Difference between revisions of "Browser Origin Policy"

Revision as of 16:16, 26 May 2022

Browser Origin Policies are used to determine which data and control flows are allowed based on the URL of the page.

Origin Policies were initiated to prevent tracking of users from one site to another.

Cookies stored on the user browser space are the typical means of moving data from one website to another, typically using Cross-Origin iFrames.
Note that prior to 2022 javascript could read any cookie.
Schemeful Same-Site overcomes a limitation on SemeSite Cookie not looking at the scheme. Explainer is at https://github.com/sbingler/schemeful-same-site
Origin-Bound Cookies Explainer https://github.com/sbingler/Origin-Bound-Cookies
- In 2022 over 95% of traffic is over HTTPS, which highlights some problems with cookies as they’re one of the few web platform components that do not respect the origin of their connection:
- Binds cookies to their setting origin (by default) such that they're only accessible by that origin. I.e., sent on a request or visible through `document.cookie`
- Link to entry on the Chrome Platform Status https://chromestatus.com/feature/4945698250293248
- To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra8xjbL9kh3pV9u7YfXm0t4NzrUANr-tu1g23sdmQrU1zA%40mail.gmail.com.

@@ Line 6: / Line 6: @@
 ==Cookies==
 * Cookies stored on the user browser space are the typical means of moving data from one website to another, typically using [[Cross-Origin iFrame]]s.
+* Note that prior to 2022 javascript could read any cookie.
 * Schemeful Same-Site overcomes a limitation on [https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-05#section-8.8 SemeSite Cookie] not looking at the scheme. Explainer is at https://github.com/sbingler/schemeful-same-site
 * Origin-Bound Cookies Explainer https://github.com/sbingler/Origin-Bound-Cookies