Why
The vocabulary layer has a cross-origin policy for fetched and embedded objects. This is security-sensitive: a remote document can embed an object whose @id points at a different origin, and callers need predictable behavior for ignore, throw, and trust.
There are already many FEP-fe34 tests in packages/vocab/src/vocab.test.ts, but the policy is split between generated accessor code, lookupObject(), and constructor-created objects. The expected behavior should be clear enough that a future generated-code change does not weaken it by accident.
Current code
Generated property accessors in packages/vocab-tools/src/property.ts apply crossOrigin checks for fetched objects and cached embedded objects. lookupObject() has a related check in packages/vocab/src/lookup.ts. Tests cover fetched cross-origin objects, arrays, same-origin embedded objects, and the difference between constructor-created and JSON-LD-parsed embedded objects.
Scope
Please consolidate the policy in tests and documentation comments. The work should make these cases explicit:
- fetched object document URL origin versus returned object
@id origin;
- JSON-LD embedded object origin versus owning object
@id origin;
- constructor-provided embedded objects and why they are treated as trusted local values;
- array properties and functional properties behaving consistently;
- the effect of
crossOrigin: "ignore", crossOrigin: "throw", and crossOrigin: "trust".
If the generated accessor code has duplicated policy branches, consider a small generator-level helper to keep the behavior consistent. Keep generated output changes mechanical.
Non-goals
Do not change the default policy from ignore. Do not edit generated files by hand. Do not loosen the policy to improve compatibility without an explicit option.
Suggested checks
Add tests in packages/vocab/src/vocab.test.ts and packages/vocab/src/lookup.test.ts. If generator code changes, run the code generation task and include the generated updates.
Why
The vocabulary layer has a cross-origin policy for fetched and embedded objects. This is security-sensitive: a remote document can embed an object whose
@idpoints at a different origin, and callers need predictable behavior forignore,throw, andtrust.There are already many FEP-fe34 tests in packages/vocab/src/vocab.test.ts, but the policy is split between generated accessor code,
lookupObject(), and constructor-created objects. The expected behavior should be clear enough that a future generated-code change does not weaken it by accident.Current code
Generated property accessors in packages/vocab-tools/src/property.ts apply
crossOriginchecks for fetched objects and cached embedded objects.lookupObject()has a related check in packages/vocab/src/lookup.ts. Tests cover fetched cross-origin objects, arrays, same-origin embedded objects, and the difference between constructor-created and JSON-LD-parsed embedded objects.Scope
Please consolidate the policy in tests and documentation comments. The work should make these cases explicit:
@idorigin;@idorigin;crossOrigin: "ignore",crossOrigin: "throw", andcrossOrigin: "trust".If the generated accessor code has duplicated policy branches, consider a small generator-level helper to keep the behavior consistent. Keep generated output changes mechanical.
Non-goals
Do not change the default policy from
ignore. Do not edit generated files by hand. Do not loosen the policy to improve compatibility without an explicit option.Suggested checks
Add tests in packages/vocab/src/vocab.test.ts and packages/vocab/src/lookup.test.ts. If generator code changes, run the code generation task and include the generated updates.