Anonymous iframes give developers a way to load documents in third party iframes using new and ephemeral contexts. Anonymous iframes are a generalization of COEP credentialless to support 3rd party iframes that may not deploy COEP. Like with COEP credentialless, we replace the opt-in of cross-origin subresources by avoiding to load non-public resources. This will remove the constraint that 3rd party iframes must support COEP in order to be embedded in a COEP page and will unblock developers looking to adopt cross-origin-isolation. This way, developers using COEP can now embed third party iframes that do not.
The main risk is that anonymous iframes fail to become an interoperable part of the web platform if other browsers do not implement the API.
None.
We are going to publish a blog post: We don't expect developers having difficulties using is as-is. It only requires adding the "anonymous" attribute to <iframe>.
See the threat model doc: https://wicg.github.io/anonymous-iframe/#security http://go/anonymous-iframe-threat-model
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
No risks identified. This is platform independent. WebView is not an exception.
- Double check the feature makes sense given large developers like Google Ads and Zoom. - Confirm this resolves the difficulties deploying COEP and understand any limitations. - Get feedback about the shape of the API. - Understand if developers need additional APIs to use it. For instance: https://github.com/w3ctag/design-reviews/issues/742 or others.
None
Anonymous iframes were designed to avoid breaking iframes. They do not introduce new kinds of failures. In the devtool issue explaining an iframe was blocked by COEP, Anonymous iframes will be suggested as a potential solution. The JS API: `window.isAnonymouslyFramed` already reflects whether a document is embedded inside an anonymous iframe or not. This is not reflected in devtool yet, but it could be in the future, if we think this is worth it.
This is a web platform feature. Consistent behavior among all the platforms is important.
OriginTrial desktop last | 108 |
OriginTrial desktop first | 106 |
DevTrial on desktop | 105 |
OriginTrial Android last | 108 |
OriginTrial Android first | 106 |
DevTrial on Android | 105 |
OriginTrial webView last | 108 |
OriginTrial webView first | 106 |
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH7Q68XZAyZh9cVWOVV03Df8p1e-g7bTHWgUpDvXpgFCt6z0LQ%40mail.gmail.com.