Intent to Prototype: COOP: restrict-properties


Arthur Hemery

Jul 12, 2022, 10:01:44 AM
to blink-dev

Contact emails

ahe...@chromium.org

Explainer

https://github.com/hemeryar/explainers/blob/main/coop_restrict_properties.md

Specification

https://github.com/whatwg/html/issues/6364

Summary

Cross-Origin-Opener-Policy is used to sever the relationship between popups and their openers, to increase security. "restrict-properties" is a proposed value that restricts the relationship instead of completely severing it. It would enable crossOriginIsolated when paired with COEP.


Blink component

Blink>SecurityFeature>COOP

Motivation

Developers who want their website to be crossOriginIsolated currently need to give up all relationships with popups. This makes it impossible for websites that use SSO, payments or other APIs that function via popups to be crossOriginIsolated. For these websites, we propose a new COOP value, "restrict-properties", that allows communication via postMessage and closed, while enabling crossOriginIsolated.



Initial public proposal

https://github.com/whatwg/html/issues/6364

TAG review


TAG review status

Pending

Risks


Interoperability and Compatibility

Gecko: Firefox would like to see more developer feedback to ensure this solution suits their needs.

WebKit: No signal

Web developers: No signal 

Other signals: Positive feedback on the explainer from Zoom and Meta.

WebView application risks

None.



Debuggability

The new value will be plugged into COOP reporting to help developers understand the impact on their site. 

Is this feature fully tested by web-platform-tests?

Yes, under html/cross-origin-opener-policy/tentative/restrict-properties


Requires code in //chrome?

False

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1221127

Estimated milestones

106 for OT.


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5072630953017344

This intent message was generated by Chrome Platform Status.

Alexander Timin

Jul 25, 2022, 10:54:42 AM
to Arthur Hemery, blink-dev
Chiming in with my web-developer hat on:

This is something that I'd really like to see for the ui.perfetto.dev. The requirements we have there are:

a) we rely on cross-origin postMessage for opening traces from multiple dashboards (ui.perfetto.dev is responsible for displaying arbitrary Perfetto traces, while the dashboards are responsible for fetching the specific trace from storage. The dashboard then window.open's ui.perfetto.dev and uses postMessage to inject the trace contents. Using POST data is not an option for us there, as we want to ensure that the trace itself isn't sent to ui.perfetto.dev).

b) we want high-resolution timers for the ui.perfetto.dev (to be able to measure and profile performance issues).

COOP: same-origin breaks requirement a); however, COOP: restrict-properties should solve the problems, so I'm very excited about this coming.
