Thanks Ryosuke! From: Anne van Kesteren <annevk@annevk.nl>
On Fri, Aug 21, 2020 at 2:41 AM Ryosuke Niwa <rniwa@webkit.org> wrote:
I feel like I saw some discussions of also differentiating based on protocol (treating http://webkit.org and https://webkit.org differently). Do you know you've already had such a discussion and if so what the outcome of that discussion was?
The scheme is already part of an origin so that is definitely a boundary for this feature. However, I guess you're asking about the "normal" website security boundary, which is site (roughly scheme + registrable domain, exact definition in HTML). Site historically lacked scheme, but that was changed. There are still some features (primarily cookies) that compare sites and ignore the scheme (this operation is also defined in HTML), but those too have proposals to move away from that.
In addition to this, I'll note that the feature is currently specced to only work on secure contexts; on non-secure contexts the header is ignored. So, non-secure pages will always end up in the site-keyed agent cluster, i.e. there is no way to use this header to isolate http://example.com from http://sub.example.com/ like you can do for the https: counterparts.