Use same origin checks instead of same origin-domain ones #236

Merged
merged 1 commit into from
Oct 2, 2023

@arskama arskama commented Sep 28, 2023

Fixes #187


arskama commented Sep 28, 2023

Please add reviewers if you think we might need any.

@kenchris kenchris left a comment


Would have been good with a more descriptive commit message


arskama commented Sep 29, 2023

> Would have been good with a more descriptive commit message

I'll change it when merging


arskama commented Sep 29, 2023

@kenchris How about:

"
From different sources [1][2][3], it looks like same origin-domain is no longer recommended.
There is no obvious reason to keep same origin-domain in compute pressure specifications.
Instead, same origin seems to be a better security check.

[1] https://html.spec.whatwg.org/multipage/browsers.html#relaxing-the-same-origin-restriction
[2] https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/weborigin/security_origin.h;l=313;drc=933be5e5db24585647edcd7f507ba2d48c5757c8
[3] https://dontcallmedom.github.io/webdex/s.html
"

@rakuco rakuco left a comment


lgtm too

In addition to improving the PR/commit message, please use a better title too: "fix A to B" is not a very usual construct. How about something like "Use same origin checks instead of same origin-domain ones"?

From different sources [1][2][3], it looks like same origin-domain is no longer recommended.
There is no obvious reason to keep same origin-domain in compute pressure specifications.
Instead, same origin seems to be a better security check.

[1] https://html.spec.whatwg.org/multipage/browsers.html#relaxing-the-same-origin-restriction
[2] https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/weborigin/security_origin.h;l=313;drc=933be5e5db24585647edcd7f507ba2d48c5757c8
[3] https://dontcallmedom.github.io/webdex/s.html

Fixes w3c#187
@arskama arskama changed the title from "Fix same origin-domain to same origin" to "Use same origin checks instead of same origin-domain ones" Oct 2, 2023
@arskama arskama merged commit 34af5b1 into w3c:main Oct 2, 2023
2 checks passed
Successfully merging this pull request may close these issues.

Does the privacy test need a same origin-domain or a same origin check?
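
The difference between the two checks that the commit message contrasts, as an added example that is not part of this pull request or of any specification text: a small JavaScript model of the HTML Standard's "same origin" and "same origin-domain" comparisons. The origin record shape, the helper names and the example.com hosts are assumptions constructed for the illustration.

```javascript
// Added illustration (not from the PR). A tuple origin is modelled as
// { scheme, host, port, domain }; `domain` stays null unless the document
// set document.domain. An opaque origin is modelled as a unique Symbol.
function tupleOrigin(url, domain = null) {
  const u = new URL(url);
  const defaultPort = { "https:": "443", "http:": "80" }[u.protocol] ?? "";
  return { scheme: u.protocol.slice(0, -1), host: u.hostname,
           port: u.port || defaultPort, domain };
}

const isOpaque = (o) => typeof o === "symbol";

// "same origin": scheme, host and port must all match; domain is ignored.
function sameOrigin(a, b) {
  if (isOpaque(a) || isOpaque(b)) return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "same origin-domain": identical non-null domains replace the host/port
// comparison; otherwise both domains must be null and the origins same origin.
function sameOriginDomain(a, b) {
  if (isOpaque(a) || isOpaque(b)) return a === b;
  if (a.scheme === b.scheme && a.domain !== null && a.domain === b.domain) return true;
  return sameOrigin(a, b) && a.domain === null && b.domain === null;
}

// Constructed cases showing where the two checks disagree.
function compareCases() {
  const both = (a, b) => ({ sameOrigin: sameOrigin(a, b),
                            sameOriginDomain: sameOriginDomain(a, b) });
  const opaque = Symbol("sandboxed");
  return {
    // Different hosts and ports, both relaxed to the same document.domain.
    relaxed: both(tupleOrigin("https://app.example.com/", "example.com"),
                  tupleOrigin("https://ads.example.com:8443/", "example.com")),
    // Identical URL, but only one side set document.domain.
    oneSided: both(tupleOrigin("https://app.example.com/", "example.com"),
                   tupleOrigin("https://app.example.com/")),
    // Identical URL, document.domain never touched.
    untouched: both(tupleOrigin("https://app.example.com/a"),
                    tupleOrigin("https://app.example.com/b")),
    // An opaque origin only matches itself.
    opaqueSelf: both(opaque, opaque),
    opaqueOther: both(opaque, Symbol("sandboxed")),
  };
}
```

In the `relaxed` case a same origin-domain check accepts two documents that differ in host and port, which a same origin check rejects; the `oneSided` case shows the two checks disagreeing in the other direction.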