is not anymore recommended.
There is no obvious reason to keep same origin-domain in compute pressure specifications.
Instead same origin seems to be a better security check.

[1] https://html.spec.whatwg.org/multipage/browsers.html#relaxing-the-same-origin-restriction
[2] https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/weborigin/security_origin.h;l=313;drc=933be5e5db24585647edcd7f507ba2d48c5757c8
[3] https://dontcallmedom.github.io/webdex/s.html
"

rakuco
rakuco approved these changes Sep 29, 2023
View reviewed changes
Copy link
Member

@rakuco rakuco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm too

In addition to improving the PR/commit message, please use a better title too: "fix A to B" is not a very usual construct. How about something like "Use same origin checks instead of same origin-domain ones"?

@arskama
Use same origin checks instead of same origin-domain ones
218a80b 
From different sources [1][2][3], it looks like same origin-domain is not anymore recommended.
There is no obvious reason to keep same origin-domain in compute pressure specifications.
Instead same origin seems to be a better security check.

[1] https://html.spec.whatwg.org/multipage/browsers.html#relaxing-the-same-origin-restriction
[2] https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/weborigin/security_origin.h;l=313;drc=933be5e5db24585647edcd7f507ba2d48c5757c8
[3] https://dontcallmedom.github.io/webdex/s.html

Fixes w3c#187
@arskama arskama changed the title Fix same origin-domain to same origin Use same origin checks instead of same origin-domain ones Oct 2, 2023
@arskama arskama merged commit 34af5b1 into w3c:main Oct 2, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kenchris kenchris kenchris approved these changes

+1 more reviewer

@rakuco rakuco rakuco approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Does the privacy test need a same origin-domain or a same origin check?

3 participants

@arskama @rakuco @kenchris