Change Origin-Agent-Cluster HTTP header default #7617

Open
wants to merge 2 commits into
base: main

@otherdaniel otherdaniel commented Feb 14, 2022

This changes the default behaviour for the Origin-Agent-Cluster header
from false to true. That is, an absent header was equivalent to false
(?0) and is now equivalent to true (?1).

WPT test: web-platform-tests/wpt#32819

Implementer interest:


/acknowledgements.html ( diff )
/browsing-the-web.html ( diff )
/origin.html ( diff )
/webappapis.html ( diff )

@annevk annevk added the "do not merge yet" label (Pull request must not be merged per rationale in comment) Feb 15, 2022

@annevk annevk left a comment

Looks good! You'll need to make your membership of the googlers GitHub organization public.

I suggest we merge this after it has successfully shipped and stuck for a month or so.

domenic commented Feb 15, 2022

I think we need more updates, mostly to the non-normative introductory text. E.g. https://whatpr.org/html/7617/origin.html#origin-keyed-agent-clusters says

> A Document delivered over a secure context can request that it be placed in an origin-keyed agent cluster, by using the Origin-Agent-Cluster HTTP response header.

but it should probably say something like "By default, a Document is in an origin-keyed agent cluster. The Origin-Agent-Cluster header can be used to opt out of this behavior and become site-keyed."

Similarly, with the paragraph starting "The consequences of using this header are that the resulting Document's agent cluster key is its origin..."

annevk commented Feb 15, 2022

That's a good point. We also want to move/adjust this document.domain warning to instead cover this feature:

> Avoid using the document.domain setter. It undermines the security protections provided by the same-origin policy. This is especially acute when using shared hosting; for example, if an untrusted third party is able to host an HTTP server at the same IP address but on a different port, then the same-origin protection that normally protects two different sites on the same host will fail, as the ports are ignored when comparing origins after the document.domain setter has been used.
>
> Because of these security pitfalls, this feature is in the process of being removed from the web platform. (This is a long process that takes many years.)
>
> Instead, use postMessage() or MessageChannel objects to communicate across origins in a safe manner.

Minor adjustments in "Integration with the JavaScript agent formalism" might be welcome as well, although I think the existing text could work.
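
An added example, not part of this pull request or of the HTML Standard's text: a small model of the default change described in this thread, showing which responses end up keyed differently once an absent `Origin-Agent-Cluster` header means `?1` instead of `?0`. The function names, the sample URLs, the simplified structured-field parsing and the handling of unusable values as absent are assumptions; the model also leaves out the secure-context condition mentioned in the quoted spec text.

```javascript
// Added example: models how an Origin-Agent-Cluster response header value
// maps to agent cluster keying before and after the default change.

// Returns true for ?1, false for ?0, and null when the header is absent or
// is not a structured-field boolean item. Simplified (assumption): optional
// ";param" parts are accepted but not validated, and any comma (for example
// two header lines joined by ", ") makes the value unusable.
function parseOriginAgentCluster(raw) {
  if (raw === undefined || raw === null) return null;
  const m = /^ *\?([01])(;[^,]*)? *$/.exec(raw);
  return m ? m[1] === "1" : null;
}

// defaultOriginKeyed = false models the old default (absent means ?0),
// true models the new default (absent means ?1). Assumption: an unusable
// value is handled like an absent header.
function agentClusterKeying(raw, defaultOriginKeyed) {
  const parsed = parseOriginAgentCluster(raw);
  const originKeyed = parsed === null ? defaultOriginKeyed : parsed;
  return originKeyed ? "origin" : "site";
}

// Lists the responses whose keying differs between the two defaults, i.e.
// the pages that would need an explicit ?0 to stay site-keyed.
function changedByNewDefault(responses) {
  return responses
    .filter((r) => agentClusterKeying(r.header, false) !==
                   agentClusterKeying(r.header, true))
    .map((r) => r.url);
}

// Constructed sample responses (hypothetical URLs and header values).
const sampleResponses = [
  { url: "https://a.example.test/", header: undefined },
  { url: "https://b.example.test/", header: "?0" },
  { url: "https://c.example.test/", header: "?1" },
  { url: "https://d.example.test/", header: "true" },
  { url: "https://e.example.test/", header: "?1, ?0" },
  { url: "https://f.example.test/", header: " ?0;note=legacy " },
];

console.log(changedByNewDefault(sampleResponses));
```

Only responses that send an explicit, well-formed `?0` or `?1` keep the same keying under both defaults in this model.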
