Thanks Ryosuke!

From: Anne van Kesteren <ann...@annevk.nl>
> On Fri, Aug 21, 2020 at 2:41 AM Ryosuke Niwa <rn...@webkit.org> wrote:
>> I feel like I saw some discussions of also differentiating based on
>> protocol (treating http://webkit.org and https://webkit.org
>> differently). Do you know you've already had such a discussion and if
>> so what the outcome of that discussion was?
>
> The scheme is already part of an origin so that is definitely a boundary for
> this feature. However, I guess you're asking about the "normal" website
> security boundary, which is site (roughly scheme + registrable domain, exact
> definition in HTML). Site historically lacked scheme, but that was changed.
> There are still some features (primarily cookies) that compare sites and
> ignore the scheme (this operation is also defined in HTML), but those too
> have proposals to move away from that.

In addition to this, I'll note that the feature is currently specced to only
work on secure contexts; on non-secure contexts the header is ignored. So,
non-secure pages will always end up in the site-keyed agent cluster, i.e.
there is no way to use this header to isolate http://example.com from
http://sub.example.com/ like you can do for the https: counterparts.