Intent to Prototype: noopener-allow-popups COOP value


Yoav Weiss (@Shopify)

Jun 5, 2024, 5:47:36 AM
to blink-dev

Contact emails

yoav...@chromium.org

Explainer

https://gist.github.com/yoavweiss/c7b61e97e6f8d207be619f87ab96ead5

Specification

https://github.com/whatwg/html/pull/10394

Summary

Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application. In such cases, it can be beneficial for a document to ensure its opener cannot script it, even if the opener document is a same-origin one. The `noopener-allow-popups` Cross-Origin-Opener-Policy value will allow documents to define that.



Blink component

Blink

TAG review

https://github.com/w3ctag/design-reviews/issues/964

TAG review status

Pending

Risks



Interoperability and Compatibility

Compatibility risk: As this feature adds a new COOP value, it doesn't run a risk of colliding with existing values. Where we may see some risk is when developers start using this value in ways that would surprise other teams on their origins (as they would no longer have scripting access to opened documents). I don't expect that to happen often, and if it did, it's something that developers would find out at development time. So I don't expect that to impact users.

Interoperability risk: Too early to tell, as positions/PR were just filed.



Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1037)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/360)

Web developers: No signals

Other signals:

Security

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Goals for experimentation



Ongoing technical constraints

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

It will be: https://chromium-review.googlesource.com/c/chromium/src/+/5581251/8/third_party/blink/web_tests/external/wpt/html/cross-origin-opener-policy/coop-noopener-allow-popups.https.html



Flag name on chrome://flags

None

Finch feature name

None

Non-finch justification

None

Requires code in //chrome?

False

Tracking bug

https://issues.chromium.org/issues/344963946

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5163293877731328

This intent message was generated by Chrome Platform Status.
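
One way a server could scope the proposed header to the sensitive application on a shared origin, as an added example that is not part of the original post or of Chromium's code. The `/admin` prefix, the `app.example` origin and all function names are assumptions made for illustration.

```javascript
// Hypothetical layout: one origin hosts a public app and a sensitive admin app.
// Only the admin app opts out of being scripted by its opener.
const SENSITIVE_PREFIXES = ['/admin'];
const COOP_VALUE = 'noopener-allow-popups';

// Resolve dot segments and drop the query string before matching, so that
// "/public/../admin/keys" is still recognised as the admin app.
function normalizedPath(requestTarget) {
  try {
    return new URL(requestTarget, 'https://app.example').pathname;
  } catch {
    return null; // unparseable request target
  }
}

// Match whole path segments only: "/administrator" belongs to another app.
function isSensitive(requestTarget) {
  const path = normalizedPath(requestTarget);
  if (path === null) return true; // fail closed: send the header anyway
  return SENSITIVE_PREFIXES.some(
    (prefix) => path === prefix || path.startsWith(prefix + '/')
  );
}

// Headers to add for a given request target.
function securityHeadersFor(requestTarget) {
  return isSensitive(requestTarget)
    ? { 'Cross-Origin-Opener-Policy': COOP_VALUE }
    : {};
}

// Request handler suitable for http.createServer(handle). Documents served
// under /admin carry the header, so an opener from the public app on the
// same origin gets no scripting access to them.
function handle(req, res) {
  res.writeHead(200, {
    'Content-Type': 'text/html; charset=utf-8',
    ...securityHeadersFor(req.url),
  });
  res.end('<!doctype html><title>demo</title>');
}
```

Matching on the normalized path matters here: a prefix check on the raw request target would leave admin pages reachable through dot segments without the header.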
