[webkit-dev] Request for position on the Origin-Isolation header
Domenic Denicola
d at domenic.me
Fri Aug 21 07:52:56 PDT 2020
Thanks Ryosuke!
From: Anne van Kesteren <annevk at annevk.nl>
> On Fri, Aug 21, 2020 at 2:41 AM Ryosuke Niwa <rniwa at webkit.org> wrote:
>> I feel like I saw some discussions of also differentiating based on
>> protocol (treating http://webkit.org and https://webkit.org
>> differently). Do you know you've already had such a discussion and if
>> so what the outcome of that discussion was?
>
> The scheme is already part of an origin so that is definitely a boundary for this feature. However, I guess you're asking about the "normal" website security boundary, which is site (roughly scheme + registrable domain, exact definition in HTML). Site historically lacked scheme, but that was changed. There are still some features (primarily cookies) that compare sites and ignore the scheme (this operation is also defined in HTML), but those too have proposals to move away from that.
In addition to this, I'll note that the feature is currently specced to only work on secure contexts; on non-secure contexts the header is ignored. So, non-secure pages will always end up in the site-keyed agent cluster, i.e. there is no way to use this header to isolate http://example.com from http://sub.example.com/ like you can do for the https: counterparts.
More information about the webkit-dev
mailing list