Difference between revisions of "Browser Origin Policy"

Revision as of 15:59, 26 May 2022

Browser Origin Policies are used to determine which data and control flows are allowed based on the URL of the page.

Origin Policies were initiated to prevent tracking of users from one site to another.
Origin and site are confused in many documents. An attempt at a taxonomy explaining the differences can be seen at the wiki page Cross-Origin iFrame.

Cookies stored on the user browser space are the typical means of moving data from one website to another, typically using Cross-Origin iFrames.
Note that prior to 2022 javascript could read any cookie.
Schemeful Same-Site overcomes a limitation on SemeSite Cookie not looking at the scheme. Explainer is at https://github.com/sbingler/schemeful-same-site
Origin-Bound Cookies Explainer https://github.com/sbingler/Origin-Bound-Cookies
- In 2022 over 95% of traffic is over HTTPS, which highlights some problems with cookies as they’re one of the few web platform components that do not respect the origin of their connection:
- Binds cookies to their setting origin (by default) such that they're only accessible by that origin. I.e., sent on a request or visible through `document.cookie`
- Link to entry on the Chrome Platform Status https://chromestatus.com/feature/4945698250293248
- To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra8xjbL9kh3pV9u7YfXm0t4NzrUANr-tu1g23sdmQrU1zA%40mail.gmail.com.

@@ Line 4: / Line 4: @@
 ==Context==
 * Origin Policies were initiated to prevent tracking of users from one site to another.
+* Origin and site are confused in many documents.  An attempt at a taxonomy explaining the differences can be seen at the wiki page [[Cross-Origin iFrame]].
 ==Cookies==
 * Cookies stored on the user browser space are the typical means of moving data from one website to another, typically using [[Cross-Origin iFrame]]s.