Contact emails
[email protected]

Explainer
https://mikewest.github.io/origin-api


Specification
https://github.com/whatwg/html/pull/11846


Summary
The origin is a fundamental component of the web's implementation, essential to 
both the security and privacy boundaries which user agents maintain. The 
concept is well-defined between HTML and URL, along with widely-used adjacent 
concepts like "site". Origins, however, are not directly exposed to web 
developers. Though there are various origin getters on various objects, each of 
those returns the ASCII serialization of an origin, not the origin itself. This 
has a few negative implications. Practically, developers attempting to do 
same-origin or same-site comparisons when handling serialized origins often get 
things wrong in ways that lead to vulnerabilities. Philosophically, it seems 
like a missing security primitive that developers struggle to polyfill 
accurately. We can address this gap in the platform by introducing an Origin 
object that encapsulates the origin concept, and provides helpful methods for 
comparison, serialization, parsing, and so on.


Blink component
Blink>SecurityFeature


Web Feature ID
Missing feature


Motivation
No information provided


Initial public proposal
https://github.com/whatwg/html/issues/11534


TAG review
https://github.com/w3ctag/design-reviews/issues/1130


TAG review status
Issues addressed


Risks




Interoperability and Compatibility
No information provided

Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1280)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/538) 
Tending towards positive.

Web developers: No signals

Other signals:


Security
Ideally, this will resolve security risks rather than creating them. That said, 
it is the first time we're exposing the same-site concept directly, and if 
developers aren't careful about how they do those comparisons (especially 
between browsers or browser versions with differing versions of the PSL), 
there's some risk that they'd cache an old decision that doesn't apply in the 
current version of the browser.


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it 
has potentially high risk for Android WebView-based applications?
No information provided



Debuggability
No special support; this is an API debuggable via devtools like any other.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, 
ChromeOS, Android, and Android WebView)?
Yes


Is this feature fully tested by web-platform-tests?
Yes
https://wpt.fyi/results/html/browsers/origin/?label=master&label=experimental&aligned


Flag name on about://flags
No information provided


Finch feature name
OriginAPI


Rollout plan
Will ship enabled for all users


Requires code in //chrome?
False


Tracking bug
https://issues.chromium.org/issues/434131026


Estimated milestones


Shipping on desktop 144

Shipping on Android 144

Shipping on WebView 144




Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop 
issues. Please list open issues (eg links to known github issues in the project 
for the feature specification) whose resolution may introduce web 
compat/interop risk (eg, changing to naming or structure of the API in a 
non-backward-compatible way).
No information provided


Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5095541277065216?gate=6604674545352704


This intent message was generated by Chrome Platform Status.

-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/691dd83d.050a0220.2a427a.045f.GAE%40google.com.
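
The Summary's point about comparisons over serialized origins, as an added example that is not part of the original message or of Chromium's code: three string checks of the kind that go wrong, beside a strict comparison built on the existing URL parser. `TRUSTED`, the sample hostnames and all helper names are constructed for illustration.

```javascript
// Added illustration; TRUSTED and all sample origins are constructed.
const TRUSTED = "https://example.com";

// String checks of the kind that go wrong on serialized origins.
const prefixCheck = (s) => s.startsWith(TRUSTED);
const suffixCheck = (s) => s.endsWith("example.com");
const equalsCheck = (a, b) => a === b; // treats "null" === "null" as a match

// Return the input if it is exactly the serialization of a tuple origin;
// return null for opaque origins ("null"), non-strings and anything else.
function tupleOrigin(serialized) {
  if (typeof serialized !== "string") return null;
  let url;
  try {
    url = new URL(serialized);
  } catch {
    return null; // "null" and other non-URLs land here
  }
  // url.origin is "null" for schemes such as data: and file:.
  if (url.origin === "null" || url.origin !== serialized) return null;
  return url.origin;
}

// Same-origin only when both sides are tuple origins with identical
// scheme, host and port. Opaque origins never match, not even each other.
function isSameOrigin(a, b) {
  const x = tupleOrigin(a);
  return x !== null && x === tupleOrigin(b);
}

// Constructed serialized origins; comments note which naive check accepts each.
const SAMPLES = [
  "https://example.com",            // genuine
  "https://example.com.evil.test",  // passes prefixCheck
  "https://example.com:8443",       // passes prefixCheck, different port
  "https://notexample.com",         // passes suffixCheck
  "http://example.com",             // passes suffixCheck, different scheme
];

function report() {
  return SAMPLES.map((s) => ({
    origin: s,
    prefix: prefixCheck(s),
    suffix: suffixCheck(s),
    strict: isSameOrigin(s, TRUSTED),
  }));
}

console.table(report());
console.log('"null" vs "null":', equalsCheck("null", "null"), isSameOrigin("null", "null"));
```

`tupleOrigin` is deliberately strict: it rejects input that is not already in canonical serialized form (a path, an explicit default port, uppercase host), which is the form getters such as `event.origin` return.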