Structure
WebURL.Origin
public struct Origin Origins are the fundamental currency of the Web's security model.
Two actors in the Web platform that share an origin are assumed to trust each other and to have the same authority. Actors with differing origins are considered potentially hostile versus each other, and are isolated from each other to varying degrees.
The origin is not an attribute or component of a URL; it is a value which may be computed from a URL.
The only URLs for which meaningful origins may be computed are:
-
Those with the http, https, ftp, ws, or wss schemes (i.e. the "special" schemes, excluding file), and
-
Those with the "blob" scheme, which have an opaque path containing another URL.
Computing an origin using any other URL results in an opaque origin, which is defined to be an "internal value, with no serialization it can be recreated from, [...] and for which the only meaningful operation is testing for equality." (HTML Standard).
The URL standard requires every computation of an opaque origin to result in a new value; and the HTML standard builds on that by computing new opaque origins at specific times for specific elements or browsing context, when it desires more specific behaviour for trust/security domains.
This type deviates slightly from the URL standard in that it separates computing an origin using a URL from establishing a new trust/security domain.
Opaque origins are instead considered to be undefined security domains - it does not matter if you call url.origin again or store
a previously-computed origin in your application state; an opaque origin will never compare as being "same origin" with anything, even itself.
This behaviour is in some respects analogous to a floating-point NaN value.
Instead, if an application wishes to establish a trust/security domain, it should do so explicitly by using an augmented origin type, for instance:
enum ApplicationSpecificOrigin {
case derivedFromURL(WebURL.Origin) // security domain is 'obvious' due to URL scheme known by the standard.
case applicationDefined(T) // A security domain which has been established by application-specific logic.
case undefinedOpaque // opaque origin, application unable to determine a security domain.
}
This can also be useful to define application-specific origins for "file" URLs, which the URL standard leaves as "an exercise for the reader".
It is also recommended to read RFC-6456 ("The Web Origin Concept") for a holistic understanding of the origin-based security model.
Relationships
Member Of
WebURLA Uniform Resource Locator (URL) is a universal identifier, which often describes the location of a resource.
Conforms To
CustomStringConvertibleEquatableHashable
Properties
description
public var description: String
isOpaque
public var isOpaque: Bool If true, this is an opaque origin with no meaningful value for use as a trust or security domain.
Note that, analogous to floating-point NaN values, opaque origins are not considered same-origin with themselves.
This also means that opaque origins compare as not equal using the == operator, and should not be stored in hash-tables
such as Set or Dictionary, as they will always insert in to the table and degrade its performance:
let myURL = WebURL("foo://exampleHost:4567/")!
myURL.origin.isOpaque // true. WebURL is unable to define a security domain for "foo" URLs.
myURL.origin == myURL.origin // false!
var seenOrigins: Set = [myURL.origin]
seenOrigins.contains(myURL.origin) // false!
seenOrigins.insert(myURL.origin) // always inserts! lots of hash collisions!
serialized
public var serialized: String The string representation of this origin.
The serialization of an origin is defined in the HTTP specification.
Methods
hash(into:)
public func hash(into hasher: inout Hasher) Operators
==
public static func == (lhs: WebURL.Origin, rhs: WebURL.Origin) -> Bool Whether this origin is considered "same origin" with respect to another origin.
Note that this always returns false for opaque origins.