take port into account for same-origin domain check #2792
Comments
The reason I can think of is that it might break sites (which could be unseen intranet deployments) and user expectations (it's always been a stated feature).
I've added use counters in Blink. Apparently, document.domain is set when the origin has the default port on 0.009705% of page loads, and with a non-default port for 0.000005% of page loads. Note that I'd be interested in implementing this :)
What do we do with cookies and WebAuthn? (They're meant to reuse "is a registrable domain suffix of or is equal to".)
HSTS's behavior is another consideration here -- enforcing HSTS Policy effectively uses "is a registrable domain suffix of or is equal to" matching, regardless of the presence of an explicit port. See also: https://tools.ietf.org/html/rfc6797#section-8.3 and https://tools.ietf.org/html/rfc6797#appendix-A item 6. See also: [JacksonBarth2008] http://seclab.stanford.edu/websec/origins/fgo.pdf
Given whatwg/fetch#687 (comment) and w3c/webauthn#873 I suggest we close this. If we cannot get this adopted for new mechanisms I don't think it's worth the effort to try to enable it for
Closing due to lack of success in getting this idea adopted in old or new technology.
We should consider not ignoring the port when comparing two origins with "same-origin domain".
I added a counter to Blink for how often we see document.domain being set when the port of the origin is not the default port, and so far (on beta) it looks like that almost never happens.
I'll report back once we hit stable.
Is there a fundamental reason why we can't do that?
/cc @mikewest @annevk @domenic @bzbarsky
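To make the behaviour under discussion concrete, here is an added model (not code from the HTML Standard, Blink, or this thread) of the spec's "same origin" and "same origin-domain" checks. Origins are modelled as `{scheme, host, port, domain}` tuples, `domain` being null until `document.domain` is set; the simplified `setDocumentDomain` helper omits the public-suffix check and is an assumption for illustration.

```javascript
// Model of the HTML Standard's origin comparisons (added example).
// Default ports are filled in so "https://a.example" and
// "https://a.example:443" compare as the same origin.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

function parseOrigin(url, domain = null) {
  const u = new URL(url);
  const port = u.port === "" ? (DEFAULT_PORTS[u.protocol] || null) : Number(u.port);
  return { scheme: u.protocol, host: u.hostname, port, domain };
}

// "same origin": scheme, host AND port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "same origin-domain": once both sides have set document.domain, only
// scheme and domain are compared, so the port is ignored. This is the
// gap issue #2792 proposes to close.
function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  return a.domain === null && b.domain === null && sameOrigin(a, b);
}

// Simplified document.domain setter: the value must equal the host or be
// a suffix of it ("is a registrable domain suffix of or is equal to").
// Assumption: the public suffix list check is left out for brevity.
function setDocumentDomain(origin, value) {
  if (value !== origin.host && !origin.host.endsWith("." + value)) {
    throw new Error("SecurityError: " + value + " is not a suffix of " + origin.host);
  }
  return { ...origin, domain: value };
}

// Returns true when two origins that differ only by port become
// same origin-domain after both set document.domain to `domain`.
function portIgnoredAfterDomainSet(urlA, urlB, domain) {
  const a = setDocumentDomain(parseOrigin(urlA), domain);
  const b = setDocumentDomain(parseOrigin(urlB), domain);
  return !sameOrigin(a, b) && sameOriginDomain(a, b);
}
```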