Intent to Ship: noopener-allow-popups COOP value

168 views
Skip to first unread message

Yoav Weiss (@Shopify)

unread,
Sep 16, 2024, 3:23:09 AMSep 16
to blink-dev

Contact emails

yoav...@chromium.org

Explainer

https://gist.github.com/yoavweiss/c7b61e97e6f8d207be619f87ab96ead5

Specification

https://github.com/whatwg/html/pull/10394

The PR hasn't landed yet, but I believe it is ready to land (% potential nits).
I'm not aware of any open issues.

Summary

Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application. In such cases, it can be beneficial for a document to ensure its opener cannot script it, even if the opener document is a same-origin one. The `noopener-allow-popups` Cross-Origin-Opener-Policy value will allow documents to define that.



Blink component

Blink

TAG review

https://github.com/w3ctag/design-reviews/issues/964

TAG review status

Issues addressed

Risks



Interoperability and Compatibility

Compatibility risk: As this feature adds a new COOP value, it doesn't run a risk of colliding with existing values. Where we may see some risk is when developers start using this value in ways that would surprise other teams on their origins. (as they would no longer have scripting access to opened documents) I don't expect that to happen often, and if it would it's something that developers would find out at development time. So I don't expect that to impact users. Interoperability risk: WebKit's positive position makes me optimistic that I'd be able to land the feature there as well.



Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1037)

WebKit: Support (https://github.com/WebKit/standards-positions/issues/360)

Web developers: No particular signals, other than the fact that Shopify is interested in this.

Other signals:

Security

No particular issues: https://gist.github.com/yoavweiss/3cb7283f56717f6dfe6da05009a27a65


The main risk is having developers over rely on the protections this would provide. Input from Chrome and Google security folks led to the inclusion of a spec note warning developers against it and indicating what else they'd need to do for more holistic isolation of same-origin documents from others.


I'm planning to add a similar note to developer-facing docs.


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

Yes

https://wpt.fyi/results/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https.html?label=experimental&label=master&aligned


The test doesn't pass on the bots as the feature is disabled using a base feature flag (and no runtime flag).


Flag name on chrome://flags

None

Finch feature name

CoopNoopenerAllowPopups

Requires code in //chrome?

False

Tracking bug

https://issues.chromium.org/issues/344963946

Measurement

https://chromestatus.com/metrics/feature/timeline/popularity/5029 https://chromestatus.com/metrics/feature/timeline/popularity/5030

Estimated milestones

Shipping on desktop131
Shipping on Android131
Shipping on WebView131


Anticipated spec changes

Open questions about a feature may be a source of future web compat or interop issues. Please list open issues (e.g. links to known github issues in the project for the feature specification) whose resolution may introduce web compat/interop risk (e.g., changing to naming or structure of the API in a non-backward-compatible way).


No open questions ATM.

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5163293877731328?gate=4905084336209920

Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSJj33d%3D0B0tNpD0qrYWzygx0i02bWdhbV3aSCgbjS3Ndw%40mail.gmail.com


This intent message was generated by Chrome Platform Status.

Alex Russell

unread,
Sep 18, 2024, 11:43:58 AMSep 18
to blink-dev, Yoav Weiss
LGTM1. Excited to see this happening.

Chris Harrelson

unread,
Sep 18, 2024, 11:44:34 AMSep 18
to Alex Russell, blink-dev, Yoav Weiss
LGTM2

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/24c89356-98aa-4503-83d1-a015c5ab7f1cn%40chromium.org.

Daniel Bratell

unread,
Sep 18, 2024, 11:50:06 AMSep 18
to Chris Harrelson, Alex Russell, blink-dev, Yoav Weiss

LGTM3

(Would be nice to have the PR landed, but it does look like it's just a post-vacation delay rather than any concerns so I will assume that it's landing Real Soon Now)

/Daniel

Reply all
Reply to author
Forward
0 new messages