What is top-level navigation in browser terminology and in what ways can it be triggered?

When reading about the SameSite attribute I came across the term top-level navigation.

As I understood it, it's when a user has website1.com open in the browser and then clicks a link that navigates the browser to some other site, e.g. website2.com. But this is a loose definition.

So what exactly is top-level navigation in browser terminology? Is there some specification or RFC with a strict definition of this term?

Can it be triggered in ways other than clicking a link that leads to another website (i.e. having <a href="website2.com">website2.com</a> on website1.com)? What about if I just enter the website2.com URL directly in the browser's navigation bar, is that considered a top-level navigation?

Also, is top-level navigation important in other areas of browser/HTTP/security besides using it with cookies and the SameSite attribute?

Hifi answered 25/5, 2021 at 13:56 Comment(5)
“top-level navigation” is shorthand for “navigating a top-level browsing context”, and the relevant RFC here is datatracker.ietf.org/doc/html/draft-ietf-httpbis-rfc6265bis, which is an update to datatracker.ietf.org/doc/html/rfc6265. See specifically substep 3 at datatracker.ietf.org/doc/html/… - Turki
And for the definition of “top-level browsing context”, see html.spec.whatwg.org/multipage/…: “A browsing context that has no parent browsing context is the top-level browsing context for itself and all of the browsing contexts for which it is an ancestor browsing context.” - Turki
So, further navigation within "website2.com" is not a top-level navigation anymore? It's just the "first access" to the linked website? - Prebo
@EricBurel that is my current guess as well (if I can confirm this I can put it as an answer), where, as the OP says, an anchor tag at website1.com navigating you to website2.com is TLN (top-level navigation), but hardcoding the URL while at website1.com to website2.com (enter) is not a TLN. Hence why the strict value means that website1.com navigating to login.website1.com at a different subdomain (even with the same domain) means no cookies will be sent. - Fagan
In an example where website1.com is a gaming site and a user has received "1 free skin", when the user opens the confirmation e-mail at "gmail.com" which leads them to "website1.com/free?skin=abc", then an auth-cookie with "sameSite: 'Lax'" will successfully verify the user and grant them 1 free skin, vs. the same situation with an auth-cookie with "sameSite: 'Strict'", which will not be sent to the server, so the request would fail and the user won't receive anything. - Fagan

Basically, TOP LEVEL navigation changes the URL in your address bar. Resources that are loaded by iframe, img tags, and script tags do not change the URL in the address bar so none of them cause TOP LEVEL navigation.

Discomposure answered 22/12, 2022 at 21:16 Comment(0)
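
An added example, not part of the question or the answers above: a simplified JavaScript model of how the top-level-navigation test feeds the SameSite decision in the rfc6265bis draft linked in the comments. The request fields (`crossSite`, `isNavigation`, `targetHasParent`, `method`) and the sample requests are assumptions constructed for illustration; a real browser derives them internally.

```javascript
// Simplified model of the SameSite check; field names are hypothetical.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Top-level navigation: a navigation whose target browsing context
// has no parent (a tab or window, not an iframe).
function isTopLevelNavigation(req) {
  return req.isNavigation && !req.targetHasParent;
}

function cookieIsSent(sameSite, req) {
  if (!req.crossSite) return true; // same-site requests carry every cookie
  switch (sameSite) {
    case "None":
      return true; // browsers also require Secure; not modelled here
    case "Lax":
      // Cross-site: only top-level navigations with a safe method qualify.
      return isTopLevelNavigation(req) && SAFE_METHODS.has(req.method);
    case "Strict":
      return false; // never sent on a cross-site request
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// Constructed sample requests, all cross-site and all aimed at website1.com.
const REQUESTS = {
  linkClick: { crossSite: true, isNavigation: true, targetHasParent: false, method: "GET" },
  formPost: { crossSite: true, isNavigation: true, targetHasParent: false, method: "POST" },
  iframe: { crossSite: true, isNavigation: true, targetHasParent: true, method: "GET" },
  // Subresource loads are not navigations, so targetHasParent is irrelevant.
  img: { crossSite: true, isNavigation: false, targetHasParent: false, method: "GET" },
  script: { crossSite: true, isNavigation: false, targetHasParent: false, method: "GET" },
};

// Build a table of which SameSite values let the cookie through per request.
function decisionTable() {
  const table = {};
  for (const [name, req] of Object.entries(REQUESTS)) {
    table[name] = {
      Lax: cookieIsSent("Lax", req),
      Strict: cookieIsSent("Strict", req),
      None: cookieIsSent("None", req),
    };
  }
  return table;
}

console.table(decisionTable());
```

Only `linkClick` passes for `Lax`, which is the e-mail link case from the comments; the iframe, image and script loads fail for the reason the answer gives.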
