Question
Why do www.web.dev and static.web.dev count as the same site, while your-project.github.io and my-project.github.io count as different sites?
There's a part from this page (https://web.dev/samesite-cookies-explained/) that is confusing me:
Key Term:
If the user is on www.web.dev and requests an image from static.web.dev then that is a same-site request.
The public suffix list defines this, so it's not just top-level domains like .com but also includes services like github.io. That enables your-project.github.io and my-project.github.io to count as separate sites.
Answer 1:
I wrote the article, so I'll try to go back and clarify that section. The term "site" in this context has a specific technical meaning, much more tightly defined than when we're just referring to a web site. The important concept to understand here is the idea that a "site" represents a security boundary, i.e. everything under that point is controlled by a single administrative organisation.
So, web.dev is the site, which is its effective top-level domain (dev) plus the single label to the left (web.). Any sub-domains under that are still controlled by the web.dev site, e.g. images.web.dev or thumbnails.images.web.dev for example. Because a server can just create arbitrary numbers of sub-domains, they have no meaning in terms of separating the data sent to that domain from the browser.
The term "eTLD+1" is often used as well, which means effective top-level domain + 1 label to the left. The reason for "effective" in that definition is where the Public Suffix List comes in. That's what allows the separation of sites on hosting services like GitHub sites or Google App Engine.
So, for example com is a TLD. That means a.com, b.com, and c.com are all separate sites because each of those domain names must be registered separately. However, sub1.a.com, sub2.a.com, and sub3.a.com can all be created arbitrarily by that domain without any registration.
However, github.io is an effective TLD because it hosts lots of separate projects, therefore a.github.io, b.github.io, and c.github.io are all separately registered projects. However (if it was allowed by the platform) sub1.a.github.io and sub2.a.github.io are part of the same project.
You can see the definitions here:
- https://url.spec.whatwg.org/#host-registrable-domain
- https://developer.mozilla.org/en-US/docs/Glossary/Site
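As an added illustration (not code from the answer above or from web.dev), here is the eTLD+1 computation the answer describes, run over a small constructed subset of Public Suffix List rules, including a wildcard rule and an exception rule so the longest-match logic is visible; the function names `public_suffix`, `site_of` and `same_site` are my own, and `same_site` compares hosts only, ignoring the scheme that browsers' schemeful same-site check also compares.

```python
# Constructed subset of Public Suffix List rules (real list: publicsuffix.org).
PSL_RULES = ["com", "dev", "io", "github.io", "uk", "co.uk", "*.ck", "!www.ck"]


def _matches(rule, labels):
    """True if rule (right-anchored, '*' matches one label) fits the host labels."""
    rl = rule.lstrip("!").split(".")
    if len(rl) > len(labels):
        return False
    return all(r == "*" or r == h for r, h in zip(reversed(rl), reversed(labels)))


def public_suffix(host):
    """Longest matching PSL rule wins; an exception rule ('!') beats wildcards."""
    labels = host.lower().rstrip(".").split(".")
    matches = [r for r in PSL_RULES if _matches(r, labels)]
    exc = [r for r in matches if r.startswith("!")]
    if exc:
        # Exception: the public suffix is the rule with its first label removed
        return ".".join(exc[0].lstrip("!").split(".")[1:])
    if not matches:
        return labels[-1]  # PSL default rule "*": an unknown TLD is one label
    n = max(r.count(".") for r in matches) + 1
    return ".".join(labels[-n:])


def site_of(host):
    """eTLD+1: public suffix plus one label; None if host is itself a suffix."""
    labels = host.lower().rstrip(".").split(".")
    n = public_suffix(host).count(".") + 1
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])


def same_site(a, b):
    """Two hosts are same-site when they share a registrable domain."""
    sa, sb = site_of(a), site_of(b)
    return sa is not None and sa == sb
```

Note that `same_site("github.io", "github.io")` is False: a bare public suffix has no registrable domain, which is exactly why a cookie cannot be scoped to all of github.io.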
Source: https://stackoverflow.com/questions/59395892/how-come-requests-from-a-www-subdomain-to-a-different-subdomain-considered-sa