Intent to Prototype: COEP reflection API

50 views
Skip to first unread message

Arthur Sonzogni

unread,
May 31, 2022, 8:59:20 AM5/31/22
to blin...@chromium.org

Contact emails

arthurs...@google.com

Explainer

https://github.com/ArthurSonzogni/coep-reflection

Specification

https://github.com/whatwg/html/pull/7948

Design docs

https://github.com/ArthurSonzogni/coep-reflection

Summary

Add the API: `self.crossOriginEmbedderPolicy` It reflects the environment's cross-origin-embedder-policy's value. The possible values are: 'unsafe-none', 'credentialless', and 'require-corp'.



Blink component

Blink>SecurityFeature>COEP

Motivation

Depending on the Cross-Origin-Embedder-Policy value, not every iframe/subresources can be loaded inside the document. If this reflection API is provided, 3rd party scripts can make better decisions. They can implement appropriate fallbacks. In particular, for trying Anonymous Iframe, Google DisplayAds, needs a way to know the COEP policy. The Ads's script could this way be able to decide in between inserting a normal or an anonymous iframe.



Initial public proposal

https://github.com/whatwg/html/issues/7912

Search tags

coepcross-origin-embedder-policyreflection

TAG review

https://github.com/w3ctag/design-reviews/issues/742

TAG review status

Pending

Risks


Interoperability and Compatibility

This is a new API. The main risk is that it fails to become an interoperable part of the web platform if other browsers do not implement it.



Gecko: No signal

WebKit: No signal

Web developers: No signals

Other signals:

Activation

This is a read only attribute, constant for the whole lifetime of the environment. I don't expect difficulties using it. On web browser implementations not supporting it, it will return `undefined`.



Security

It is already possible to deduce the value returned by the API, by making a no-cors `fetch` request toward a known cross-origin URL whose response depends on the request's cookies and omit the CORP headers. It is a bit costly, but theoretically polyfillable. As such, it should be a security/privacy no-op.



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None. COEP reflection is independent from the platform.



Debuggability

It was already exposed to devtool via Application > Frames > top > Security & Isolation > Cross-Origin Embedder Policy (COEP) Nothing new is needed/planned.



Is this feature fully tested by web-platform-tests?

Yes

Flag name

--enable-blink-features=CoepReflection

Requires code in //chrome?

False

Tracking bug

https://crbug.com/1324521

Estimated milestones

No milestones specified



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5074103873568768

This intent message was generated by Chrome Platform Status.
Reply all
Reply to author
Forward
0 new messages