Same “origin”: same scheme, host, and port
https://example.com/foo + https://example.com/bar
https://example.com/ + https://sub.example.com/
Same “site”: same registrable domain
requires a lookup in https://publicsuffix.org/list/
https://foo.example.com/ + https://bar.example.com/
https://foo.github.io/ + https://bar.github.io/
Specs:
- same origin: https://html.spec.whatwg.org/multipage/origin.html#same-origin …
- same site: https://url.spec.whatwg.org/#host-same-site
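An added example, not part of the original thread: both comparisons in JavaScript, run over the four URL pairs from the tweets above. `PUBLIC_SUFFIXES` is a small constructed stand-in for the Public Suffix List, and the function names are assumptions.

```javascript
// Constructed subset of https://publicsuffix.org/list/ (assumption: the real
// list is far larger and has wildcard/exception rules not implemented here).
const PUBLIC_SUFFIXES = new Set(["com", "io", "github.io", "co.uk"]);

// Same origin: identical scheme, host and port. URL.origin serializes all
// three and drops default ports, so https://example.com:443 equals https://example.com.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Registrable domain: the longest matching public suffix plus one more label.
// Returns null for IP addresses and for hosts that are themselves a suffix.
function registrableDomain(host) {
  if (/^[\d.]+$|:/.test(host)) return null; // IPv4 or bracketed IPv6 literal
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  let i = 0; // index of the first label of the public suffix
  while (i < labels.length - 1 && !PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
    i++; // falls through to the last label when no rule matches (default "*")
  }
  return i === 0 ? null : labels.slice(i - 1).join(".");
}

// Same site (host comparison): equal non-null registrable domains, or
// identical hosts when the first host has no registrable domain.
function sameSite(a, b) {
  const hostA = new URL(a).hostname;
  const hostB = new URL(b).hostname;
  const regA = registrableDomain(hostA);
  if (regA === null) return hostA === hostB;
  return regA === registrableDomain(hostB);
}

// The four pairs from the thread.
const PAIRS = [
  ["https://example.com/foo", "https://example.com/bar"],   // same origin
  ["https://example.com/", "https://sub.example.com/"],     // hosts differ
  ["https://foo.example.com/", "https://bar.example.com/"], // both example.com
  ["https://foo.github.io/", "https://bar.github.io/"],     // github.io is a suffix
];
for (const [a, b] of PAIRS) {
  console.log(`${a} + ${b}: sameOrigin=${sameOrigin(a, b)} sameSite=${sameSite(a, b)}`);
}
```

Because `github.io` is itself a public suffix, each `*.github.io` host is its own registrable domain, which is why the lookup in the list cannot be replaced by "last two labels".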
It’s 1 in the morning. I look forward to disagreeing with you both later today. :) I’d also welcome bikeshedding, though I’d note that several browsers are now shipping SameSite with similar semantics…
(sleep well :)
Why? Is WHATWG trying to spec out some kind of same-site-policy?
Some APIs were already limited to same-site, this is just finally specifying what exactly same-site means AFAIK.
Crediting me is somewhat disingenuous, since @annevk worked with me on the patch.
That’s not going to confuse ANYbody. Why not “domain”? Still not precise, but a lot closer.