This repository has been archived by the owner on Dec 12, 2020. It is now read-only.

Cookies / WebAuthn #12

Closed
annevk opened this issue Jan 16, 2020 · 2 comments · Fixed by #14

Comments


annevk commented Jan 16, 2020

I'm not entirely sure what this would look like, but I'd like it to be considered to some extent. Should this affect (or have a mode that affects) all things that go across the origin boundary?

Collaborator

domenic commented Jan 16, 2020

Interesting. This seems vaguely related to this doc I just saw on the Chromium Storage Isolation project, i.e. "double key all the things". In particular the doc says

> The NIK will initially consist of first party scheme and eTLD+1 and scheme and eTLD+1 of the innermost frame associated with a browsing context. We hope to be able to switch this to origin in the future.

and maybe this sort of mechanism would be a way to opt in to that. Although I guess the hope is that we could do so without an opt-in, eventually.

I think you're probably proposing something a bit different though, which is for even top-level pages with only one context involved, a way to origin-scope your storage instead of site-scope it.

Are there any web properties that would be interested in this sort of thing? I guess in the future it could allow new hosting services (glitch, github pages, etc.) to spring up without relying on the public suffix list, which would be neato.

/cc @sleevi @MattMenke2

Collaborator

domenic commented Feb 25, 2020

I found https://wicg.github.io/isolation/explainer.html, a 2016 document by @estark37, @mikewest, and @metromoxie, that covers similar areas. (And was posted to WICG under the name "origin isolation", heh.) I think the README definitely needs some updates to discuss these related issues, and potential areas for future expansion, although I do believe that narrowly focusing on the agent cluster scoping for "v1" is a good path.

I'll try to work on such a PR.
