Intent to Ship: Origin API


Chromestatus

Nov 19, 2025, 9:47:37 AM
to blin...@chromium.org, mk...@chromium.org
Contact emails
mk...@chromium.org

Explainer
https://mikewest.github.io/origin-api

Specification
https://github.com/whatwg/html/pull/11846

Summary
The origin is a fundamental component of the web’s implementation, essential to both the security and privacy boundaries which user agents maintain. The concept is well-defined between HTML and URL, along with widely-used adjacent concepts like "site". Origins, however, are not directly exposed to web developers. Though there are various origin getters on various objects, each of those returns the ASCII serialization of an origin, not the origin itself. This has a few negative implications. Practically, developers attempting to do same-origin or same-site comparisons when handling serialized origins often get things wrong in ways that lead to vulnerabilities. Philosophically, it seems like a missing security primitive that developers struggle to polyfill accurately. We can address this gap in the platform by introducing an Origin object that encapsulates the origin concept, and provides helpful methods for comparison, serialization, parsing, etc.

Blink component
Blink>SecurityFeature

Web Feature ID
Missing feature

Motivation
No information provided

Initial public proposal
https://github.com/whatwg/html/issues/11534

TAG review
https://github.com/w3ctag/design-reviews/issues/1130

TAG review status
Issues addressed

Risks


Interoperability and Compatibility
No information provided

Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1280)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/538) Tending towards positive.

Web developers: No signals

Other signals:

Security
Ideally, this will resolve security risks rather than creating them. That said, it is the first time we're exposing the same-site concept directly, and if developers aren't careful about how they do those comparisons (especially between browsers or browser versions with differing versions of the PSL), there's some risk that they'd cache an old decision that doesn't apply in the current version of the browser.

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

No information provided


Debuggability
No special support; this is an API debuggable via devtools like any other.

Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?
Yes

Is this feature fully tested by web-platform-tests?
Yes
https://wpt.fyi/results/html/browsers/origin/?label=master&label=experimental&aligned

Flag name on about://flags
No information provided

Finch feature name
OriginAPI

Rollout plan
Will ship enabled for all users

Requires code in //chrome?
False

Tracking bug
https://issues.chromium.org/issues/434131026

Estimated milestones
Shipping on desktop: 144
Shipping on Android: 144
Shipping on WebView: 144


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).

No information provided

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5095541277065216?gate=6604674545352704

This intent message was generated by Chrome Platform Status.
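
The comparison mistakes on serialized origins that the Summary refers to, as an added example (not code from the explainer, the spec PR or Chromium). It uses only the existing `URL` parser rather than the proposed Origin object; `TRUSTED` and every sample origin are constructed for illustration.

```javascript
// Added example: sample origins are constructed; TRUSTED is a hypothetical allowlist entry.
const TRUSTED = "https://app.example";

// Flawed check 1: prefix match on the serialized origin.
function prefixCheck(serialized) {
  return serialized.startsWith(TRUSTED);
}

// Flawed check 2: raw string equality on serializations.
function stringEquals(a, b) {
  return a === b;
}

// Normalize a serialized origin through the URL parser. Opaque origins
// (serialized as "null") and unparseable input return null.
function normalizeOrigin(serialized) {
  let url;
  try {
    url = new URL(serialized);
  } catch {
    return null; // "null", empty string, garbage
  }
  return url.origin === "null" ? null : url.origin;
}

// Same-origin only when both sides parse to the same non-opaque origin.
// Conservative: a string cannot tell two opaque origins apart, so they never match.
function sameOrigin(a, b) {
  const na = normalizeOrigin(a);
  const nb = normalizeOrigin(b);
  return na !== null && na === nb;
}

// Run all three checks against TRUSTED over constructed inputs.
function compareChecks() {
  const samples = [
    "https://app.example",            // genuine
    "https://app.example.other.test", // different host sharing a prefix
    "https://APP.example:443",        // same origin, different spelling
    "null",                           // opaque origin serialization
  ];
  return samples.map((s) => ({
    input: s,
    prefix: prefixCheck(s),
    equals: stringEquals(s, TRUSTED),
    parsed: sameOrigin(s, TRUSTED),
  }));
}

console.table(compareChecks());
```

The prefix check accepts the look-alike host, string equality rejects an equivalent spelling and treats any two `"null"` serializations as equal, and only the parsed comparison gets all four inputs right.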

Daniel Bratell

Nov 19, 2025, 10:21:37 AM
to Chromestatus, blin...@chromium.org, mk...@chromium.org

Better explainer than the spec:

https://github.com/mikewest/origin-api/blob/main/README.md

/Daniel

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/691dd83d.050a0220.2a427a.045f.GAE%40google.com.

Yoav Weiss (@Shopify)

Nov 19, 2025, 11:16:27 AM
to Daniel Bratell, Chromestatus, blin...@chromium.org, mk...@chromium.org
Can you flip all the review bits in chromestatus.com? (enterprise, debuggability and testing are missing)

Alex Russell

Nov 19, 2025, 11:35:20 AM
to blink-dev, Yoav Weiss, Chromestatus, blin...@chromium.org, Mike West, Daniel Bratell
Thanks for the explainer link, Daniel.

Mike:

Saw a few considered alternatives in the explainer, which is great. Have you considered how this might be added to the URL object instead? Did you reject that for a reason I couldn't see?

Best,

Alex
