[Origin API] Define an Origin interface. (#11534)

[mikewest]

This patch adds the Origin interface to HTML by shifting the normative
portions of https://mikewest.github.io/origin-api/ into this document.

As a followup, this will require changes to [[URL]] and [[ServiceWorker]] as well to define the "extract an origin" for relevant objects.

See discussion in w3ctag/design-reviews#1130, WebKit/standards-positions#538, and mozilla/standards-positions#1280.

• At least two implementers are interested (and none opposed):
  • I'm interested on Chromium's behalf.
  • An Origin Object WebKit/standards-positions#538 is tending positive, though @annevk and @marcoscaceres have provided positive feedback.
  • An Origin Object mozilla/standards-positions#1280 is similarly inconclusive.
• Tests are written and can be reviewed and commented upon at:
  • https://wpt.fyi/results/html/browsers/origin/tentative/api?label=master&label=experimental&aligned&q=origin%2Ftentative%2F has an initial pass at tests. If this is something folks agree to add to the platform, I'll make them non-tentative.
• Implementation bugs are filed:
  • Chromium: https://issues.chromium.org/issues/434131026
  • Gecko: https://bugzilla.mozilla.org/show_bug.cgi?id=2001139
  • WebKit: https://bugs.webkit.org/show_bug.cgi?id=302785
• MDN issue is filed: Document the Origin API. mdn/mdn#767
• The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)

---

/browsers.html ( diff )
/comms.html ( diff )
/index.html ( diff )
/links.html ( diff )
/webappapis.html ( diff )
/workers.html ( diff )

[zcorpan]

I would like to see mikewest/origin-api#6 addressed.

[annevk]

Some editorial comments. Generally this looks good to me.

[mikewest]

I added this note in response to @erik-anderson's suggestion in mikewest/origin-api#11. Otherwise, I think this PR is pretty good to go.

If @annevk and @zcorpan are happy-enough, I'll go file bugs against browsers, and see if Chromium folks will let me get it out the door.

WDYT?

[annevk]

I'm not a big fan of this as there's quite a number of APIs this applies to and I don't think we want to call this out all over. I could maybe see adding it to URL (or even better would be the Public Suffix standard once we finally rescue that project from its current state).

[mikewest]

Ok. I've taken it back out, and I'll put it up as a PR against URL.

[annevk]

Suggested change

	with <var>other</var>'s <span data-x="dom-Origin-origin">origin</span>, and false otherwise.</p>
	with <var>other</var>'s <span data-x="dom-Origin-origin">origin</span>; otherwise false.</p>

[annevk]

I'm not a big fan of this as there's quite a number of APIs this applies to and I don't think we want to call this out all over. I could maybe see adding it to URL (or even better would be the Public Suffix standard once we finally rescue that project from its current state).

[mikewest]

Thanks!

[mikewest]

Ok. I've taken it back out, and I'll put it up as a PR against URL.

[annevk]

I was looking at this again today thinking about Document vs Window and now I wonder about Location and WorkerLocation.

I followed blame back to https://bugzilla.mozilla.org/show_bug.cgi?id=931884#c10 (starting at 6bdba31) which suggests to me that obtaining an Origin from Location or WorkerLocation is not something we should offer by default. You can still do it by passing location.href, if you really know what you're doing, but in general those objects don't really hold the authority and so we shouldn't encourage that.

For a moment I thought they'd work anyway because of the string overload, but because we take any it's different I think and we won't attempt to coerce any argument to a string. Which in this case seems for the best.

[mikewest]

I followed blame back to https://bugzilla.mozilla.org/show_bug.cgi?id=931884#c10 (starting at 6bdba31) which suggests to me that obtaining an Origin from Location or WorkerLocation is not something we should offer by default. You can still do it by passing location.href, if you really know what you're doing, but in general those objects don't really hold the authority and so we shouldn't encourage that.

I understand your point, but it seems unlikely we're going to be able to get rid of location.origin given its usage, it would be slightly odd for this to be the only interface with an origin property that Origin.from() wouldn't support. I think I'd suggest erring on the side of consistency, but I don't hold that opinion too strongly.

[annevk]

Right, I don't mean to suggest we get rid of that. Each URL-like object should support that, but I do think it's worth trying to hold the line here and get people to adopt the pattern that'll do the right thing in sandboxed environments and the like. We can always relent later. I'm also not entirely sure about <a> and <area>. The use cases for strings, globals, and message events seem clear though.

[mikewest]

Ah, got it. Sandboxed contexts in which the origin differs between Location and Window seem like a sufficiently sharp edge that I think I'm convinced that dropping Location to start with is pretty reasonable. If we decide to add it later, it's trivial.

I don't know of any particularly valuable use cases for HTMLHyperlinkElementUtils, but it seems non-harmful in the same way strings and URLs are. 🤷 I'd just drop Location.

[annevk]

That works for me. I wonder how much longer we want to wait with feedback. Perhaps the Wednesday after Thanksgiving week (Dec 3) is a reasonable time to merge this if nothing else comes up (modulo the Location change)?

[mikewest]

I took care of dropping Location and WorkerLocation in 2d77ad2, and I'll up a CL against Chromium to do the same. I'm fine with giving folks a little more time to weigh in. No rush.

[annevk]

One other thing we need by that date is a WPT PR to make the tests non-tentative and account for the recent changes.