Better explainer than the spec:
https://github.com/mikewest/origin-api/blob/main/README.md
/Daniel
On 2025-11-19 15:46, Chromestatus wrote:
*Contact emails*
[email protected]
*Explainer*
https://mikewest.github.io/origin-api
*Specification*
https://github.com/whatwg/html/pull/11846
*Summary*
The origin is a fundamental component of the web’s implementation,
essential to both the security and privacy boundaries which user
agents maintain. The concept is well-defined between HTML and URL,
along with widely-used adjacent concepts like "site". Origins,
however, are not directly exposed to web developers. Though there are
various origin getters on various objects, each of those returns the
ASCII serialization of an origin, not the origin itself. This has a
few negative implications. Practically, developers attempting to do
same-origin or same-site comparisons when handling serialized origins
often get things wrong in ways that lead to vulnerabilities.
Philosophically, it seems like a missing security primitive that
developers struggle to polyfill accurately. We can address this gap in
the platform by introducing an Origin object that encapsulates the
origin concept, and provides helpful methods for comparison,
serialization, parsing, etc.
*Blink component*
Blink>SecurityFeature
<https://issues.chromium.org/issues?q=customfield1222907:%22Blink%3ESecurityFeature%22>
*Web Feature ID*
Missing feature
*Motivation*
/No information provided/
*Initial public proposal*
https://github.com/whatwg/html/issues/11534
*TAG review*
https://github.com/w3ctag/design-reviews/issues/1130
*TAG review status*
Issues addressed
*Risks*
*Interoperability and Compatibility*
/No information provided/
/Gecko/: No signal (https://github.com/mozilla/standards-positions/issues/1280)
/WebKit/: No signal (https://github.com/WebKit/standards-positions/issues/538) Tending towards positive.
/Web developers/: No signals
/Other signals/:
*Security*
Ideally, this will resolve security risks rather than creating them.
That said, it is the first time we're exposing the same-site concept
directly, and if developers aren't careful about how they do those
comparisons (especially between browsers or browser versions with
differing versions of the PSL), there's some risk that they'd cache an
old decision that doesn't apply in the current version of the browser.
*WebView application risks*
Does this intent deprecate or change behavior of existing APIs, such
that it has potentially high risk for Android WebView-based applications?
/No information provided/
*Debuggability*
No special support; this is an API debuggable via devtools like any
other.
*Will this feature be supported on all six Blink platforms (Windows,
Mac, Linux, ChromeOS, Android, and Android WebView)?*
Yes
*Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?*
Yes
https://wpt.fyi/results/html/browsers/origin/?label=master&label=experimental&aligned
*Flag name on about://flags*
/No information provided/
*Finch feature name*
OriginAPI
*Rollout plan*
Will ship enabled for all users
*Requires code in //chrome?*
False
*Tracking bug*
https://issues.chromium.org/issues/434131026
*Estimated milestones*
Shipping on desktop 144
Shipping on Android 144
Shipping on WebView 144
*Anticipated spec changes*
Open questions about a feature may be a source of future web compat or
interop issues. Please list open issues (e.g. links to known github
issues in the project for the feature specification) whose resolution
may introduce web compat/interop risk (e.g., changing to naming or
structure of the API in a non-backward-compatible way).
/No information provided/
*Link to entry on the Chrome Platform Status*
https://chromestatus.com/feature/5095541277065216?gate=6604674545352704
This intent message was generated by Chrome Platform Status
<https://chromestatus.com>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/691dd83d.050a0220.2a427a.045f.GAE%40google.com
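Added example, not part of the original message or of the Origin API proposal: the Summary's point that comparisons on serialized origins (such as the string in `MessageEvent.origin`) often go wrong, shown with three fragile checks next to a stricter string-based comparison built only on the standard `URL` class. All hostnames and helper names are constructed for illustration, and same-site checks are not covered because they need Public Suffix List data.

```javascript
// Constructed trusted origin; every hostname in this block is made up.
const TRUSTED = "https://app.example";

// Fragile checks on serialized origins.
const prefixCheck = (o) => o.startsWith(TRUSTED);     // no host boundary
const suffixCheck = (o) => o.endsWith("app.example"); // no label boundary, no scheme
const naiveEqual = (a, b) => a === b;                 // "null" === "null"

// Parse a serialized origin; return its canonical form, or null when the
// input is opaque, unparseable, or carries more than an origin.
function canonicalOrigin(s) {
  if (typeof s !== "string" || s === "null") return null;
  let u;
  try { u = new URL(s); } catch { return null; }
  // URL.origin is "null" for schemes without a tuple origin (data:, file:, ...).
  if (u.origin === "null") return null;
  if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
  return u.origin; // lowercased host, default port dropped
}

// Opaque origins all serialize to "null", so as strings they can never be
// shown to match: treat them as not same-origin with anything.
function sameOriginSerialized(a, b) {
  const oa = canonicalOrigin(a);
  const ob = canonicalOrigin(b);
  return oa !== null && oa === ob;
}

// Run every check over constructed sample inputs and return the results.
function compareChecks() {
  const samples = [
    "https://app.example",            // exact match
    "https://app.example:443",        // same origin, explicit default port
    "https://app.example.evil.test",  // passes prefixCheck
    "https://evil-app.example",       // passes suffixCheck
    "http://app.example",             // scheme differs, passes suffixCheck
    "null",                           // opaque origin
  ];
  return samples.map((o) => ({
    origin: o,
    prefix: prefixCheck(o),
    suffix: suffixCheck(o),
    equal: naiveEqual(o, TRUSTED),
    strict: sameOriginSerialized(o, TRUSTED),
  }));
}

console.table(compareChecks());
```
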