Contact emails
va...@chromium.com, bi...@chromium.org, bbu...@chromium.org
Summary
SABs are currently disabled in Chrome on Android. As COOP/COEP have been released we can use ‘self.crossOriginIsolated’ to re-enable SABs on Android in case the site is isolated. This I2P is only targeting Android; other platforms are not affected by the change. The broader plan is outlined in: https://groups.google.com/a/chromium.org/g/blink-dev/c/_0MEXs6TJhg
If a document is cross-origin isolated:
* globalThis.crossOriginIsolated will return true.
* globalThis.SharedArrayBuffer will no longer return undefined.
* postMessage() can be used to message SharedArrayBuffer objects: https://github.com/whatwg/html/issues/4732, https://github.com/whatwg/html/pull/4734
* Agent clusters within a cross-origin isolated browsing context group are keyed on origin rather than site: this means that
1) shared memory is bound to a single origin (postMessage()’ing elsewhere results in a message error)
2) document.domain is ineffective
Motivation
As part of our response to side-channel attacks like Spectre, Chromium disabled SharedArrayBuffer globally, and then re-enabled it on platforms where we could comfortably deploy Site Isolation. Since then, we've been working through new isolation primitives in collaboration with other browser vendors that we believe will enable us to safely re-enable SharedArrayBuffers on all platforms. COOP and COEP have been shipped along with M83, and together allow developers to opt-into a "cross-origin isolated" state which substantially mitigates the risk that cross-origin data can accidentally flow into a process an attacker can poke at. Our plan is to enable SharedArrayBuffer on all platforms, only for pages that opt-into such protections.
Risks
Interoperability and Compatibility
For this intent no compatibility or interoperability risks as SABs are currently not available on Android at all.
Edge: No public signals
Firefox: Re-enable SABs on all platforms gated behind COOP/COEP in 79. https://groups.google.com/g/mozilla.dev.platform/c/-hYWoob95LI/m/k160l4k7AwAJ
Safari: No public signals
Web / Framework developers: No public signals
Debuggability
Feature detection for SABs will work and is handling the ‘self.crossOriginIsolated’ state correctly.
Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
No, the I2P is targeting Android only. SABs are already available on platforms where we could comfortably deploy Site Isolation. The plan is to migrate the usage of SABs on these platforms as well to make the feature accessible across all platforms (see: https://groups.google.com/a/chromium.org/g/blink-dev/c/_0MEXs6TJhg)
Is this feature fully tested by web-platform-tests?
Tests are in place, e.g
Link to entry on the feature dashboard
https://www.chromestatus.com/feature/4570991992766464 - SABs in generall
https://www.chromestatus.com/guide/edit/5171863141482496 - Re-Enable SABs on Android
Requesting approval to ship?
No
Lutz Vahl
Technical Program Manager
Google Germany GmbH
Erika-Mann-Strasse 36
80636 München
Geschäftsführer: Paul Manicle, Halimah DeLaine Prado
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Diese E-Mail ist vertraulich. Falls Sie diese fälschlicherweise erhalten haben sollten, leiten Sie diese bitte nicht an jemand anderes weiter, löschen Sie alle Kopien und Anhänge davon und lassen Sie mich bitte wissen, dass die E-Mail an die falsche Person gesendet wurde.
This e-mail is confidential. If you received this communication by mistake, please don't forward it to anyone else, please erase all copies and attachments, and please let me know that it has gone to the wrong person.
I am sure there will be much rejoicing when SAB is back everywhere so I wanted to see the plan.
/Daniel
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBPoUL-ueLj6pKD-PcL%2Bn-4ZFddOmfp%3D9SZEEqLMAMNEyA%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/d0251efd-c63c-5064-0efa-3fc479d5a3c0%40gmail.com.