Trailing dot when determining same-site-edness for Sec-Fetch-Site #15

Closed
anforowicz opened this issue Feb 20, 2019 · 4 comments · Fixed by web-platform-tests/wpt#16036

Comments

@anforowicz

Should the spec explicitly spell out how to treat the trailing dot in hostnames?

For example, consider

In the example above, what should be the value of Sec-Fetch-Site? cross-site or same-origin?

@mikewest
Member

Trailing dots are dumb. :(

They're separate origins (with distinct storage, etc) in at least Chrome and Firefox, and are distinct origins per the spec. I don't think we should carve out something special in this spec (though we might want to canonicalize in some other spec: see the issue in URL at https://url.spec.whatwg.org/#host-equivalence).

I think we'd actually end up with same-site with the current algorithms, as both some.example.com and some.example.com. would have com as their TLD, and example.com as their registrable domain, so they wouldn't compare as same-origin, but also wouldn't be cross-site.

@mikewest
Member

mikewest commented Mar 23, 2019

I'll add an explicit test to WPT and close this out, given the agreement between browsers and specs. That'll land in web-platform-tests/wpt#16036 (derived from https://chromium-review.googlesource.com/c/chromium/src/+/1536180) once @sleevi explains to me whether Chromium is wrong or I'm wrong about how trailing dots intersect with registrable domains. :)

chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Mar 23, 2019
`example.com` != `example.com.`. They ought to have the same registrable
domain, and therefore compare as `same-site`, rather than `same-origin`.

Addresses w3c/webappsec-fetch-metadata#15.

Bug: 843478
Change-Id: Ic71afeda69f274c23c19608177756d882307a59d
@mikewest
Member

I'm going to land a test marking these as cross-site, as that's the behavior Chrome displays, and I think it's the behavior Firefox would display if it implemented this feature (though I'm kinda guessing by skimming through code in Necko I don't understand!). publicsuffix/list#792 should resolve this one way or the other, and I'll update the tests when it does.

chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Mar 26, 2019
`example.com` != `example.com.`. These are clearly distinct origins,
and we don't currently consider them to have the same registrable
domain (though there's a bit of a question about that. See
publicsuffix/list#792), so they ought
to compare as `cross-site`

This patch adds a test for this behavior, and teaches the test harness
to resolve domains that end in `.test.`.

Closes w3c/webappsec-fetch-metadata#15.

Bug: 843478
Change-Id: Ic71afeda69f274c23c19608177756d882307a59d
chromium-wpt-export-bot pushed a commit to web-platform-tests/wpt that referenced this issue Mar 26, 2019
`example.com` != `example.com.`. These are clearly distinct origins,
and we don't currently consider them to have the same registrable
domain (though there's a bit of a question about that. See
publicsuffix/list#792), so they ought
to compare as `cross-site`

This patch adds a test for this behavior, and teaches the test harness
to resolve domains that end in `.test.`.

Closes w3c/webappsec-fetch-metadata#15.

Bug: 843478
Change-Id: Ic71afeda69f274c23c19608177756d882307a59d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1536180
Commit-Queue: Mike West <[email protected]>
Reviewed-by: Łukasz Anforowicz <[email protected]>
Cr-Commit-Position: refs/heads/master@{#644261}
aarongable pushed a commit to chromium/chromium that referenced this issue Mar 26, 2019
@mikewest
Member

Tests landed, will continue the conversation around the PSL over there. 👉
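
An added example, not part of the thread or of any browser's code: a JavaScript sketch of the two positions discussed above, where `keepDot` (a hypothetical flag) chooses whether a trailing dot survives into the registrable domain. The suffix set is constructed and tiny, and redirects and the `none` value are left out.

```javascript
// Constructed stand-in for the Public Suffix List; real code needs the full list.
const PUBLIC_SUFFIXES = new Set(["com", "test", "co.uk"]);

// Public suffix plus one label, or null when the host has none.
// keepDot (hypothetical flag): true keeps a trailing dot in the result, so
// "example.com." and "example.com" differ; false drops it before comparing.
function registrableDomain(host, keepDot) {
  const dotted = host.endsWith(".");
  const labels = (dotted ? host.slice(0, -1) : host).split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      if (i === 0) return null; // the host is itself a public suffix
      return labels.slice(i - 1).join(".") + (dotted && keepDot ? "." : "");
    }
  }
  return null;
}

// same-origin: identical scheme, host and port. same-site: same scheme and
// either identical hosts or equal, non-null registrable domains.
function secFetchSite(initiator, target, keepDot) {
  const a = new URL(initiator);
  const b = new URL(target);
  if (a.origin === b.origin) return "same-origin";
  const ra = registrableDomain(a.hostname, keepDot);
  const rb = registrableDomain(b.hostname, keepDot);
  const related = a.hostname === b.hostname || (ra !== null && ra === rb);
  return a.protocol === b.protocol && related ? "same-site" : "cross-site";
}

// Constructed pairs, using the hostnames from the discussion.
const from = "https://some.example.com/";
for (const to of ["https://some.example.com/x", "https://other.example.com/",
                  "https://some.example.com./"]) {
  console.log(to, "| dot kept:", secFetchSite(from, to, true),
              "| dot dropped:", secFetchSite(from, to, false));
}
```

With the dot kept, the trailing-dot host comes out as `cross-site`, the value the landed test expects; with it dropped the result is `same-site`, and in neither case `same-origin`.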

moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this issue Apr 23, 2019
…omains with trailing dots., a=testonly

Automatic update from web-platform-tests
Verify `Sec-Fetch-Site` is correct for domains with trailing dots.

`example.com` != `example.com.`. These are clearly distinct origins,
and we don't currently consider them to have the same registrable
domain (though there's a bit of a question about that. See
publicsuffix/list#792), so they ought
to compare as `cross-site`

This patch adds a test for this behavior, and teaches the test harness
to resolve domains that end in `.test.`.

Closes w3c/webappsec-fetch-metadata#15.

Bug: 843478
Change-Id: Ic71afeda69f274c23c19608177756d882307a59d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1536180
Commit-Queue: Mike West <[email protected]>
Reviewed-by: Łukasz Anforowicz <[email protected]>
Cr-Commit-Position: refs/heads/master@{#644261}

--

wpt-commits: 22be9a97638436380f88d871ecefac3f1aebfe53
wpt-pr: 16036
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this issue Apr 24, 2019
mykmelez pushed a commit to mykmelez/gecko that referenced this issue Apr 25, 2019
marcoscaceres pushed a commit to web-platform-tests/wpt that referenced this issue Jul 23, 2019
gecko-dev-updater pushed a commit to marco-c/gecko-dev-comments-removed that referenced this issue Oct 4, 2019
UltraBlame original commit: 0a934b7e89ef947c2709720d115a98691dcb4add
gecko-dev-updater pushed a commit to marco-c/gecko-dev-comments-removed that referenced this issue Oct 4, 2019
UltraBlame original commit: 6ca0a07819aec89c6c7b5bee689fc559ff504b8d
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified that referenced this issue Oct 4, 2019
UltraBlame original commit: 0a934b7e89ef947c2709720d115a98691dcb4add
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified that referenced this issue Oct 4, 2019
UltraBlame original commit: 6ca0a07819aec89c6c7b5bee689fc559ff504b8d
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified-and-comments-removed that referenced this issue Oct 4, 2019
UltraBlame original commit: 0a934b7e89ef947c2709720d115a98691dcb4add
gecko-dev-updater pushed a commit to marco-c/gecko-dev-wordified-and-comments-removed that referenced this issue Oct 4, 2019
UltraBlame original commit: 6ca0a07819aec89c6c7b5bee689fc559ff504b8d