The intervention allows scripts hosted on subdomains (e.g. js.example.com inserted via doc.write on www.example.com).
We should update the warning to say "cross site (i.e. different eTLD+1)" instead of "cross origin".
Context: https://github.com/WICG/interventions/issues/17#issuecomment-255914571
Surfacing into the launch bug but marking as P3 because this is a hint for developers: it would be nice to merge if we can but having it in canary/dev would be a decent state.
As I commented on the intent to implement, can we make the use of this terminology mean the same thing across Chromium?
Currently, the intervention only takes into account etld + 1, which does not match the term "cross site" as used elsewhere in Chromium (which is etld + 1 *and* scheme).
I assume that etld+1 and scheme is what "cross-site" means in spec land.
So, +1 to align on the same definition.
Would it be possible to record a UMA for the following:
- Same-site mitigation:
  - bucket for (same etld+1, any scheme)
  - bucket for (same etld+1, same scheme)
I'm hoping that (same etld+1, same scheme) isn't significantly different from what we've currently implemented.
Since an http script from an https document is not allowed, the only scenario we are left with is loading an https script from an http document with the same etld+1.
There could be arguments to go either way: being consistent with the spec and blocking such a script, or not blocking it, because the reason we decided not to block such scripts is to reduce breakage.
Bryan and I discussed it and think that the first step could be to add a counter to count the number of pages which have script(s) that are not blocked because of same etld+1 (but have different scheme). If the number is really low we could switch the logic to be consistent with the spec. If the number is high, on the other hand, we might want to stay with the current logic.
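The two definitions of "same-site" argued over above (etld+1 only, versus etld+1 plus scheme), the mixed-content case that never reaches the intervention, and the proposed per-page counter, worked through as an added example. This is not Chromium code and not from anyone in this thread; the public-suffix list is a small constructed subset standing in for the real PSL, and hosts are assumed to be DNS names rather than IP literals.

```javascript
// Added example (not Chromium code). PUBLIC_SUFFIXES is a constructed subset
// of the public suffix list (assumption); the real intervention consults the
// full PSL. Hosts are assumed to be DNS names, not IP literals.
const PUBLIC_SUFFIXES = new Set(['com', 'org', 'co.uk', 'github.io']);

// eTLD+1 (registrable domain): the longest public suffix in the host plus the
// one label before it. A host with no known suffix is treated as its own site.
function registrableDomain(host) {
  const labels = host.toLowerCase().split('.');
  for (let i = 0; i < labels.length - 1; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i + 1).join('.'))) {
      return labels.slice(i).join('.');
    }
  }
  return host.toLowerCase();
}

// Relationship between a document.write-inserted script and its document.
function classify(documentUrl, scriptUrl) {
  const doc = new URL(documentUrl);
  const script = new URL(scriptUrl);
  const sameSiteEtldPlusOne =
    registrableDomain(doc.hostname) === registrableDomain(script.hostname);
  return {
    sameOrigin: doc.origin === script.origin,
    // Current intervention logic: eTLD+1 only.
    sameSiteEtldPlusOne,
    // Spec / rest-of-Chromium meaning: eTLD+1 and scheme.
    sameSiteSchemeful: sameSiteEtldPlusOne && doc.protocol === script.protocol,
    // An http script in an https document never reaches the intervention:
    // mixed-content blocking rejects it first.
    mixedContentBlocked: doc.protocol === 'https:' && script.protocol === 'http:',
  };
}

// What the intervention would do with the script under each definition of
// "cross-site", assuming its other preconditions (slow connection etc.) hold.
function interventionDecision(documentUrl, scriptUrl) {
  const c = classify(documentUrl, scriptUrl);
  if (c.mixedContentBlocked) {
    return { etldPlusOneOnly: 'mixed-content', schemeful: 'mixed-content' };
  }
  return {
    etldPlusOneOnly: c.sameSiteEtldPlusOne ? 'allow' : 'block',
    schemeful: c.sameSiteSchemeful ? 'allow' : 'block',
  };
}

// The proposed counters, recorded once per page (a design choice here, the
// thread does not fix the granularity): the (same eTLD+1, any scheme) and
// (same eTLD+1, same scheme) buckets, plus the number of pages with a script
// that only the eTLD+1-only rule lets through. Scripts rejected as mixed
// content are left out since the intervention never sees them.
function sameSiteHistogram(pages) {
  const h = { sameSiteAnyScheme: 0, sameSiteSameScheme: 0, pagesOnlyAllowedByEtldPlusOne: 0 };
  for (const page of pages) {
    const classes = page.scripts
      .map((s) => classify(page.document, s))
      .filter((c) => !c.mixedContentBlocked);
    if (classes.some((c) => c.sameSiteEtldPlusOne)) h.sameSiteAnyScheme++;
    if (classes.some((c) => c.sameSiteSchemeful)) h.sameSiteSameScheme++;
    if (classes.some((c) => c.sameSiteEtldPlusOne && !c.sameSiteSchemeful)) {
      h.pagesOnlyAllowedByEtldPlusOne++;
    }
  }
  return h;
}

// Constructed sample pages; the second one is the http-document /
// https-script case where the two definitions disagree.
const SAMPLE_PAGES = [
  { document: 'http://www.example.com/', scripts: ['http://js.example.com/a.js'] },
  { document: 'http://www.example.com/', scripts: ['https://js.example.com/a.js', 'https://cdn.other.org/x.js'] },
  { document: 'https://www.example.com/', scripts: ['http://js.example.com/a.js'] },
];

console.log(interventionDecision('http://www.example.com/', 'https://js.example.com/a.js'));
console.log(sameSiteHistogram(SAMPLE_PAGES));
```

Running this on the sample pages gives one page in the "only allowed by eTLD+1" count, which is exactly the population the counter above is meant to size before deciding whether to align the intervention with the schemeful definition.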
Your change meets the bar and is auto-approved for M57. Please go ahead and merge the CL to branch 2987 manually. Please contact milestone owner if you have questions.
Owners: amineer@(clank), cmasso@(bling), ketakid@(cros), govind@(desktop)
For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by shivanisha@chromium.org, Nov 3 2016