How come requests from a “www” subdomain to a different subdomain are considered “same-site”?

Submitted by 左心房为你撑大大i on 2021-01-28 18:13:35

Question


Why does www.web.dev and static.web.dev count as the same site, while your-project.github.io and my-project.github.io count as different sites?

There's a part from this page (https://web.dev/samesite-cookies-explained/) that is confusing me:

Key Term:

If the user is on www.web.dev and requests an image from static.web.dev then that is a same-site request.

The public suffix list defines this, so it's not just top-level domains like .com but also includes services like github.io. That enables your-project.github.io and my-project.github.io to count as separate sites.


Answer 1:


I wrote the article, so I'll try to go back and clarify that section. The term "site" in this context has a specific technical meaning, much more tightly defined than when we're just referring to a web site. The important concept to understand here is the idea that a "site" represents a security boundary, i.e. everything under that point is controlled by a single administrative organisation.

So, web.dev is the site, which is its effective top-level domain (dev) plus the single label to the left (web.). Any sub-domains under that are still controlled by the web.dev site, e.g. images.web.dev or thumbnails.images.web.dev. Because a server can just create arbitrary numbers of sub-domains, they have no meaning in terms of separating the data sent to that domain from the browser.

The term "eTLD+1" is often used as well, which means effective top-level domain + 1 label to the left. The reason for "effective" in that definition is where the Public Suffix List comes in. That's what allows the separation of sites on hosting services like GitHub sites or Google App Engine.

So, for example com is a TLD. That means a.com, b.com, and c.com are all separate sites because each of those domain names must be registered separately. However, sub1.a.com, sub2.a.com, and sub3.a.com can all be created arbitrarily by that domain without any registration.

However, github.io is an effective TLD because it hosts lots of separate projects, therefore a.github.io, b.github.io, and c.github.io are all separately registered projects. However (if it was allowed by the platform) sub1.a.github.io and sub2.a.github.io are part of the same project.

You can see the definitions here:

  • https://url.spec.whatwg.org/#host-registrable-domain
  • https://developer.mozilla.org/en-US/docs/Glossary/Site
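The eTLD+1 rule the answer describes, written out as an added example (not code from the question, the answer, or the web.dev article). The suffix set is a constructed four-entry excerpt standing in for the real Public Suffix List, and the comparison is schemeless, matching the answer's definition:

```javascript
// Constructed excerpt of the Public Suffix List (https://publicsuffix.org/),
// NOT the real list. Wildcard ("*.") and exception ("!") rules are omitted.
const PUBLIC_SUFFIXES = new Set(["com", "dev", "io", "github.io"]);

function hostLabels(host) {
  return host.toLowerCase().replace(/\.$/, "").split(".");
}

// Effective TLD: the longest suffix of the host that is a public suffix.
// Checking from the full host downwards makes "github.io" win over "io".
function effectiveTld(host) {
  const labels = hostLabels(host);
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  // PSL default rule "*": an unlisted TLD is itself the public suffix.
  return labels[labels.length - 1];
}

// The "site" (eTLD+1). Returns null when the host *is* a public suffix,
// e.g. "github.io" itself, which has no registrable domain.
function registrableDomain(host) {
  const labels = hostLabels(host);
  const etldLabelCount = effectiveTld(host).split(".").length;
  if (labels.length <= etldLabelCount) return null;
  return labels.slice(labels.length - etldLabelCount - 1).join(".");
}

// Same-site in the answer's sense: identical eTLD+1 (scheme and port ignored).
function isSameSite(hostA, hostB) {
  const a = registrableDomain(hostA);
  const b = registrableDomain(hostB);
  return a !== null && a === b;
}

console.log(isSameSite("www.web.dev", "static.web.dev"));              // true
console.log(isSameSite("your-project.github.io", "my-project.github.io")); // false
console.log(isSameSite("sub1.a.github.io", "sub2.a.github.io"));       // true
```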


Source: https://stackoverflow.com/questions/59395892/how-come-requests-from-a-www-subdomain-to-a-different-subdomain-considered-sa
