JavaScript how to uniquely identify a website

Question

I am writing an extension for chrome, but there might be regular JavaScript solutions to my question too.

My extensions enhances / extends the APIs available for websites.

For example, a website can request access to UDP sockets from my extension, and the user will be prompted for permission.

When the user is prompted if they want to give access for that feature to the site, I need to remember what sites have access to what features.

What is the best form of website identification, either obtainable in regular javascript, or using the chrome extension APIs?

My ideas

• The domain name could work, but on a domain such as appspot.com, when a single app requests permission, all apps under that domain now have access.

• The problem with looking at the sub domain is that you will often need permission across your entire domain.

• The solution I thought made the most sense (only applies to HTTPS) was to look at the domain certificate. I should be able to compare the public key or something and then it is consistent with the certificate. If I know correctly, you can choose to create a certificate for an entire domain or just a subdomain etc. Sadly there doesn't seem to be any way to access certificate info in JavaScript, and the chrome extension API does not seem to provide anything either. This really did seem like a perfect solution.

Answer 1

The standard identification in all of the web for permissions is the URL origin i.e. scheme://host:port (the port is optional) which you can extract either via manual string manipulation or as new URL(urlString).origin, although this one is slower especially for superlong string like data URI.

To defuse the domain problem use the Public Suffix List, there are lots of libraries (link and link).