Contact emails
dhaus...@google.com, mk...@chromium.org
Spec
https://wicg.github.io/origin-policy/
https://github.com/w3ctag/design-reviews/issues/127
Summary
Origin Policy aims to provide servers with the ability to configure various settings with origin-wide impact. The goal is to provide a home for existing origin-wide configuration options like Strict-Transport-Security (HSTS), and extend those configurations with other useful settings. For example, it will give developers the ability to set a baseline Content Security Policy (CSP), assert default CORS settings, and so on.
Motivation
Web servers can set HTTP headers with origin-wide impact, for example Strict-Transport-Security (HSTS) or Public-Key-Pins (HPKP). The platform as it stands today lacks a clean way to define such settings. A seemingly harmless response from a slightly misconfigured web app can dramatically impact everything else under the same origin. Origin Policy aims to fill this gap by providing a centralized configuration point for the entire origin.
But Origin Policy has the potential to do even more. We envision:
- baseline options which apply to every response. For example, an HSTS header no longer has to be sent with every response, which greatly reduces redundancy.
- fallback options which apply whenever a configuration was not explicitly set. For example, a web app might forget to set a CSP for its error page. A fallback CSP, however, can step in at this point and secure the page.
- CORS settings which can boost performance by providing preflight responses.
Origin Policy will not be limited to the above-mentioned headers and options; it also seems like a useful primitive which will give us a flexible extension point for the configuration options we want to add to the web platform in the future.
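The distinction between "baseline" and "fallback" options is the core of the proposal, so here is a small model of how a user agent could combine an origin policy with the headers of an individual response. This is an added illustration, not code from the Origin Policy spec or from Chromium; the `OriginPolicy` structure, its `baseline`/`fallback` fields and the sample header values are assumptions made for the example (the spec's manifest format is not described in this intent).

```python
"""Illustrative model of Origin Policy "baseline" and "fallback" semantics.

Added example; the policy structure and the merge rules below are assumptions,
not the behaviour defined by the WICG spec or implemented in Chromium.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class OriginPolicy:
    # Assumed: headers the origin wants on every response, so the server need
    # not repeat them (e.g. HSTS).  A response cannot drop these.
    baseline: dict[str, str] = field(default_factory=dict)
    # Assumed: headers used only when the response did not set them itself
    # (e.g. a CSP for an error page that forgot its own).
    fallback: dict[str, str] = field(default_factory=dict)


def apply_origin_policy(policy: OriginPolicy,
                        response_headers: dict[str, str]) -> dict[str, list[str]]:
    """Return the effective header values for one response.

    Header names are compared case-insensitively, as in HTTP.  Values are kept
    as lists because headers such as Content-Security-Policy may legitimately
    appear more than once and are all enforced.

    Order matters: fallback first (fills only what is absent), then baseline
    (added to whatever is present, so it applies to every response).
    """
    effective: dict[str, list[str]] = {}
    for name, value in response_headers.items():
        effective.setdefault(name.lower(), []).append(value)

    for name, value in policy.fallback.items():
        # setdefault only inserts when the response left the header unset.
        effective.setdefault(name.lower(), [value])

    for name, value in policy.baseline.items():
        values = effective.setdefault(name.lower(), [])
        if value not in values:
            values.append(value)
    return effective


# Constructed sample policy and responses for the demonstration.
SAMPLE_POLICY = OriginPolicy(
    baseline={"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    fallback={"Content-Security-Policy": "default-src 'self'"},
)

APP_PAGE_HEADERS = {
    "Content-Type": "text/html",
    # The application page sets its own, more specific CSP.
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example",
}

ERROR_PAGE_HEADERS = {
    # The error page forgot to set a CSP entirely.
    "Content-Type": "text/html",
}


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Apply the sample policy to both constructed responses."""
    return (apply_origin_policy(SAMPLE_POLICY, APP_PAGE_HEADERS),
            apply_origin_policy(SAMPLE_POLICY, ERROR_PAGE_HEADERS))


if __name__ == "__main__":
    for label, headers in zip(("app page", "error page"), demo()):
        print(f"== {label} ==")
        for name, values in headers.items():
            for v in values:
                print(f"{name}: {v}")
```

Running it shows the two behaviours side by side: the app page keeps its own CSP (the fallback does not fire) but gains HSTS from the baseline, while the error page receives both the fallback CSP and the baseline HSTS.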
Interoperability and Compatibility Risk
None. The mechanism is designed such that it notifies the server if the user agent implements it. The server can then decide to use this feature or not. We therefore do not see any risks for interoperability and compatibility.
Ongoing technical constraints
None.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.
OWP launch tracking bug
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/5708023506927616
Requesting approval to ship?
No.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/94366565-7dbf-4797-b86d-0dff0592f129%40chromium.org.