Closed yorkie closed 2 years ago
An origin actually does consider both the host and port. See the definition from the HTML specification here: https://html.spec.whatwg.org/multipage/origin.html#concept-origin
Are you seeing different behavior in the Chromium implementation?
Weird a bit, location.origin
returns hostname:port
, however when I changed the port, the chrome chooser tells that it's paired, I will have a look later.
I don't think the window.location.origin
attribute is writable (or at least, the browser ignores writes to it) so changing the port there won't change the security principle of the page.
@reillyeon I just use location.origin
to verify if the origin
contains the port part, and I won't change the port in that way, actually I did change the port by xxx start --port <port>
.
I can't reproduce this behavior. The steps I tried:
You are right, closing this issue :)
Background
I'm working on addressing an authentication issue about a WebADB library, which fails to authenticate when the website port has been changed, this is because the library uses
localStorage
to save the ADB cert and key to match with the device, however, thelocalStorage
could not be shared between different ports(domains). In other words, this might be an inconsistent behavior between thelocalStorage
andWebUSB
.Implementations
I have browsed some of the chromium source code, see the
UsbChooserContext:: HasDevicePermission
method, it uses theorigin
namely hostname, rather than thehost
(port not included).Proposal
This spec doesn't specify how the UA should implement this part, if this proposal looks good to you guys, I can add some related.