Assert same-origin for registration matching #1138
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This patch adds an assertion in the Match Service Worker Registration that the given URL and the matched URL are the same origin. This also adds a note that the URL serializer serializes the URLs with a trailing slash at the end of the origin part of the URLs. Fixes #1118.
|
@annevk, could you review? |
annevk
approved these changes
May 12, 2017
docs/index.bs
Outdated
| @@ -3345,10 +3345,12 @@ spec: webappsec-referrer-policy; urlPrefix: https://w3c.github.io/webappsec-refe | |||
| 1. Let |scopeStringSet| be the result of [=map/get the keys|getting the keys=] from <a>scope to registration map</a>. | |||
| 1. Set |matchingScopeString| to the longest value in |scopeStringSet| which the value of |clientURLString| starts with, if it exists. | |||
|
|
|||
| Note: The URL string matching in this step is prefix-based rather than path-structural (e.g. a client URL string with "/prefix-of/resource.html" will match a registration for a scope with "/prefix"). | |||
| Note: The URL string matching in this step is prefix-based rather than path-structural. E.g. a client URL string with "https://example.com/prefix-of/resource.html" will match a registration for a scope with "https://example.com/prefix". The URL string comparison is safe for the same-origin security as the URLs are serialized with a trailing slash at the end of the origin part of the URLs. | |||
There was a problem hiding this comment.
as HTTP(S) URLs are always serialized*
docs/index.bs
Outdated
| 1. If |matchingScopeString| is not the empty string, set |matchingScope| to the result of <a lt="URL parser">parsing</a> |matchingScopeString|. | ||
| 1. If |matchingScopeString| is not the empty string, then: | ||
| 1. Set |matchingScope| to the result of <a lt="URL parser">parsing</a> |matchingScopeString|. | ||
| 1. Assert: |matchingScope|'s [=url/origin=] and |clientURL|'s [=url/origin=] are the [=same origin=]. |
|
@annevk, thanks for reviewing! |
|
So I didn't mean that you should remove the end of the sentence... The bit about slashes and origins was still useful. |
|
I don't think the sentence makes much sense as-is. |
|
Oh.. so you meant something like the following?
|
|
Yeah, that looks better. |
|
(For next time, ask for review again. Happy to do it.) |
|
Okay. Will do. Thanks! |
|
Addressed: 46b5d67. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This patch adds an assertion in the Match Service Worker Registration
that the given URL and the matched URL are the same origin. This also
adds a note that the URL serializer serializes the URLs with a trailing
slash at the end of the origin part of the URLs.
Fixes #1118.