Closed yorkie closed 2 years ago
reillyeon
commented
2 years ago An origin actually does consider both the host and port. See the definition from the HTML specification here: https://html.spec.whatwg.org/multipage/origin.html#concept-origin
Are you seeing different behavior in the Chromium implementation?
yorkie
commented
2 years ago Weird a bit, location.origin returns hostname:port, however when I changed the port, the chrome chooser tells that it's paired, I will have a look later.
reillyeon
commented
2 years ago I don't think the window.location.origin attribute is writable (or at least, the browser ignores writes to it) so changing the port there won't change the security principle of the page.
yorkie
commented
2 years ago @reillyeon I just use location.origin to verify if the origin contains the port part, and I won't change the port in that way, actually I did change the port by xxx start --port <port>.
reillyeon
commented
2 years ago I can't reproduce this behavior. The steps I tried:
yorkie
commented
2 years ago You are right, closing this issue :)
Background
I'm working on addressing an authentication issue about a WebADB library, which fails to authenticate when the website port has been changed, this is because the library uses
localStorageto save the ADB cert and key to match with the device, however, thelocalStoragecould not be shared between different ports(domains). In other words, this might be an inconsistent behavior between thelocalStorageandWebUSB.Implementations
I have browsed some of the chromium source code, see the
UsbChooserContext:: HasDevicePermissionmethod, it uses theoriginnamely hostname, rather than thehost(port not included).Proposal
This spec doesn't specify how the UA should implement this part, if this proposal looks good to you guys, I can add some related.