Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Treat http://foo.com -> https://foo.com requests as Sec-Fetch-Site: cross-site. #34

Closed
anforowicz opened this issue Jun 28, 2019 · 4 comments
Closed

Treat http://foo.com -> https://foo.com requests as Sec-Fetch-Site: cross-site. #34

anforowicz opened this issue Jun 28, 2019 · 4 comments

Comments

@anforowicz
Copy link

This is a follow-up for https://crbug.com/979257. Could you please update the spec to change how it determines whether to use the cross-site value for the Sec-Fetch-Site header? Currently the spec only says:

If r’s origin's registrable domain is not the same as url’s registrable domain, set header’s value to cross-site and break.

I think it also needs to consider schemes.
@mikewest
Copy link
Member

mikewest commented Sep 3, 2019

Chrome's made this change, and it seems quite reasonable to me. I'll update the spec.

In fact, I wonder if we can/should change this more generally for URL's "same site" definition, as it's something we run into in ~all the "same-site" checks we're introducing these days.

In fact, SameSite cookies might be the only place where we're not doing this kind of check. We made that decision because we wanted people to be able to upgrade their sites to HTTPS piecemeal, starting with their authentication systems, then spreading throughout the site. Perhaps we've reached enough of an inflection point with that migration that we can tighten the restriction generally.

WDYT, @annevk?

mikewest added a commit that referenced this issue Sep 3, 2019
@mikewest
Scheme mismatch => cross-site.
4316583 
Addresses #34
@annevk
Copy link
Member

annevk commented Sep 4, 2019

I'm supportive. We could have schemeless same site or some such for the variant that only takes hosts. https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check also needs schemeless btw, even though it ends up checking the scheme a bit.

@mikewest mikewest mentioned this issue Sep 11, 2019
Closed
@mikewest
Copy link
Member

Closing this out, as it's fixed in 4316583.

Moving the broader discussion to whatwg/url#448.

@annevk
Copy link
Member

annevk commented Sep 11, 2019

I filed #41 as a follow-up.

@aszx87410 aszx87410 mentioned this issue Jan 20, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mikewest @annevk @anforowicz