Thanks Ryosuke!

From: Anne van Kesteren <> 

> On Fri, Aug 21, 2020 at 2:41 AM Ryosuke Niwa <> wrote:
>> I feel like I saw some discussions of also differentiating based on 
>> protocol (treating and 
>> differently). Do you know if you've already had such a discussion and if 
>> so what the outcome of that discussion was?
> The scheme is already part of an origin so that is definitely a boundary for 
> this feature. However, I guess you're asking about the "normal" website 
> security boundary, which is site (roughly scheme + registrable domain, exact 
> definition in HTML). Site historically lacked scheme, but that was changed. 
> There are still some features (primarily cookies) that compare sites and 
> ignore the scheme (this operation is also defined in HTML), but those too 
> have proposals to move away from that.

In addition to this, I'll note that the feature is currently specced to only 
work on secure contexts; on non-secure contexts the header is ignored. So, 
non-secure pages will always end up in the site-keyed agent cluster, i.e. there 
is no way to use this header to isolate from like you can do for the https: counterparts.
webkit-dev mailing list
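
The keying rule discussed in this thread, as an added illustration that is not part of any message and is not spec or browser code. The function names and the `headerSent` flag (standing in for the header under discussion) are hypothetical; the registrable domain is approximated as the last two host labels instead of a Public Suffix List lookup, and "secure context" is reduced to an `https:` scheme.

```javascript
// Added example: which agent-cluster key a page ends up with.
// Sample URLs below are constructed for illustration.

// Assumption: last two labels stand in for the registrable domain.
// Real browsers consult the Public Suffix List (e.g. "example.co.uk").
function registrableDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Assumption: a secure context is simplified to "scheme is https:".
function isSecureContext(url) {
  return url.protocol === "https:";
}

// headerSent: whether the response carried the isolation header.
function agentClusterKey(urlString, headerSent) {
  const url = new URL(urlString);
  if (headerSent && isSecureContext(url)) {
    // Origin = scheme + host + port, so the scheme is already a boundary.
    return { keyedBy: "origin", key: url.origin };
  }
  // Header absent, or ignored because the context is not secure:
  // fall back to the site key (scheme + registrable domain).
  const site = `${url.protocol}//${registrableDomain(url.hostname)}`;
  return { keyedBy: "site", key: site };
}

// Constructed cases covering the combinations raised in the thread.
function demo() {
  return [
    agentClusterKey("https://app.example.com/", true),
    agentClusterKey("https://app.example.com/", false),
    agentClusterKey("http://app.example.com/", true),
  ];
}

console.log(demo());
```

The third case shows the point made in the last reply: sending the header from a non-secure page changes nothing, and its site key still differs from the `https:` site key because the scheme is part of the site.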
