LGTM3

On 12/3/25 8:12 a.m., Vladimir Levin wrote:
LGTM2

On Wednesday, December 3, 2025 at 11:07:16 AM UTC-5 Chris Harrelson wrote:

    LGTM1

    I see the spec PR has been approved, which is great. Please make
    sure that lands before the feature fully ships.

    On Tue, Dec 2, 2025 at 12:17 AM Mike West <[email protected]> wrote:

        Friendly, post-holiday ping. :)

        If there's additional information I can provide, I'd be happy to.

        -mike

        On Thursday, November 20, 2025 at 5:41:06 PM UTC+1 Mike West
        wrote:

            (Apologies, Alex; you're getting this twice because I
            replied instead of reply-all'd.)

            Daniel: Thanks for correcting my link to the explainer. :)
            I've updated chromestatus accordingly.

            Yoav: I've requested reviews for the missing flags.

            Alex: We discussed this in the TAG review as well,
            https://github.com/w3ctag/design-reviews/issues/1130#issuecomment-3229508992
            has some potentially helpful thoughts. TL;DR: the core
            thing that URL can't reasonably handle is an opaque
            origin. These should be same-origin with themselves, and
            cross-origin to every other opaque origin. That creates
            some sharp edges, particularly visible around navigations
            within `<iframe sandbox>`. `Origin` allows representation
            of those origins in a way that allows meaningful comparison.

            To a potential followup question: we do want to explain
            "origin of a URL", but rather than adding an
            `.originObject` getter to `URL`, we're running with the
            `Origin.from(any)` pattern introduced(?) in `Observable`.
            We could explore adding the functionality to URL as well,
            if developers tell us that would be helpful?

            -mike

            On Wed, Nov 19, 2025 at 5:35 PM Alex Russell
            <[email protected]> wrote:

                Thanks for the explainer link, Daniel.

                Mike:

                Saw a few considered alternatives in the explainer,
                which is great. Have you considered how this might be
                added to the URL object instead? Did you reject that
                for a reason I couldn't see?

                Best,

                Alex

                On Wednesday, November 19, 2025 at 8:16:27 AM UTC-8
                Yoav Weiss wrote:

                    Can you flip all the review bits in
                    chromestatus.com?
                    (enterprise, debuggability and testing are missing)

                    On Wed, Nov 19, 2025 at 4:20 PM Daniel Bratell
                    <[email protected]> wrote:

                        Better explainer than the spec:

                        
                        https://github.com/mikewest/origin-api/blob/main/README.md

                        /Daniel

                        On 2025-11-19 15:46, Chromestatus wrote:
                        *Contact emails*
                        [email protected]

                        *Explainer*
                        https://mikewest.github.io/origin-api

                        *Specification*
                        https://github.com/whatwg/html/pull/11846

                        *Summary*
                        The origin is a fundamental component of the
                        web’s implementation, essential to both the
                        security and privacy boundaries which user
                        agents maintain. The concept is well-defined
                        between HTML and URL, along with widely-used
                        adjacent concepts like "site". Origins,
                        however, are not directly exposed to web
                        developers. Though there are various origin
                        getters on various objects, each of those
                        returns the ASCII serialization of an origin,
                        not the origin itself. This has a few
                        negative implications. Practically,
                        developers attempting to do same-origin or
                        same-site comparisons when handling
                        serialized origins often get things wrong in
                        ways that lead to vulnerabilities.
                        Philosophically, it seems like a missing
                        security primitive that developers struggle
                        to polyfill accurately. We can address this
                        gap in the platform by introducing an Origin
                        object that encapsulates the origin concept,
                        and provides helpful methods for comparison,
                        serialization, parsing, etc.

                        *Blink component*
                        Blink>SecurityFeature
                        <https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%22>

                        *Web Feature ID*
                        Missing feature

                        *Motivation*
                        /No information provided/

                        *Initial public proposal*
                        https://github.com/whatwg/html/issues/11534

                        *TAG review*
                        https://github.com/w3ctag/design-reviews/issues/1130


                        *TAG review status*
                        Issues addressed

                        *Risks*


                        *Interoperability and Compatibility*
                        /No information provided/

                        /Gecko/: No signal
                        (https://github.com/mozilla/standards-positions/issues/1280)

                        /WebKit/: No signal
                        (https://github.com/WebKit/standards-positions/issues/538)
                        Tending towards positive.

                        /Web developers/: No signals

                        /Other signals/:

                        *Security*
                        Ideally, this will resolve security risks
                        rather than creating them. That said, it is
                        the first time we're exposing the same-site
                        concept directly, and if developers aren't
                        careful about how they do those comparisons
                        (especially between browsers or browser
                        versions with differing versions of the PSL),
                        there's some risk that they'd cache an old
                        decision that doesn't apply in the current
                        version of the browser.

                        *WebView application risks*

                        Does this intent deprecate or change behavior
                        of existing APIs, such that it has
                        potentially high risk for Android
                        WebView-based applications?

                        /No information provided/


                        *Debuggability*
                        No special support; this is an API debuggable
                        via devtools like any other.

                        *Will this feature be supported on all six
                        Blink platforms (Windows, Mac, Linux,
                        ChromeOS, Android, and Android WebView)?*
                        Yes

                        *Is this feature fully tested by
                        web-platform-tests
                        <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
                        Yes
                        https://wpt.fyi/results/html/browsers/origin/?label=master&label=experimental&aligned

                        *Flag name on about://flags*
                        /No information provided/

                        *Finch feature name*
                        OriginAPI

                        *Rollout plan*
                        Will ship enabled for all users

                        *Requires code in //chrome?*
                        False

                        *Tracking bug*
                        https://issues.chromium.org/issues/434131026

                        *Estimated milestones*
                        Shipping on desktop 144
                        Shipping on Android 144
                        Shipping on WebView 144

                        *Anticipated spec changes*

                        Open questions about a feature may be a
                        source of future web compat or interop
                        issues. Please list open issues (e.g. links
                        to known github issues in the project for the
                        feature specification) whose resolution may
                        introduce web compat/interop risk (e.g.,
                        changing to naming or structure of the API in
                        a non-backward-compatible way).

                        /No information provided/

                        *Link to entry on the Chrome Platform Status*
                        
                        https://chromestatus.com/feature/5095541277065216?gate=6604674545352704

                        This intent message was generated by Chrome
                        Platform Status <https://chromestatus.com>.

                        --
                        You received this message because you are
                        subscribed to the Google Groups "blink-dev"
                        group.
                        To unsubscribe from this group and stop
                        receiving emails from it, send an email to
                        [email protected].
                        To view this discussion visit
                        https://groups.google.com/a/chromium.org/d/msgid/blink-dev/691dd83d.050a0220.2a427a.045f.GAE%40google.com
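
The opaque-origin pitfall Mike West describes in the thread above, and the serialized-origin comparison problem from the intent's Summary, as an added example that is not part of the thread and does not use the proposed Origin API: `originOf`, `sameOrigin` and `isAllowedSerializedOrigin` are hypothetical helpers built on the standard `URL` class, and the URLs are constructed samples.

```javascript
// Constructed sample URLs: two unrelated documents whose origins are opaque.
const frameA = new URL("data:text/html,<p>frame A</p>");
const frameB = new URL("data:text/html,<p>frame B</p>");

// Naive check: compares ASCII serializations. Every opaque origin
// serializes to the string "null", so unrelated opaque origins "match".
function naiveSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Hypothetical stand-in for an origin value. Tuple origins carry
// scheme/host/port; each opaque origin is a fresh object, so it is
// equal only to itself.
function originOf(url) {
  const u = new URL(url);
  if (u.origin === "null") return { opaque: true };
  return { opaque: false, scheme: u.protocol, host: u.hostname, port: u.port };
}

// Same-origin with itself, cross-origin to every other opaque origin.
function sameOrigin(x, y) {
  if (x.opaque || y.opaque) return x === y; // identity comparison only
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Guard for code that only receives a serialized origin (for example a
// message event's origin string): "null" cannot identify a sender, so
// fail closed even if "null" was mistakenly put on the allowlist.
function isAllowedSerializedOrigin(serialized, allowlist) {
  if (serialized === "null") return false;
  return allowlist.includes(serialized);
}

console.log(naiveSameOrigin(frameA, frameB));                // string match
console.log(sameOrigin(originOf(frameA), originOf(frameB))); // distinct opaque origins
```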