[webkit-dev] Request for position on the Origin-Isolation header
Anne van Kesteren
annevk at annevk.nl
Fri Aug 21 00:08:51 PDT 2020
On Fri, Aug 21, 2020 at 2:41 AM Ryosuke Niwa <rniwa at webkit.org> wrote:
> I feel like I saw some discussions of also differentiating based on
> protocol (treating http://webkit.org and https://webkit.org
> differently). Do you know you've already had such a discussion and if
> so what the outcome of that discussion was?
The scheme is already part of an origin so that is definitely a
boundary for this feature. However, I guess you're asking about the
"normal" website security boundary, which is site (roughly scheme +
registrable domain, exact definition in HTML). Site historically
lacked scheme, but that was changed. There are still some features
(primarily cookies) that compare sites and ignore the scheme (this
operation is also defined in HTML), but those too have proposals to
move away from that.
More information about the webkit-dev
mailing list