From 4e68628f68b3d7e48e08a8957e6ec4c2e6b3bf91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicol=C3=A1s=20Pe=C3=B1a=20Moreno?= Date: Wed, 4 Oct 2023 14:55:28 -0400 Subject: [PATCH] same domain --- spec/index.bs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/spec/index.bs b/spec/index.bs index 133f224e..e68c2cbb 100644 --- a/spec/index.bs +++ b/spec/index.bs @@ -1168,8 +1168,8 @@ To fetch request given a [=/request=] |request|, |globalObject|, and
When computing the manifest URL given an {{IdentityProviderConfig}} |provider|, a -[=string=] |manifestString|, and |globalObject|, perform the following steps. This returns a -URL or failure. +[=string=] |manifestString|, a boolean |requireSameOrigin|, and |globalObject|, perform the +following steps. This returns a URL or failure. 1. Let |configUrl| be the result of running [=parse url=] with |provider|'s {{IdentityProviderConfig/configURL}} and |globalObject|. 1. Let |manifestUrl| be the result of running [=parse url=] given |manifestString| (the relative @@ -1180,7 +1180,10 @@ When computing the manifest URL given an {{IdentityProviderConfig}} | allowed. 1. If |manifestUrl| is failure, return failure. - 1. If |manifestUrl| is not [=same origin=] with |configUrl|, return failure. + 1. If |requireSameOrigin| and |manifestUrl| is not [=same origin=] with |configUrl|, return + failure. + 1. If |requireSameOrigin| is false and |manifestUrl|'s domain is not equal to + |configUrl|'s, return failure. 1. If |manifestUrl| is not a [=potentially trustworthy URL=], return failure. 1. Return |manifestUrl|.
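Review bot: the new boolean |requireSameOrigin| in the algorithm header is inserted ahead of |globalObject|, and the diffstat (6 insertions, 3 deletions, all inside this algorithm) shows that no caller of "computing the manifest URL" is updated in this patch. Update every invocation in the same change so each one passes the new argument explicitly, and add a sentence to the header saying what true and false mean and which callers use which, since that choice decides whether the same-origin guarantee still applies to a given URL.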
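Review bot: in the added step "If |requireSameOrigin| is false and |manifestUrl|'s domain is not equal to |configUrl|'s", the word "domain" is plain text rather than a linked definition the way [=same origin=] is, so the comparison is unspecified. A URL has a host, which may be a domain or an IP address, and the step does not say whether an exact host match or a registrable-domain (same site) match is intended. Link the term that is meant and say how non-domain hosts are handled. This branch also no longer compares scheme or port, leaving the following [=potentially trustworthy URL=] step as the only constraint on scheme, so state in the text that this relaxation is intended. The two new steps would also read more clearly as a single "if |requireSameOrigin| is true ... otherwise ..." pair.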