Desktop PWAs: Origin should be ETLD+1
Issue description

Chrome Version: 69
OS: Chrome

We currently show the full origin in the title bar [1], but I think we should instead be showing the ETLD+1, since we are trying to standardize the notion of identity around that. I will confirm with Security.

[1] https://cs.chromium.org/chromium/src/chrome/browser/ui/extensions/hosted_app_browser_controller.cc?q=HostedAppBrowserController::FormatUrlOrigin
Jun 26 2018
Jun 26 2018
Ah OK, interesting. So it *was* ETLD+1 but r542763 (which added the animation) changed to origin, which was by agreement at the time (see Issue 809794). Looks like Dom has completed an effort to standardize on origin (per Issue 799835) so we should stick with it, or change all of these surfaces to ETLD+1.
Jun 28 2018
We updated the enamel Guidelines for URL display to standardize on origin: https://docs.google.com/document/d/1a4aamAaknVXtDkNePPg0ikeAKsJKdWGBND7fFuliChA/edit#

When the primary purpose of displaying a URL is to have the user make a security decision, display the origin. Omit the path, query string, fragment, and any other components of the URL because they provide opportunities for spoofing. Do not display the scheme if it will always be https://. If the scheme is not https://, prefer to show a security indicator icon (dangerous triangle icon + “Not Secure” string on http://) rather than the scheme itself.

We remove subdomains “www” and “m” as a special case to simplify the origin (except when they are part of the registrable domain).

If in a space-constrained environment, it's acceptable to use registrable domain instead of the full origin.
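The display rules quoted in the comment above, sketched as an added example (not Chromium's code and not part of the original thread). `SAMPLE_PUBLIC_SUFFIXES`, `registrableDomain` and `formatOriginForDisplay` are hypothetical names, and the four-entry suffix set is a constructed stand-in for the Public Suffix List.

```javascript
// Constructed four-entry stand-in for the Public Suffix List (assumption:
// production code would consult the full, current list).
const SAMPLE_PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Registrable domain (eTLD+1): longest matching public suffix plus one label.
function registrableDomain(hostname, suffixes = SAMPLE_PUBLIC_SUFFIXES) {
  const labels = hostname.split(".");
  for (let i = 0; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      // i === 0: the host is itself a public suffix, nothing is registrable.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix, IP literal or single-label host
}

// Returns { text, indicator } for a security-decision surface.
function formatOriginForDisplay(rawUrl, { spaceConstrained = false } = {}) {
  const url = new URL(rawUrl); // throws on unparseable input
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error("this example only covers http and https URLs");
  }
  // Only hostname and port are read: userinfo, path, query and fragment
  // never reach the output.
  const etld1 = registrableDomain(url.hostname);
  let text;
  if (spaceConstrained && etld1) {
    text = etld1; // registrable domain instead of the full origin
  } else {
    let host = url.hostname;
    // Drop a leading "www." or "m." only when that label lies outside the
    // registrable domain; with an unknown suffix, leave the host untouched.
    if (etld1 && host !== etld1 && /^(www|m)\./.test(host)) {
      host = host.replace(/^(www|m)\./, "");
    }
    text = url.port ? `${host}:${url.port}` : host; // default ports are empty
  }
  // https shows no scheme; http gets an indicator rather than the scheme text.
  const indicator = url.protocol === "https:" ? null : "Not Secure";
  return { text, indicator };
}
```

A host such as `m.github.io` keeps its `m` label here because, with `github.io` in the suffix set, that label is the registrable part.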
Jun 29 2018
WontFixing as per #4, though this may be changed in future based on updated advice. :)
Comment 1 by dominickn@chromium.org, Jun 26 2018