How come requests from a "www" subdomain to a different subdomain are considered "same-site"?


Question

Why does www.web.dev and static.web.dev count as the same site, while your-project.github.io and my-project.github.io count as different sites?

There's a part from this page (https://web.dev/samesite-cookies-explained/) that is confusing me:

Key term:

If the user is on www.web.dev and requests an image from static.web.dev then that is a same-site request.

The public suffix list defines this, so it's not just top-level domains like .com but also includes services like github.io. That enables your-project.github.io and my-project.github.io to count as separate sites.

Accepted answer

I wrote the article, so I'll try to go back and clarify that section. The term "site" in this context has a specific technical meaning, much more tightly defined than when we're just referring to a web site. The important concept to understand here is the idea that a "site" represents a security boundary, i.e. everything under that point is controlled by a single administrative organisation.

So, web.dev is the site, which is its effective top-level domain (dev) plus the single label to the left (web.). Any sub-domains under that are still controlled by the web.dev site, e.g. images.web.dev or thumbnails.images.web.dev. Because a server can just create arbitrary numbers of sub-domains, they have no meaning in terms of separating the data sent to that domain from the browser.

The term "eTLD+1" is often used as well, which means effective top-level domain + 1 label to the left. The reason for "effective" in that definition is where the Public Suffix List comes in. That's what allows the separation of sites on hosting services like GitHub sites or Google App Engine.

So, for example, com is a TLD. That means a.com, b.com, and c.com are all separate sites because each of those domain names must be registered separately. However, sub1.a.com, sub2.a.com, and sub3.a.com can all be created arbitrarily by that domain without any registration.

However, github.io is an effective TLD because it hosts lots of separate projects, therefore a.github.io, b.github.io, and c.github.io are all separately registered projects. However (if it was allowed by the platform) sub1.a.github.io and sub2.a.github.io are part of the same project.

You can see the definitions here:
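The eTLD+1 rule the answer describes, carried through in code as an added example (not part of the original question or answer, and not the Public Suffix List project's own code): a hostname's "site" is its longest matching public suffix plus one label to the left, and two hosts are same-site when those values are equal. The suffix set below is a small, hand-picked excerpt of the real list, constructed only for this example; the full list at https://publicsuffix.org is what a browser actually consults.

```javascript
// Constructed excerpt of the Public Suffix List, used only for this example.
// The real list has thousands of entries; these are picked to match the
// hostnames discussed in the answer.
const PUBLIC_SUFFIXES = new Set([
  "com",
  "dev",
  "io",
  "co.uk",
  "github.io",    // hosting platform: every *.github.io is a separate site
  "appspot.com",  // Google App Engine, same idea
]);

// Split a hostname into labels, lower-cased and without a trailing dot.
function labelsOf(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "").split(".");
}

// Effective TLD: the longest trailing run of labels that appears in the list.
// Falls back to the last label when nothing in the list matches.
function publicSuffix(hostname) {
  const labels = labelsOf(hostname);
  // Try the whole name first, then progressively shorter suffixes, so the
  // longest listed suffix wins (github.io beats io).
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// eTLD+1: the public suffix plus exactly one label to its left.
// Returns null when the hostname *is* a public suffix (e.g. "github.io"),
// since there is no registrable part and so no site.
function site(hostname) {
  const labels = labelsOf(hostname);
  const suffixLength = publicSuffix(hostname).split(".").length;
  if (labels.length <= suffixLength) return null;
  return labels.slice(labels.length - suffixLength - 1).join(".");
}

// Two hosts are same-site when they resolve to the same eTLD+1.
function isSameSite(hostA, hostB) {
  const a = site(hostA);
  const b = site(hostB);
  return a !== null && a === b;
}

// Demonstration on the hostnames from the answer.
for (const [a, b] of [
  ["www.web.dev", "static.web.dev"],
  ["thumbnails.images.web.dev", "web.dev"],
  ["your-project.github.io", "my-project.github.io"],
  ["sub1.a.github.io", "sub2.a.github.io"],
  ["a.com", "b.com"],
]) {
  console.log(`${a} (${site(a)}) vs ${b} (${site(b)}): same-site = ${isSameSite(a, b)}`);
}
```

Note that this compares hostnames only. Current browsers apply "schemeful" same-site, which additionally requires the scheme to match, so http://web.dev and https://web.dev are cross-site even though their eTLD+1 is identical; a port difference, by contrast, does not make two origins cross-site.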
