Intent to Prototype: Origin Policy

[Domenic Denicola]

(A version of this was previously sent 2017-08-04, but we thought it was worth a new thread.)

Contact emails dom...@chromium.org,voge...@chromium.org,mk...@chromium.org,wjma...@chromium.org Explainer https://github.com/WICG/origin-policy/blob/master/README.md Design docs/spec Specification: https://wicg.github.io/origin-policy/ TAG review https://github.com/w3ctag/design-reviews/issues/127 Summary Origin Policy provides a mechanism for defining configuration options with origin-wide impact.

This intent covers Origin Policy infrastructure and support for Content Security Policy and Feature Policy policy items. Future intents will be sent for other policy items. Motivation Developers set a number of properties associated with resources on an origin by delivering resource-specific HTTP response headers and meta elements. However, the existing delivery mechanism is ill-suited to the task, suffering from a clear mismatch between the resource-specific nature of the metadata declarations on the one hand, and the origin-wide intent of the metadata on the other. Origin policy provides a centralized per-origin location for configurations that can apply across an origin, such as CSP, feature policy, origin isolation, network error logging, and more. Risks

Interoperability and Compatibility This specification is receiving active engagement and review from Mozilla, as well as some review from the W3C WebAppSec Working Group where other browser vendors participate. Enthusiasm seems generally high for implementing this, so we hope that this will become an interoperable part of the web platform. Origin policy should not cause any compatibility risk as it is an opt-in feature. Even if (for some reason) people are sending Origin-Policy headers and responding to /.well-known/origin-policy requests today, these will almost certainly be invalid, and thus have no effect. Firefox: Public support ("worth prototyping") Edge: No public signals Safari: No public signals Web developers: Positive (e.g. Twitter, others in the W3C WebAppSec group, Google partners). Note that most are excited about the specific things enabled by origin policy in the future; I have not come across any excitement for the two policy items in this intent (feature policy and CSP). Ergonomics Since the origin policy manifest is a carrier for policies, it is definitely used in tandem with other technologies. In general, each "policy item" in the origin policy manifest is based on some other specific technology. This API does add the potential for additional HTTP fetches when hitting an origin, which (if the developer requests) can block loading resources from the origin. This is something we'll be keeping a close eye on while testing the feature with partners. Activation This feature requires ability to control origin-wide configuration by responding to /.well-known/origin-policy requests. This is an intentional activation barrier to ensure that this powerful configuration mechanism is done only by those with control over the entire origin. This feature is not currently specced to be feature-detectable, but we are discussing whether to add that back to the spec. Whether this is worthwhile depends largely on how people end up using origin policy in practice, which prototyping will help us discover. Security See https://wicg.github.io/origin-policy/#privacy-and-security.

Debuggability It would be ideal to add the ability to view the current origin policy in DevTools (crbug.com/1041651). Also, currently requests to retrieve the origin policy are hidden from DevTools; probably they should be shown (crbug.com/1041650). Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)? Yes Is this feature fully tested by web-platform-tests? The intention is yes. https://wpt.fyi/results/origin-policy currently contains tests reflecting the current state of the Chromium implementation, which is halfway between the 2017 spec and the current spec. We will be updating these as we prototype.

It may be a bit difficult to test, but we think we can do it.

Link to entry on the Chrome Platform Status https://chromestatus.com/feature/5708023506927616

This intent message was generated by Chrome Platform Status.

[Yoav Weiss]

Excited to see this work on Origin Policy! So many use-cases... :)

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAM0wra-%3DJUM6Jmm8YeD9_01d_bUwpniMtuJzWZFyOg2NUdxb6Q%40mail.gmail.com.