Consider redirects when defining same-site #1348

Merged
merged 8 commits into from
Feb 22, 2021
Changes from 6 commits
39 changes: 17 additions & 22 deletions draft-ietf-httpbis-rfc6265bis.md
Expand Up @@ -89,6 +89,13 @@ normative:
ins: D. Denicola
name: Domenic Denicola
organization: Google, Inc.
SAMESITE:
target: https://html.spec.whatwg.org/#same-site
title: HTML - Living Standard
date: 2021-01-26
author:
-
org: WHATWG
SERVICE-WORKERS:
target: http://www.w3.org/TR/service-workers/
title: Service Workers
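Review bot: the new SAMESITE entry (target https://html.spec.whatwg.org/#same-site, date 2021-01-26) points at a living standard, so the date alone does not pin which text of the "same site" definition this draft depends on; since the hunk header shows this block sits under `normative:` and the same-site definition later in this patch now defers to it, consider either a snapshot reference or a sentence in the Terminology section stating that the definition tracks the living standard, so implementers know the dependency is moving.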
Expand Down Expand Up @@ -328,7 +335,7 @@ use an up-to-date public suffix list, such as the one maintained by the Mozilla
project at {{PSL}}.

The term "request", as well as a request's "client", "current url", "method",
and "target browsing context", are defined in {{FETCH}}.
"target browsing context", and "url list", are defined in {{FETCH}}.

# Overview

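Review bot: adding "url list" to the terms imported from {{FETCH}} is required by the redirect condition introduced later in this patch, but the line spells the imported terms "current url" and "url list" in lowercase while the same section speaks of the "target's URI"; consider settling on one spelling (Fetch's own is "current URL" and "URL list") so the terms can be found in {{FETCH}} by name.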
Expand Down Expand Up @@ -939,30 +946,18 @@ following conditions holds:

## "Same-site" and "cross-site" Requests {#same-site-requests}

Two origins, A and B, are considered same-site if the following algorithm
returns true:

1. If A and B are both the same globally unique identifier, return true.

2. If A and B are both scheme/host/port triples:

1. If A's scheme does not equal B's scheme, return false.

2. Let hostA be A's host, and hostB be B's host.

3. If hostA equals hostB and hostA's registrable domain is null, return
true.

4. If hostA's registrable domain equals hostB's registrable domain and is
non-null, return true.
Two origins are same-site if they satisfy the "same site" criteria defined in
{{SAMESITE}}. A request is "same-site" if the following criteria are true:

3. Return false.
1. The request is not the result of a cross-site redirect. That is,
the origin of every url in the request's url list is same-site with the
request's current url's origin.

Note: The port component of the origins is not considered.
2. The target's URI's origin is same-site with the request's client's "site
for cookies" (which is an origin), or if the request has no client or the
request's client is null.

A request is "same-site" if its target's URI's origin is same-site with the
request's client's "site for cookies" (which is an origin), or if the request
has no client. The request is otherwise "cross-site".
The request is otherwise "cross-site".

The request's client's "site for cookies" is calculated depending upon its
client's type, as described in the following subsections:
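Review bot: condition 2 is not a well-formed criterion as written: "The target's URI's origin is same-site with the request's client's "site for cookies" (which is an origin), or if the request has no client or the request's client is null" leaves the no-client branch hanging on "or if" with no predicate, and "has no client" and "client is null" name the same state; suggest "2. The request has no client, or the target's URI's origin is same-site with the request's client's "site for cookies" (which is an origin)." Two further points to confirm in this hunk: before the change a request with no client was same-site unconditionally, whereas now it must also satisfy condition 1 (no cross-site redirect), which is a behavioural change the text should make deliberately; and dropping "Note: The port component of the origins is not considered." relies on the {{SAMESITE}} definition also ignoring ports, which it does, but readers of this draft lose the explicit statement, so consider keeping it as a non-normative note. Lastly, condition 1 compares every URL in the url list against the current URL's origin rather than against the client's site for cookies; that is consistent with condition 2 covering the client side, but a short note that a wholly same-site redirect chain initiated from a cross-site client is still cross-site by condition 2 would prevent misreading.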