w3c · arichiv · Aug 17, 2022 · Aug 29, 2022 · Aug 29, 2022 · Aug 29, 2022
diff --git a/index.bs b/index.bs
@@ -13,7 +13,6 @@ Markup Shorthands: css no, markdown yes
 </pre>
 <pre class="link-defaults">
 spec:dom; type:interface; for:/; text:Document
-spec:html; type:dfn; for:/; text:origin
 spec:fetch; type:dfn; for:Response; text:response
 spec:html; type:dfn; for:/; text:browsing context
 spec:html; type:element; text:script
@@ -129,6 +128,27 @@ spec: HEADER-STRUCTURE; urlPrefix: https://httpwg.org/http-extensions/draft-ietf
     those frames hosting content from http://example.com or SecureCorp itself
     will actually be granted the ability to use that API.</p>
   </div>
+  <div class="example">
+    <p>SecureCorp Inc. restructured its domains and now needs to needs to delegate
+    use of the Geolocation API to its origin ("<code>https://example.com</code>")
+    as well as three subdomains ("<code>https://geo.example.com</code>",
+    "<code>https://geo2.example.com</code>", and "<code>https://new.geo2.example.com</code>").
+    This needs to be accomplished while still disabling the use of the Geolocation API
+    within all other browsing contexts. It can do this by delivering the following HTTP response header:</p>
+    <pre>
+      <a http-header>Permissions-Policy</a>: geolocation=(self "https://example.com" "https://geo.example.com" "https://geo2.example.com" "https://new.geo2.example.com")
+    </pre>
+    <p>This works, but if SecureCorp Inc. feels safe delegating to any subdomains on
+    "<code>https://example.com</code>" the HTTP response header could instead be:</p>
+    <pre>
+      <a http-header>Permissions-Policy</a>: geolocation=(self "https://example.com" "https://*.example.com")
+    </pre>
+    <p>Not only would the above header permit "<code>https://geo.example.com</code>",
+    "<code>https://geo2.example.com</code>", and "<code>https://new.geo2.example.com</code>"
+    to use the Geolocation API, but any other subdomains of "<code>https://example.com</code>"
+    could use it too. Note that "<code>https://example.com</code>" is not covered by the 
+    <a>allowlist</a> entry "<code>https://*.example.com</code>" and must also be added.</p>
+  </div>
 </section>
 <section>
   <h2 id="other-and-related-mechanisms">Other and related mechanisms</h2>
@@ -297,8 +317,28 @@ spec: HEADER-STRUCTURE; urlPrefix: https://httpwg.org/http-extensions/draft-ietf
       then return true.</li>
       <li>Otherwise, for each <var>item</var> in the <a>allowlist</a>:
         <ol>
-          <li>If <var>item</var> is [=same origin-domain=] with
-          <var>origin</var>, then return true.</li>
+          <li>If <var>item</var> is a <a>serialized-origin</a> that's [=same origin-domain=] 
+          with <var>origin</var>, then return true.</li>
+          <li>Else if <var>item</var> is a <a>serialized-origin-with-wildcard-subdomain</a>
+          then:</li>
+          <ol>
+            <li>If the <var>tuple origin</var> has a <a>host</a> with a null <a>registrable domain</a>
+            return false.<li>
+            <li>Set <var>originWithoutWildcard</var> to be equal to <var>item</var> with the sequence
+            of <a>code points</a> "*." removed at the start of the <a>host</a>.</li>
+            <li>If <var>originWithoutWildcard</var> is [=same origin-domain=] </li> with
+            <var>origin</var>, then return false.</li>
+            <li>Set <var>originCandidate</var> to be equal to <var>origin</var> with the sequence
+            of <a>code points</a> in the <a>host</a> from the start up to and including the first "." removed.</li>
+            <li>While <var>originCandidate</var> has a <a>host</a> with a non-nill <a>registrable domain</a>:</li>
+            <ol>
+              <li>If <var>originWithoutWildcard</var> is [=same origin-domain=] </li> with
+              <var>originCandidate</var>, then return true.</li>
+              <li>Set <var>originCandidate</var> to be equal to <var>originCandidate</var> with the sequence
+              of <a>code points</a> in the <a>host</a> from the start up to and including the first "." removed.</li>
+            </ol>
+            <li>return false.</li>
+          </ol>
         </ol>
       </li>
       <li>return false.</li>
@@ -338,13 +378,16 @@ spec: HEADER-STRUCTURE; urlPrefix: https://httpwg.org/http-extensions/draft-ietf
       <dfn>serialized-policy-directive</dfn> = <a>feature-identifier</a> RWS <a>allow-list</a>
       <dfn>feature-identifier</dfn> = 1*( ALPHA / DIGIT / "-")
       <dfn>allow-list</dfn> = <a>allow-list-value</a> *(RWS <a>allow-list-value</a>)
-      <dfn>allow-list-value</dfn> = <a>serialized-origin</a> / "*" / "'self'" / "'src'" / "'none'"
+      <dfn>allow-list-value</dfn> = <a>serialized-origin</a> / <a>serialized-origin-with-wildcard-subdomain</a> / "*" / "'self'" / "'src'" / "'none'"
     </pre>
     <p><dfn><code>serialized-origin</code></dfn> is the
     <a>serialization of an origin</a>. However, the code points U+0027 ('),
     U+0021 (*), U+002C (,) and U+003B (;) MUST NOT appear in the serialization.
     If they are required, they must be percent-encoded as "`%27`", "`%2A`",
     "`%2C`" or "`%3B`", respectively.</p>
+    <p><dfn><code>serialized-origin-with-wildcard-subdomain</code></dfn> is a serialization of a
+    <a>tuple origin</a> whose <a>tuple</a>'s <a>host</a> is a <a>domain</a>, has a non-null
+    <a>registrable domain</a>, and is <a>prefixed</a> by the string "*.".</p>
     <div class="note">
       The string "<code>'self'</code>" may be used as an origin in an allowlist.
       When it is used in this way, it will refer to the origin of the document