Suborigins

[lidel]

Suborigins are WIP standard that – if implemented by browser vendors – could provide a way to isolate CID-specific paths into their own Origins.

It is an alternative way to solve the Problem of Inability to Control How Origin Is Calculated in Web Browsers (other one being CID-in-subdomain and programmable protocol handler API).

This is a meta-issue to track related work and provide a quick context for newcomers

References

• W3C Suborigins Working Group Repo: https://github.com/w3c/webappsec-suborigins
  • Editor's draft: https://w3c.github.io/webappsec-suborigins/
• ipfs/specs: Feedback for the Suborigin working group
• ipfs/go-ipfs: Ongoing discussion about suborigin header format and gateway
• Support in Web Browsers
  • Firefox
    • https://bugzilla.mozilla.org/show_bug.cgi?id=1231225
    • https://bugzilla.mozilla.org/show_bug.cgi?id=1391251
  • Chromium
    • https://bugs.chromium.org/p/chromium/issues/detail?id=555117
    • https://bugs.chromium.org/p/chromium/issues/detail?id=580320

Notable Events

• 2014-11 public standards discussion announced @ lists.w3.org
• 2015-01 ipfs/go-ipfs Implement per-page suborigins in the gateway
• 2016-09 w3c/webappsec-suborigins: not allowed to start with number/can only start with letters
• 2016-12 ipfs/go-ipfs: gateway: disable Suborigins as it conflicts the spec
• 2017-09 Suborigins mozilla/standards-positions#31 (opened with a note about outstanding issues)
• 2019-11 Suborigins mozilla/standards-positions#31 (comment) (closed due to no work)
• ❓

[lidel]

As noted in ipfs/kubo#3209 (comment) Suborigin value must start with alpha:

LOWERALPHA *( LOWERALPHA / DIGIT )

Revisiting this in context of move to CIDv1 Base32 (https://github.com/ipfs/ipfs/issues/337) we probably should aim at normalizing to cidv1b32:

• Location: https://ipfs.io/ipfs/bafkreigh2akiscaildcqabsyg3dfr6chu3fgpregiymsck7e7aqa4s52zy
• Prefix (ensures LOWERALPHA requirement is fulfilled): ipfs000
• Suborigin: ipfs000bafkreigh2akiscaildcqabsyg3dfr6chu3fgpregiymsck7e7aqa4s52zy

This is only for /ipfs/, as we don't have case-insensitive solution for /ipns/ yet (ipfs/kubo#5287).

[lidel]

I believe it is time to close this to indicate that due to the lack of adoption (mozilla/standards-positions#31 (comment)) it is no longer a viable option for solving Origin isolation problem.

Shifting focus to CID in Subdomains, which work today across all vendors: #89