Intent to Prototype: noopener-allow-popups COOP value

117 views
Skip to first unread message

Yoav Weiss (@Shopify)

unread,
Jun 5, 2024, 5:47:36 AMJun 5
to blink-dev

Contact emails

yoav...@chromium.org

Explainer

https://gist.github.com/yoavweiss/c7b61e97e6f8d207be619f87ab96ead5

Specification

https://github.com/whatwg/html/pull/10394

Summary

Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application. In such cases, it can be beneficial for a document to ensure its opener cannot script it, even if the opener document is a same-origin one. The `noopener-allow-popups` Cross-Origin-Opener-Policy value will allow documents to define that.



Blink component

Blink

TAG review

https://github.com/w3ctag/design-reviews/issues/964

TAG review status

Pending

Risks



Interoperability and Compatibility

Compatibility risk: As this feature adds a new COOP value, it doesn't run a risk of colliding with existing values. Where we may see some risk is when developers start using this value in ways that would surprise other teams on their origins. (as they would no longer have scripting access to opened documents) I don't expect that to happen often, and if it would it's something that developers would find out at development time. So I don't expect that to impact users. Interoperability risk: Too early to tell as positions/PR was just filed.



Gecko: No signal (https://github.com/mozilla/standards-positions/issues/1037)

WebKit: No signal (https://github.com/WebKit/standards-positions/issues/360)

Web developers: No signals

Other signals:

Security

WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Goals for experimentation



Ongoing technical constraints

None



Debuggability

None



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

Yes

Is this feature fully tested by web-platform-tests?

It will be: https://chromium-review.googlesource.com/c/chromium/src/+/5581251/8/third_party/blink/web_tests/external/wpt/html/cross-origin-opener-policy/coop-noopener-allow-popups.https.html



Flag name on chrome://flags

None

Finch feature name

None

Non-finch justification

None

Requires code in //chrome?

False

Tracking bug

https://issues.chromium.org/issues/344963946

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5163293877731328

This intent message was generated by Chrome Platform Status.

Reply all
Reply to author
Forward
0 new messages