I want to chime in to say that the specification work on this feature has been exemplary. Camille's explainer and specification go into great detail on the very complicated spec "code paths" involved in intercepting the points where COOP can kick in. The spec then threads the appropriate reporting infrastructure through multiple layers of complex window-creation and access operations in the HTML Standard, terminating each one in a concrete report, with all the appropriate data included and appropriately security-sanitized.
As the HTML Standard editor who did the relevant reviews, I'm very happy with the quality of the result, and am confident that the result provides something which can be interoperably implemented. From what I understand, the web platform tests coverage is also quite high.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/MN2PR13MB3613029FA1E1B17C1877FFF0DFF30%40MN2PR13MB3613.namprd13.prod.outlook.com.
Contact emails
cl...@chromium.org
Explainer
https://github.com/camillelamy/explainers/blob/master/coop_reporting.md
Specification
https://html.spec.whatwg.org/multipage/origin.html#reporting
Design docs
https://github.com/camillelamy/explainers/blob/master/coop_reporting.md
Summary
Adds a reporting API to help developers deploy cross-origin opener policy.
Blink component
Blink>SecurityFeature
Search tags
COOP, COOP reporting
TAG review
https://github.com/w3ctag/design-reviews/issues/527
TAG review status
Issues addressed
Risks
Interoperability and Compatibility
This is a new feature.
Gecko: Positive (https://github.com/whatwg/html/pull/5518) annevk on the spec pull request: "I think I said before that Firefox is supportive of reporting for COOP and COEP, though it's not a priority for us."
WebKit: No signal
Web developers: Positive Facebook has been successfully using the reporting API in Origin Trial to deploy COOP on their properties.
Ergonomics
This feature will be used with cross-origin opener policy, and often with cross-origin embedder policy (in particular, its reporting API).
Activation
The feature requires developers to properly set up a reporting endpoint. However it helps adoption of COOP by providing a report-only mode that developers can use to check that their websites will not break when enabling COOP.
Security
The reporting API exposes that other pages tried to access cross-origin properties of the page.
Debuggability
This should help with COOP debuggability as DevTools will be able to hook in the same places as we send reports and use this to surface useful information to developers trying to enable COOP.
Is this feature fully tested by web-platform-tests?
Yes
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1059303
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5755687994916864
Links to previous Intent discussions
Intent to prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/h5s3SMpF8QI/m/TkukMVyTAgAJ
This intent message was generated by Chrome Platform Status.
On behalf of Facebook Security team, I'd also like to say that I'm looking forward to moving cross-origin opener policy out of origin trial. We've been experimenting with this feature already on facebook.com and instagram.com and the reporting is an incredibly useful feature for us as it allows us to reliably roll out COOP at scale. Since other browsers haven't offered similar functionality yet, it's essentially the only way we can test the impact of COOP enforcement without breaking our sites.