Thanks Ryosuke!

From: Anne van Kesteren <ann...@annevk.nl> 

> On Fri, Aug 21, 2020 at 2:41 AM Ryosuke Niwa <rn...@webkit.org> wrote:
>> I feel like I saw some discussions of also differentiating based on 
>> protocol (treating http://webkit.org and https://webkit.org 
>> differently). Do you know you've already had such a discussion and if 
>> so what the outcome of that discussion was?
>
> The scheme is already part of an origin so that is definitely a boundary for 
> this feature. However, I guess you're asking about the "normal" website 
> security boundary, which is site (roughly scheme + registrable domain, exact 
> definition in HTML). Site historically lacked scheme, but that was changed. 
> There are still some features (primarily cookies) that compare sites and 
> ignore the scheme (this operation is also defined in HTML), but those too 
> have proposals to move away from that.

In addition to this, I'll note that the feature is currently specced to only 
work on secure contexts; on non-secure contexts the header is ignored. So, 
non-secure pages will always end up in the site-keyed agent cluster, i.e. there 
is no way to use this header to isolate http://example.com from 
http://sub.example.com/ like you can do for the https: counterparts.
_______________________________________________
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev
