Browser Origin Policy
Full Title or Meme
Browser Origin Policies are used to determine which data and control flows are allowed based on the URL of the page.
- Origin Policies were initiated to prevent tracking of users from one site to another.
- Origin and site are confused in many documents. An attempt at a taxonomy explaining the differences can be seen at the wiki page Cross-Origin iFrame.
- Cookies stored on the user browser space are the typical means of moving data from one website to another, typically using Cross-Origin iFrames.
- Schemeful Same-Site overcomes a limitation on SemeSite Cookie not looking at the scheme. Explainer is at https://github.com/sbingler/schemeful-same-site
- Origin-Bound Cookies Explainer https://github.com/sbingler/Origin-Bound-Cookies
- In 2022 over 95% of traffic is over HTTPS, which highlights some problems with cookies as they’re one of the few web platform components that do not respect the origin of their connection:
- Binds cookies to their setting origin (by default) such that they're only accessible by that origin. I.e., sent on a request or visible through `document.cookie`
- Link to entry on the Chrome Platform Status https://chromestatus.com/feature/4945698250293248
- To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra8xjbL9kh3pV9u7YfXm0t4NzrUANr-tu1g23sdmQrU1zA%40mail.gmail.com.