Skip to content

Document and test cross-origin embedded object policy #904

Description

@dahlia

Why

The vocabulary layer has a cross-origin policy for fetched and embedded objects. This is security-sensitive: a remote document can embed an object whose @id points at a different origin, and callers need predictable behavior for ignore, throw, and trust.

There are already many FEP-fe34 tests in packages/vocab/src/vocab.test.ts, but the policy is split between generated accessor code, lookupObject(), and constructor-created objects. The expected behavior should be clear enough that a future generated-code change does not weaken it by accident.

Current code

Generated property accessors in packages/vocab-tools/src/property.ts apply crossOrigin checks for fetched objects and cached embedded objects. lookupObject() has a related check in packages/vocab/src/lookup.ts. Tests cover fetched cross-origin objects, arrays, same-origin embedded objects, and the difference between constructor-created and JSON-LD-parsed embedded objects.

Scope

Please consolidate the policy in tests and documentation comments. The work should make these cases explicit:

  • fetched object document URL origin versus returned object @id origin;
  • JSON-LD embedded object origin versus owning object @id origin;
  • constructor-provided embedded objects and why they are treated as trusted local values;
  • array properties and functional properties behaving consistently;
  • the effect of crossOrigin: "ignore", crossOrigin: "throw", and crossOrigin: "trust".

If the generated accessor code has duplicated policy branches, consider a small generator-level helper to keep the behavior consistent. Keep generated output changes mechanical.

Non-goals

Do not change the default policy from ignore. Do not edit generated files by hand. Do not loosen the policy to improve compatibility without an explicit option.

Suggested checks

Add tests in packages/vocab/src/vocab.test.ts and packages/vocab/src/lookup.test.ts. If generator code changes, run the code generation task and include the generated updates.

Metadata

Metadata

Assignees

No one assigned

    Fields

    Priority

    Low

    Effort

    High

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions