Define (schemelessly) same site for origins

Helps with whatwg/url#448.
whatwg · Nov 19, 2019 · d014949 · d014949
1 parent 37af7d9
commit d014949
Showing 1 changed file with 104 additions and 1 deletion.
diff --git a/source b/source
@@ -2638,7 +2638,6 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
     <ul class="brief">
      <li><dfn data-x="concept-host" data-x-href="https://url.spec.whatwg.org/#concept-host">host</dfn></li>
      <li><dfn data-x-href="https://url.spec.whatwg.org/#host-public-suffix">public suffix</dfn></li>
-     <li><dfn data-x-href="https://url.spec.whatwg.org/#host-same-site">same site</dfn></li>
      <li><dfn data-x="concept-domain" data-x-href="https://url.spec.whatwg.org/#concept-domain">domain</dfn></li>
      <li><dfn data-x-href="https://url.spec.whatwg.org/#concept-ipv4">IPv4 address</dfn></li>
      <li><dfn data-x-href="https://url.spec.whatwg.org/#concept-ipv6">IPv6 address</dfn></li>
@@ -81277,6 +81276,110 @@ interface <dfn>BarProp</dfn> {
    </table>
   </div>
 
+  <p>Two <span data-x="origin">origins</span>, <var>A</var> and <var>B</var>, are said to be <dfn
+  data-export="">schemelessly same site</dfn> if the following algorithm returns true:</p>
+
+  <ol>
+   <li><p>If <var>A</var> and <var>B</var> are the same <span data-x="concept-origin-opaque">opaque
+   origin</span>, then return true.</p></li>
+
+   <li>
+    <p>If <var>A</var> and <var>B</var> are both <span data-x="concept-origin-tuple">tuple
+    origins</span>, then:</p>
+
+    <ol>
+     <li><p>Let <var>hostA</var> be <var>A</var>'s <span
+     data-x="concept-origin-host">host</span>, and let <var>hostB</var> be <var>B</var>'s <span
+     data-x="concept-origin-host">host</span>.</p></li>
+
+     <li><p>If <var>hostA</var> <span data-x="host equals">equal</span> <var>hostB</var>, and
+     <var>hostA</var>'s <span>registrable domain</span> is non-null, then return true.</p></li>
+
+     <li><p>If <var>hostA</var>'s <span>registrable domain</span> equals <var>hostB</var>'s
+     <span>registrable domain</span> and is non-null, then return true.</p></li>
+    </ol>
+   </li>
+
+   <li><p>Return false.</p></li>
+  </ol>
+
+  <p>Two <span data-x="origin">origins</span>, <var>A</var> and <var>B</var>, are said to be <dfn
+  data-export="">same site</dfn> if both of the following statements are true:</p>
+
+  <ul>
+   <li><p><var>A</var> and <var>B</var> are <span>schemelessly same site</span></p></li>
+
+   <li><p><var>A</var> and <var>B</var> are either both <span data-x="concept-origin-opaque">opaque
+   origins</span>, or both <span data-x="concept-origin-tuple">tuple origins</span> with the same
+   <span data-x="concept-origin-scheme">scheme</span></p></li>
+  </ul>
+
+  <p class="note">Unlike the <span>same origin</span> and <span>same origin-domain</span> concepts,
+  for <span>schemelessly same site</span> and <span>same site</span>, the <span
+  data-x="concept-origin-port">port</span> and <span data-x="concept-origin-domain">domain</span>
+  components are ignored.</p>
+
+  <p class="warning">For the reasons <a
+  href="https://url.spec.whatwg.org/#warning-avoid-psl">explained in <cite>URL</cite></a>, the
+  <span>same site</span> and <span>schemelessly same site</span> concepts should be avoided when
+  possible, in favor of <span>same origin</span> checks.</p>
+
+  <div class="example" id="example-same-site">
+   <p>Assuming that <code data-x="">suffix.example</code> is a <span>public suffix</span> and that
+   <code data-x="">example.com</code> is not:</p>
+
+   <table>
+    <tr>
+     <th><var>A</var>
+     <th><var>B</var>
+     <th><span>schemelessly same site</span>
+     <th><span>same site</span>
+    <tr>
+     <td>("<code data-x="">https</code>", "<code data-x="">example.com</code>")
+     <td>("<code data-x="">https</code>", "<code data-x="">sub.example.com</code>")
+     <td>✅
+     <td>✅
+    <tr>
+     <td>("<code data-x="">https</code>", "<code data-x="">example.com</code>")
+     <td>("<code data-x="">https</code>", "<code data-x="">sub.other.example.com</code>")
+     <td>✅
+     <td>✅
+    <tr>
+     <td>("<code data-x="">https</code>", "<code data-x="">example.com</code>")
+     <td>("<code data-x="">http</code>", "<code data-x="">non-secure.example.com</code>")
+     <td>✅
+     <td>❌
+    <tr>
+     <td>("<code data-x="">https</code>", "<code data-x="">r.suffix.example</code>")
+     <td>("<code data-x="">https</code>", "<code data-x="">sub.r.suffix.example</code>")
+     <td>✅
+     <td>✅
+    <tr>
+     <td>("<code data-x="">https</code>", "<code data-x="">r.suffix.example</code>")
+     <td>("<code data-x="">https</code>", "<code data-x="">sub.other.r.suffix.example</code>")
+     <td>✅
+     <td>✅
+    <tr>
+     <td>("<code data-x="">https</code>", "<code data-x="">r.suffix.example</code>")
+     <td>("<code data-x="">https</code>", "<code data-x="">other.suffix.example</code>")
+     <td>❌
+     <td>❌
+    <tr>
+     <td>("<code data-x="">https</code>", "<code data-x="">r.suffix.example</code>")
+     <td>("<code data-x="">https</code>", "<code data-x="">suffix.example</code>")
+     <td>❌
+     <td>❌
+    <tr>
+     <td>("<code data-x="">https</code>", "<code data-x="">suffix.example</code>")
+     <td>("<code data-x="">https</code>", "<code data-x="">suffix.example</code>")
+     <td>❌
+     <td>❌
+   </table>
+
+   <p>(Here we have omitted the <span data-x="concept-origin-port">port</span> and <span
+   data-x="concept-origin-domain">domain</span> components since they are not considered.)</p>
+  </div>
+
   </div>