Potentially insecure sharing of event loops between differing schemes #20887

Closed
@gterzian


In the context of #same-origin-domain and how this relates to the browsing context forming a #unit-of-related-similar-origin-browsing-contexts and being able to share an event loop:

I think our current implementation of Constellation.event_loops might be potentially insecure.

The spec mentions [a browsing context that] has an active document with an origin that, through appropriate manipulation of the document.domain attribute, could be made to be same origin-domain with other members of the group [of directly reachable browsing contexts].

I'm reading this as basically implying that not only the host should be equal, but also the scheme.

So perhaps the current HashMap<Host, Weak<EventLoop>> should use a new kind of key and look more like HashMap<SchemeHost, Weak<EventLoop>> where SchemeHost would be a new struct looking something like:

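```rust
// Map key: scheme and host must both match for an event loop to be shared.
#[derive(Clone, Debug, Eq, Hash, PartialEq)]
struct SchemeHost {
    scheme: String,
    host: String,
}
```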

This is perhaps something that only comes into play with auxiliary browsing contexts, and I'm probably going to end up addressing this as part of #20678, yet I thought it was worthwhile discussing it separately...
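
The concern above as an added example (not part of the original issue and not Servo's code): one registry with the map shape from the issue, keyed first by host alone and then by scheme and host, showing that only the host-only key puts `http` and `https` documents for the same host on one event loop. The `EventLoop` stand-in, `Registry` and `http_and_https_share` are hypothetical names, and `example.com` is a constructed sample host.

```rust
use std::collections::HashMap;
use std::hash::Hash;
use std::rc::{Rc, Weak};

// Stand-in for an event loop; a hypothetical type, not Servo's EventLoop.
struct EventLoop { id: usize }

#[derive(Clone, Debug, Eq, Hash, PartialEq)]
struct SchemeHost { scheme: String, host: String }

impl SchemeHost {
    // Schemes and hosts compare ASCII case-insensitively, so normalise before keying.
    fn new(scheme: &str, host: &str) -> Self {
        SchemeHost { scheme: scheme.to_ascii_lowercase(), host: host.to_ascii_lowercase() }
    }
}

// Hypothetical registry with the map shape from the issue, generic over the key type.
struct Registry<K> { loops: HashMap<K, Weak<EventLoop>>, created: usize }

impl<K: Eq + Hash> Registry<K> {
    fn new() -> Self { Registry { loops: HashMap::new(), created: 0 } }

    // Reuse the live event loop stored under `key`; create one if none is alive.
    fn get_or_create(&mut self, key: K) -> Rc<EventLoop> {
        if let Some(live) = self.loops.get(&key).and_then(Weak::upgrade) {
            return live;
        }
        self.created += 1;
        let fresh = Rc::new(EventLoop { id: self.created });
        self.loops.insert(key, Rc::downgrade(&fresh)); // also replaces a dead Weak
        fresh
    }
}

// True when documents from http://host and https://host land on one event loop.
fn http_and_https_share<K: Eq + Hash>(key_of: impl Fn(&str, &str) -> K, host: &str) -> bool {
    let mut reg = Registry::new();
    let a = reg.get_or_create(key_of("http", host));
    let b = reg.get_or_create(key_of("https", host));
    Rc::ptr_eq(&a, &b)
}

fn main() {
    // Constructed sample host; the first key ignores the scheme, as a host-only map does.
    println!("host-only key shares: {}", http_and_https_share(|_, h| h.to_string(), "example.com"));
    println!("scheme+host key shares: {}", http_and_https_share(SchemeHost::new, "example.com"));
}
```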
