Use same origin checks instead of same origin-domain ones #236
Please add reviewers if you think we might need.
Would have been good with a more descriptive commit message
I'll change it when merging
@kenchris How about: " [1] https://html.spec.whatwg.org/multipage/browsers.html#relaxing-the-same-origin-restriction
lgtm too
In addition to improving the PR/commit message, please use a better title too: "fix A to B" is not a very usual construct. How about something like "Use same origin checks instead of same origin-domain ones"?
From different sources [1][2][3], it looks like same origin-domain is no longer recommended. There is no obvious reason to keep same origin-domain in compute pressure specifications. Instead same origin seems to be a better security check.

[1] https://html.spec.whatwg.org/multipage/browsers.html#relaxing-the-same-origin-restriction
[2] https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/platform/weborigin/security_origin.h;l=313;drc=933be5e5db24585647edcd7f507ba2d48c5757c8
[3] https://dontcallmedom.github.io/webdex/s.html

Fixes w3c#187
Fixes #187
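
The difference between the two checks named in the title, as an added example that is not part of this PR or of the specification text: it models the HTML Standard's "same origin" and "same origin-domain" comparisons for tuple origins only. The `originOf` helper, the object shape and the `example.test` hosts are assumptions made for illustration.

```javascript
// Tuple origins are modelled as { scheme, host, port, domain }.
// domain stays null unless the page has set document.domain.
// Opaque origins are left out of this sketch.

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function sameOriginDomain(a, b) {
  // Both sides relaxed to the same domain: host and port are not compared.
  if (a.scheme === b.scheme && a.domain !== null && a.domain === b.domain) {
    return true;
  }
  // Otherwise same origin is required, and neither side may have set a domain.
  return sameOrigin(a, b) && a.domain === null && b.domain === null;
}

// Hypothetical helper: build a tuple origin from a URL string.
function originOf(url, domain = null) {
  const u = new URL(url);
  const defaultPorts = { "https:": 443, "http:": 80 };
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    port: u.port === "" ? defaultPorts[u.protocol] : Number(u.port),
    domain,
  };
}

// Constructed sample origins (example.test is a placeholder name).
const app = originOf("https://app.example.test/");
const appRelaxed = originOf("https://app.example.test/", "example.test");
const otherRelaxed = originOf("https://other.example.test:8443/", "example.test");

function compare() {
  const both = (a, b) => ({
    sameOrigin: sameOrigin(a, b),
    sameOriginDomain: sameOriginDomain(a, b),
  });
  return {
    relaxedPair: both(appRelaxed, otherRelaxed), // different host and port, same document.domain
    mixedPair: both(app, appRelaxed),            // identical tuple, only one side set document.domain
    plainPair: both(app, app),                   // identical tuple, no document.domain
  };
}

console.log(compare());
```

The two checks disagree in both directions: the relaxed pair passes only same origin-domain, while the mixed pair passes only same origin.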