Incubation: An `Origin` Object

[mikewest]

Explainer

https://github.com/mikewest/origin-api/

The explainer

• Includes the information requested by the Explainer Explainer.
• Follows the Web Platform Design Principles.
• Includes or links to answers to the Security/Privacy Questionnaire.
• Describes user research you did to validate the problem and/or design.

Where and by whom is the work is being done?

• GitHub repo: https://github.com/mikewest/origin-api/
• Primary contacts:
  • @mikewest, Google, Chrome
• Organization/project driving the design: Chrome.
• This work is being funded by: Google.
• Incubation and standards groups that have discussed the design:
  • Nada.
• Standards group(s) that you expect to discuss and/or adopt this work when it's
  ready: HTML @ WHATWG

Feedback so far

• Multi-stakeholder feedback:
  • Chromium comments: I like it. @domenic didn't hate it.
  • Mozilla comments: An Origin Object mozilla/standards-positions#1280
  • WebKit comments: An Origin Object WebKit/standards-positions#538
  • Some conversation around Consider some more narrow _origin_ matching mechanism? whatwg/urlpattern#275
• Major unresolved issues with or opposition to this design:
  • @annevk noted in the URLPattern thread linked directly above that the specific case of postMessage() validation could be satisfied with a narrower matching API that encouraged developers to think about more than the origin, which is a reasonable suggestion.

You should also know that...

• There's some relationship to @annevk's Expose a URLHost class to JavaScript whatwg/url#288, though I think that aims to solve a distinct problem.

• This would be, I think, the first place we'd directly expose the "same-site" concept in a way that enabled comparison.

• This proposal derives a "site" from an origin (a la HTML's "obtain a site" and "same site" definitions), and exposes it as a property of that concept. It could also be reasonable to expose it through the aforementioned URLHost proposal, or more directly on a URL. IMO, none of those are mutually exclusive, and I can see reasonable arguments for several of them (URLHost, for instance, seems particularly well-suited to explain the "schemelessly same site" concept,

---

Track conversations at https://tag-github-bot.w3.org/gh/w3ctag/design-reviews/1130