Thanks Ryosuke!
From: Anne van Kesteren
> On Fri, Aug 21, 2020 at 2:41 AM Ryosuke Niwa wrote:
>> I feel like I saw some discussions of also differentiating based on
>> protocol (treating http://webkit.org and https://webkit.org
>> differently). Do you know if you've already had such a discussion and if
>> so what the outcome of that discussion was?
>
> The scheme is already part of an origin so that is definitely a boundary for
> this feature. However, I guess you're asking about the "normal" website
> security boundary, which is site (roughly scheme + registrable domain, exact
> definition in HTML). Site historically lacked scheme, but that was changed.
> There are still some features (primarily cookies) that compare sites and
> ignore the scheme (this operation is also defined in HTML), but those too
> have proposals to move away from that.

In addition to this, I'll note that the feature is currently specced to only
work on secure contexts; on non-secure contexts the header is ignored. So,
non-secure pages will always end up in the site-keyed agent cluster, i.e. there
is no way to use this header to isolate http://example.com from
http://sub.example.com/ like you can do for the https: counterparts.
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev