(Apologies, Alex; you're getting this twice because I replied instead of reply-all'd.)
Daniel: Thanks for correcting my link to the explainer. :) I've updated chromestatus accordingly.

Yoav: I've requested reviews for the missing flags.

Alex: We discussed this in the TAG review as well, https://github.com/w3ctag/design-reviews/issues/1130#issuecomment-3229508992 has some potentially helpful thoughts. TL;DR: the core thing that URL can't reasonably handle is an opaque origin. These should be same-origin with themselves, and cross-origin to every other opaque origin. That creates some sharp edges, particularly visible around navigations within `<iframe sandbox>`. `Origin` allows representation of those origins in a way that allows meaningful comparison.

To a potential followup question: we do want to explain "origin of a URL", but rather than adding an `.originObject` getter to `URL`, we're running with the `Origin.from(any)` pattern introduced(?) in `Observable`. We could explore adding the functionality to URL as well, if developers tell us that would be helpful?

-mike

On Wed, Nov 19, 2025 at 5:35 PM Alex Russell <[email protected]> wrote:

> Thanks for the explainer link, Daniel.
>
> Mike:
>
> Saw a few considered alternatives in the explainer, which is great. Have you considered how this might be added to the URL object instead? Did you reject that for a reason I couldn't see?
>
> Best,
>
> Alex
>
> On Wednesday, November 19, 2025 at 8:16:27 AM UTC-8 Yoav Weiss wrote:
>
>> Can you flip all the review bits in chromestatus.com? (enterprise, debuggability and testing are missing)
>>
>> On Wed, Nov 19, 2025 at 4:20 PM Daniel Bratell <[email protected]> wrote:
>>
>>> Better explainer than the spec:
>>>
>>> https://github.com/mikewest/origin-api/blob/main/README.md
>>>
>>> /Daniel
>>> On 2025-11-19 15:46, Chromestatus wrote:
>>>
>>> *Contact emails*
>>> [email protected]
>>>
>>> *Explainer*
>>> https://mikewest.github.io/origin-api
>>>
>>> *Specification*
>>> https://github.com/whatwg/html/pull/11846
>>>
>>> *Summary*
>>> The origin is a fundamental component of the web’s implementation, essential to both the security and privacy boundaries which user agents maintain. The concept is well-defined between HTML and URL, along with widely-used adjacent concepts like "site". Origins, however, are not directly exposed to web developers. Though there are various origin getters on various objects, each of those returns the ASCII serialization of an origin, not the origin itself. This has a few negative implications. Practically, developers attempting to do same-origin or same-site comparisons when handling serialized origins often get things wrong in ways that lead to vulnerabilities. Philosophically, it seems like a missing security primitive that developers struggle to polyfill accurately. We can address this gap in the platform by introducing an Origin object that encapsulates the origin concept, and provides helpful methods for comparison, serialization, parsing, and etc.
>>>
>>> *Blink component*
>>> Blink>SecurityFeature <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%22>
>>>
>>> *Web Feature ID*
>>> Missing feature
>>>
>>> *Motivation*
>>> *No information provided*
>>>
>>> *Initial public proposal*
>>> https://github.com/whatwg/html/issues/11534
>>>
>>> *TAG review*
>>> https://github.com/w3ctag/design-reviews/issues/1130
>>>
>>> *TAG review status*
>>> Issues addressed
>>>
>>> *Risks*
>>>
>>> *Interoperability and Compatibility*
>>> *No information provided*
>>>
>>> *Gecko*: No signal (https://github.com/mozilla/standards-positions/issues/1280)
>>>
>>> *WebKit*: No signal (https://github.com/WebKit/standards-positions/issues/538) Tending towards positive.
>>>
>>> *Web developers*: No signals
>>>
>>> *Other signals*:
>>>
>>> *Security*
>>> Ideally, this will resolve security risks rather than creating them. That said, it is the first time we're exposing the same-site concept directly, and if developers aren't careful about how they do those comparisons (especially between browsers or browser versions with differing versions of the PSL), there's some risk that they'd cache an old decision that doesn't apply in the current version of the browser.
>>>
>>> *WebView application risks*
>>>
>>> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>>> *No information provided*
>>>
>>> *Debuggability*
>>> No special support; this is an API debuggable via devtools like any other.
>>>
>>> *Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?*
>>> Yes
>>>
>>> *Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
>>> Yes
>>>
>>> https://wpt.fyi/results/html/browsers/origin/?label=master&label=experimental&aligned
>>>
>>> *Flag name on about://flags*
>>> *No information provided*
>>>
>>> *Finch feature name*
>>> OriginAPI
>>>
>>> *Rollout plan*
>>> Will ship enabled for all users
>>>
>>> *Requires code in //chrome?*
>>> False
>>>
>>> *Tracking bug*
>>> https://issues.chromium.org/issues/434131026
>>>
>>> *Estimated milestones*
>>> Shipping on desktop 144
>>> Shipping on Android 144
>>> Shipping on WebView 144
>>>
>>> *Anticipated spec changes*
>>>
>>> Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).
>>> *No information provided*
>>>
>>> *Link to entry on the Chrome Platform Status*
>>> https://chromestatus.com/feature/5095541277065216?gate=6604674545352704
>>>
>>> This intent message was generated by Chrome Platform Status <https://chromestatus.com>.
>>> --
>>> You received this message because you are subscribed to the Google Groups "blink-dev" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/691dd83d.050a0220.2a427a.045f.GAE%40google.com <https://groups.google.com/a/chromium.org/d/msgid/blink-dev/691dd83d.050a0220.2a427a.045f.GAE%40google.com?utm_medium=email&utm_source=footer>.
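The opaque-origin point made in the reply at the top of this thread, as an added JavaScript example that is not part of the thread or of the Origin API proposal. `ModelOrigin` is a hypothetical stand-in that models tuple and opaque origins, and the `data:` and `example.com` URLs are constructed samples; it shows a comparison of serialized origins treating two distinct opaque origins as the same origin.

```javascript
// Added illustration. ModelOrigin is a hypothetical model of the origin concept,
// not the proposed Origin interface.
class ModelOrigin {
  // tuple is [scheme, host, port] for a tuple origin, or null for an opaque one.
  constructor(tuple) {
    this.tuple = tuple;
  }

  static fromURL(input) {
    const serialized = new URL(input).origin;
    // The URL getter serializes every opaque origin as the string "null";
    // each call here therefore mints a fresh opaque origin.
    if (serialized === "null") return new ModelOrigin(null);
    const parsed = new URL(serialized);
    return new ModelOrigin([parsed.protocol, parsed.hostname, parsed.port]);
  }

  get opaque() {
    return this.tuple === null;
  }

  isSameOrigin(other) {
    // Opaque origins match only themselves (object identity).
    if (this.opaque || other.opaque) return this === other;
    return this.tuple.every((part, i) => part === other.tuple[i]);
  }
}

// The string comparison that code built on serialized origins tends to use.
function sameOriginBySerialization(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

function compareChecks() {
  // Constructed sample URLs.
  const docA = "data:text/plain,a";
  const docB = "data:text/plain,b";
  const a = ModelOrigin.fromURL(docA);
  const b = ModelOrigin.fromURL(docB);
  const site = ModelOrigin.fromURL("https://example.com/app");
  return {
    stringOpaqueVsOpaque: sameOriginBySerialization(docA, docB),
    modelOpaqueVsOpaque: a.isSameOrigin(b),
    modelOpaqueVsSelf: a.isSameOrigin(a),
    modelDefaultPort: site.isSameOrigin(ModelOrigin.fromURL("https://example.com:443/x")),
    modelOtherPort: site.isSameOrigin(ModelOrigin.fromURL("https://example.com:8443/x")),
  };
}
```

Code that receives a serialized origin of `"null"` cannot tell which opaque origin produced it, so an allow-list check on serialized origins should never contain `"null"`.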
