Friendly, post-holiday ping. :)

If there's additional information I can provide, I'd be happy to.

-mike

On Thursday, November 20, 2025 at 5:41:06 PM UTC+1 Mike West wrote:

(Apologies, Alex; you're getting this twice because I replied instead of 
reply-all'd.)

Daniel: Thanks for correcting my link to the explainer. :) I've updated 
chromestatus accordingly.

Yoav: I've requested reviews for the missing flags.

Alex: We discussed this in the TAG review as well, 
https://github.com/w3ctag/design-reviews/issues/1130#issuecomment-3229508992 has some 
potentially helpful thoughts. TL;DR: the core thing that URL can't 
reasonably handle is an opaque origin. These should be same-origin with 
themselves, and cross-origin to every other opaque origin. That creates 
some sharp edges, particularly visible around navigations within `<iframe 
sandbox>`. `Origin` allows representation of those origins in a way that 
allows meaningful comparison.

To a potential followup question: we do want to explain "origin of a URL", 
but rather than adding an `.originObject` getter to `URL`, we're running 
with the `Origin.from(any)` pattern introduced(?) in `Observable`. We could 
explore adding the functionality to URL as well, if developers tell us that 
would be helpful?

-mike

On Wed, Nov 19, 2025 at 5:35 PM Alex Russell <[email protected]> 
wrote:

Thanks for the explainer link, Daniel.

Mike:

Saw a few considered alternatives in the explainer, which is great. Have 
you considered how this might be added to the URL object instead? Did you 
reject that for a reason I couldn't see?

Best,

Alex

On Wednesday, November 19, 2025 at 8:16:27 AM UTC-8 Yoav Weiss wrote:

Can you flip all the review bits in chromestatus.com? (enterprise, 
debuggability and testing are missing)

On Wed, Nov 19, 2025 at 4:20 PM Daniel Bratell <[email protected]> wrote:

Better explainer than the spec:

https://github.com/mikewest/origin-api/blob/main/README.md

/Daniel
On 2025-11-19 15:46, Chromestatus wrote:

*Contact emails*
[email protected]

*Explainer*
https://mikewest.github.io/origin-api

*Specification*
https://github.com/whatwg/html/pull/11846 

*Summary*
The origin is a fundamental component of the web’s implementation, 
essential to both the security and privacy boundaries which user agents 
maintain. The concept is well-defined between HTML and URL, along with 
widely-used adjacent concepts like "site". Origins, however, are not 
directly exposed to web developers. Though there are various origin getters 
on various objects, each of those returns the ASCII serialization of an 
origin, not the origin itself. This has a few negative implications. 
Practically, developers attempting to do same-origin or same-site 
comparisons when handling serialized origins often get things wrong in ways 
that lead to vulnerabilities. Philosophically, it seems like a missing 
security primitive that developers struggle to polyfill accurately. We can 
address this gap in the platform by introducing an Origin object that 
encapsulates the origin concept, and provides helpful methods for 
comparison, serialization, parsing, etc. 

*Blink component*
Blink>SecurityFeature 
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%22>

*Web Feature ID*
Missing feature 

*Motivation*
*No information provided* 

*Initial public proposal*
https://github.com/whatwg/html/issues/11534

*TAG review*
https://github.com/w3ctag/design-reviews/issues/1130 

*TAG review status*
Issues addressed 

*Risks*


*Interoperability and Compatibility*
*No information provided* 

*Gecko*: No signal (https://github.com/mozilla/standards-positions/issues/1280)

*WebKit*: No signal (https://github.com/WebKit/standards-positions/issues/538) Tending towards positive.

*Web developers*: No signals

*Other signals*:

*Security*
Ideally, this will resolve security risks rather than creating them. That 
said, it is the first time we're exposing the same-site concept directly, 
and if developers aren't careful about how they do those comparisons 
(especially between browsers or browser versions with differing versions of 
the PSL), there's some risk that they'd cache an old decision that doesn't 
apply in the current version of the browser.

*WebView application risks*

Does this intent deprecate or change behavior of existing APIs, such that 
it has potentially high risk for Android WebView-based applications? 
*No information provided* 


*Debuggability*
No special support; this is an API debuggable via devtools like any other. 

*Will this feature be supported on all six Blink platforms (Windows, Mac, 
Linux, ChromeOS, Android, and Android WebView)?*
Yes

*Is this feature fully tested by web-platform-tests 
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
Yes 
https://wpt.fyi/results/html/browsers/origin/?label=master&label=experimental&aligned

*Flag name on about://flags*
*No information provided* 

*Finch feature name*
OriginAPI 

*Rollout plan*
Will ship enabled for all users

*Requires code in //chrome?*
False

*Tracking bug*
https://issues.chromium.org/issues/434131026

*Estimated milestones*
Shipping on desktop 144
Shipping on Android 144
Shipping on WebView 144

*Anticipated spec changes*

Open questions about a feature may be a source of future web compat or 
interop issues. Please list open issues (e.g. links to known github issues 
in the project for the feature specification) whose resolution may 
introduce web compat/interop risk (e.g., changing to naming or structure of 
the API in a non-backward-compatible way). 
*No information provided*

*Link to entry on the Chrome Platform Status*
https://chromestatus.com/feature/5095541277065216?gate=6604674545352704

This intent message was generated by Chrome Platform Status 
<https://chromestatus.com>. 
-- 
You received this message because you are subscribed to the Google Groups 
"blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an 
email to [email protected].
To view this discussion visit 
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/691dd83d.050a0220.2a427a.045f.GAE%40google.com.


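The thread's point about serialized origins and opaque origins, as an added example that is not code from the thread, the explainer or Chromium: comparing `URL.origin` strings treats two unrelated opaque origins as equal, while a comparison on origin objects can keep them apart. `ModelOrigin`, `naiveSameOrigin`, `demo` and the sample URLs are constructed for illustration; `ModelOrigin` is a hypothetical model, not the proposed `Origin` interface.

```javascript
// Added illustration. ModelOrigin is a hypothetical model, not the proposed Origin interface.

// The common shortcut: compare ASCII serializations. Every opaque origin
// serializes to the same string, "null", so distinct opaque origins look equal.
function naiveSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

class ModelOrigin {
  #tuple; // serialized scheme/host/port for tuple origins, null for opaque ones

  constructor(tuple) { this.#tuple = tuple; }

  // Assumption for this model: each call on a URL whose origin is opaque
  // mints a fresh opaque origin, distinct from every other one.
  static fromURL(input) {
    const serialized = new URL(input).origin;
    return new ModelOrigin(serialized === "null" ? null : serialized);
  }

  get opaque() {
    return this.#tuple === null;
  }

  // Opaque origins are same-origin only with themselves (object identity);
  // tuple origins compare by scheme, host and port.
  isSameOrigin(other) {
    if (this.opaque || other.opaque) return this === other;
    return this.#tuple === other.#tuple;
  }

  toString() {
    return this.opaque ? "null" : this.#tuple;
  }
}

// Constructed sample inputs: two unrelated data: documents and one https origin.
function demo() {
  const a = ModelOrigin.fromURL("data:text/html,first");
  const b = ModelOrigin.fromURL("data:text/html,second");
  const site = ModelOrigin.fromURL("https://example.com/app");
  return {
    naive: naiveSameOrigin("data:text/html,first", "data:text/html,second"),
    opaqueSelf: a.isSameOrigin(a),
    opaqueOther: a.isSameOrigin(b),
    tuple: site.isSameOrigin(ModelOrigin.fromURL("https://example.com:443/x")),
  };
}
```

Here `naive` is true for the two `data:` documents even though they are cross-origin to each other, which is the kind of mistaken same-origin decision the Summary describes.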