And can someone explain how I'm supposed to implement SSO? We have a bunch of subdomains that support SSO by communicating with an iframe that has the logon status stored, but it appears that the iframe wouldn't have access to its own data anymore. Is that right?
notriddle|3 years ago
According to MDN:
> More specifically, Firefox double-keys all client-side state by the origin of the resource being loaded and by the top-level site. [1]
They linked the definition of a "site" to the HTML5 spec, which says this:
> To obtain a site, given an origin origin, run these steps: [2]
> 1. If origin is an opaque origin, then return origin.
> 2. If origin's host's registrable domain is null, then return (origin's scheme, origin's host).
> 3. Return (origin's scheme, origin's host's registrable domain).
The HTML5 spec refers to the site's registrable domain according to the URL spec:
> A host’s registrable domain is a domain formed by the most specific public suffix, along with the domain label immediately preceding it, if any. [3]
Public Suffixes are defined according to a database that you have to explicitly register in [4]. If you aren't sure whether your base domain is registered as a public suffix, then it probably isn't.
[1]: https://developer.mozilla.org/en-US/docs/Web/Privacy/State_P...
[2]: https://html.spec.whatwg.org/multipage/origin.html#site
[3]: https://url.spec.whatwg.org/#host-registrable-domain
[4]: https://publicsuffix.org/
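A small model of the steps quoted above, as an added example (not code from the thread or from any browser): it derives the registrable domain against a constructed, tiny stand-in for the Public Suffix List, obtains the site, and builds the (frame origin, top-level site) partition key that decides whether an SSO iframe sees the same state under two embedding pages. The suffix set, the `{scheme, host}` origin representation and the function names are assumptions.

```javascript
// Constructed stand-in for the Public Suffix List (publicsuffix.org); the real list is
// far larger. Assumption: hosts are lowercase ASCII DNS names, not IP literals.
const PUBLIC_SUFFIXES = new Set(["com", "org", "io", "co.uk", "github.io"]);

// Most specific public suffix of host (longest match wins, so "github.io" beats "io").
function publicSuffix(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return null;
}

// URL spec: the public suffix plus the label immediately before it; null when the host
// is itself a public suffix (e.g. "github.io") or matches no suffix at all.
function registrableDomain(host) {
  const suffix = publicSuffix(host);
  if (suffix === null || suffix === host) return null;
  const preceding = host.slice(0, -(suffix.length + 1)).split(".").pop();
  return `${preceding}.${suffix}`;
}

// HTML spec "obtain a site". An origin is {scheme, host} or {opaque: true}.
function obtainSite(origin) {
  if (origin.opaque) return origin;
  const rd = registrableDomain(origin.host);
  return { scheme: origin.scheme, host: rd === null ? origin.host : rd };
}

// Two origins are same-site when their sites agree on scheme and host; opaque origins
// are only same-site with themselves.
function sameSite(a, b) {
  if (a.opaque || b.opaque) return a === b;
  const sa = obtainSite(a), sb = obtainSite(b);
  return sa.scheme === sb.scheme && sa.host === sb.host;
}

// Firefox's double key as MDN describes it: (origin of the resource, top-level site).
// Equal keys mean the iframe at frameOrigin sees the same client-side state.
function partitionKey(frameOrigin, topLevelOrigin) {
  if (topLevelOrigin.opaque) return null; // an opaque top-level site is never shared
  const site = obtainSite(topLevelOrigin);
  return `${frameOrigin.scheme}://${frameOrigin.host}|${site.scheme}://${site.host}`;
}

// Constructed SSO layout: one logon iframe embedded by two subdomains of one site.
const sso = { scheme: "https", host: "sso.example.com" };
const keyA = partitionKey(sso, { scheme: "https", host: "a.example.com" });
const keyB = partitionKey(sso, { scheme: "https", host: "b.example.com" });
console.log(keyA === keyB); // prints true: same top-level site, state is shared
```

Swap `example.com` for a host whose parent is a public suffix (such as `x.github.io` and `y.github.io`) and the keys differ, which is the case where the iframe loses its own data.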
three14|3 years ago