LGTM1

I see the spec PR has been approved, which is great. Please make sure that
lands before the feature fully ships.

On Tue, Dec 2, 2025 at 12:17 AM Mike West <[email protected]> wrote:

> Friendly, post-holiday ping. :)
>
> If there's additional information I can provide, I'd be happy to.
>
> -mike
>
> On Thursday, November 20, 2025 at 5:41:06 PM UTC+1 Mike West wrote:
>
> (Apologies, Alex; you're getting this twice because I replied instead of
> reply-all'd.)
>
> Daniel: Thanks for correcting my link to the explainer. :) I've updated
> chromestatus accordingly.
>
> Yoav: I've requested reviews for the missing flags.
>
> Alex: We discussed this in the TAG review as well,
> https://github.com/w3ctag/design-reviews/issues/1130#issuecomment-3229508992 has some
> potentially helpful thoughts. TL;DR: the core thing that URL can't
> reasonably handle is an opaque origin. These should be same-origin with
> themselves, and cross-origin to every other opaque origin. That creates
> some sharp edges, particularly visible around navigations within
> `<iframe sandbox>`. `Origin` allows representation of those origins in a way that
> allows meaningful comparison.
>
> To a potential followup question: we do want to explain "origin of a URL",
> but rather than adding an `.originObject` getter to `URL`, we're running
> with the `Origin.from(any)` pattern introduced(?) in `Observable`. We could
> explore adding the functionality to URL as well, if developers tell us that
> would be helpful?
>
> -mike
>
> On Wed, Nov 19, 2025 at 5:35 PM Alex Russell <[email protected]>
> wrote:
>
> Thanks for the explainer link, Daniel.
>
> Mike:
>
> Saw a few considered alternatives in the explainer, which is great. Have
> you considered how this might be added to the URL object instead? Did you
> reject that for a reason I couldn't see?
>
> Best,
>
> Alex
>
> On Wednesday, November 19, 2025 at 8:16:27 AM UTC-8 Yoav Weiss wrote:
>
> Can you flip all the review bits in chromestatus.com? (enterprise,
> debuggability and testing are missing)
>
> On Wed, Nov 19, 2025 at 4:20 PM Daniel Bratell <[email protected]>
> wrote:
>
> Better explainer than the spec:
>
> https://github.com/mikewest/origin-api/blob/main/README.md
>
> /Daniel
> On 2025-11-19 15:46, Chromestatus wrote:
>
> *Contact emails*
> [email protected]
>
> *Explainer*
> https://mikewest.github.io/origin-api
>
> *Specification*
> https://github.com/whatwg/html/pull/11846
>
> *Summary*
> The origin is a fundamental component of the web’s implementation,
> essential to both the security and privacy boundaries which user agents
> maintain. The concept is well-defined between HTML and URL, along with
> widely-used adjacent concepts like "site". Origins, however, are not
> directly exposed to web developers. Though there are various origin getters
> on various objects, each of those returns the ASCII serialization of an
> origin, not the origin itself. This has a few negative implications.
> Practically, developers attempting to do same-origin or same-site
> comparisons when handling serialized origins often get things wrong in ways
> that lead to vulnerabilities. Philosophically, it seems like a missing
> security primitive that developers struggle to polyfill accurately. We can
> address this gap in the platform by introducing an Origin object that
> encapsulates the origin concept, and provides helpful methods for
> comparison, serialization, parsing, etc.
>
> *Blink component*
> Blink>SecurityFeature
> <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%22>
>
> *Web Feature ID*
> Missing feature
>
> *Motivation*
> *No information provided*
>
> *Initial public proposal*
> https://github.com/whatwg/html/issues/11534
>
> *TAG review*
> https://github.com/w3ctag/design-reviews/issues/1130
>
> *TAG review status*
> Issues addressed
>
> *Risks*
>
>
> *Interoperability and Compatibility*
> *No information provided*
>
> *Gecko*: No signal (https://github.com/mozilla/standards-positions/issues/1280)
>
> *WebKit*: No signal (https://github.com/WebKit/standards-positions/issues/538) Tending towards positive.
>
> *Web developers*: No signals
>
> *Other signals*:
>
> *Security*
> Ideally, this will resolve security risks rather than creating them. That
> said, it is the first time we're exposing the same-site concept directly,
> and if developers aren't careful about how they do those comparisons
> (especially between browsers or browser versions with differing versions of
> the PSL), there's some risk that they'd cache an old decision that doesn't
> apply in the current version of the browser.
>
> *WebView application risks*
>
> Does this intent deprecate or change behavior of existing APIs, such that
> it has potentially high risk for Android WebView-based applications?
> *No information provided*
>
>
> *Debuggability*
> No special support; this is an API debuggable via devtools like any other.
>
> *Will this feature be supported on all six Blink platforms (Windows, Mac,
> Linux, ChromeOS, Android, and Android WebView)?*
> Yes
>
> *Is this feature fully tested by web-platform-tests
> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
> Yes
> https://wpt.fyi/results/html/browsers/origin/?label=master&label=experimental&aligned
>
> *Flag name on about://flags*
> *No information provided*
>
> *Finch feature name*
> OriginAPI
>
> *Rollout plan*
> Will ship enabled for all users
>
> *Requires code in //chrome?*
> False
>
> *Tracking bug*
> https://issues.chromium.org/issues/434131026
>
> *Estimated milestones*
> Shipping on desktop 144
> Shipping on Android 144
> Shipping on WebView 144
>
> *Anticipated spec changes*
>
> Open questions about a feature may be a source of future web compat or
> interop issues. Please list open issues (e.g. links to known github issues
> in the project for the feature specification) whose resolution may
> introduce web compat/interop risk (e.g., changing to naming or structure of
> the API in a non-backward-compatible way).
> *No information provided*
>
> *Link to entry on the Chrome Platform Status*
> https://chromestatus.com/feature/5095541277065216?gate=6604674545352704
>
> This intent message was generated by Chrome Platform Status
> <https://chromestatus.com>.
> --
> You received this message because you are subscribed to the Google Groups
> "blink-dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/691dd83d.050a0220.2a427a.045f.GAE%40google.com.
>
>
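
The opaque-origin problem described in the quoted thread, as an added example that is not part of the original messages and is not the browser's `Origin` implementation. `OriginModel`, `fromURL`, `sameOriginBySerialization` and `demo` are hypothetical names, and the `data:` URLs are constructed inputs standing in for documents with opaque origins.

```javascript
// Simplified model for illustration only; it uses the standard URL class
// and does not reproduce the Origin interface in the HTML spec PR.

// Pitfall: comparing ASCII serializations. Every opaque origin
// serializes to the string "null", so distinct opaque origins "match".
function sameOriginBySerialization(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

class OriginModel {
  #tuple; // "scheme://host[:port]" for tuple origins, null for opaque ones

  constructor(tuple = null) {
    this.#tuple = tuple;
  }

  // Assumption of this model: each URL whose origin serializes to "null"
  // yields a fresh opaque origin, as each sandboxed document would have.
  static fromURL(input) {
    const serialized = new URL(input).origin;
    return new OriginModel(serialized === "null" ? null : serialized);
  }

  get opaque() {
    return this.#tuple === null;
  }

  // Opaque origins are same-origin only with themselves (object identity);
  // tuple origins compare by their normalized scheme/host/port.
  isSameOrigin(other) {
    if (this.opaque || other.opaque) return this === other;
    return this.#tuple === other.#tuple;
  }
}

function demo() {
  const frameA = OriginModel.fromURL("data:text/html,a"); // constructed input
  const frameB = OriginModel.fromURL("data:text/html,b"); // constructed input
  const site = OriginModel.fromURL("https://example.com/a");
  const sitePort = OriginModel.fromURL("https://example.com:443/b");
  return {
    stringsSayEqual: sameOriginBySerialization("data:text/html,a", "data:text/html,b"),
    opaqueCross: frameA.isSameOrigin(frameB),
    opaqueSelf: frameA.isSameOrigin(frameA),
    tupleSame: site.isSameOrigin(sitePort),
  };
}
```
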
