Intent to Prototype: Anonymous iframes


Camille Lamy

May 21, 2021, 8:56:30 AM
to blink-dev

Contact emails

cl...@chromium.org

Explainer

https://github.com/camillelamy/explainers/blob/master/anonymous_iframes.md

Specification

None

Summary

Anonymous iframes allow documents to be loaded in a COEP page, even if the documents haven't deployed COEP. To make this safe, anonymous iframes cannot use existing credentials and shared storage for their origin. Unlike sandboxed frames, they can use storage APIs and register cookies. However, those credentials and storage can only be shared by documents in anonymous iframes in the page (provided they meet origin restrictions). They will no longer be accessible once the page has navigated.



Blink component

Blink>SecurityFeature

Motivation

Sites that wish to continue using SharedArrayBuffer must opt into cross-origin isolation. Among other things, cross-origin isolation will block the use of cross-origin resources and documents unless those resources opt into inclusion via either CORS or CORP. This behavior ships today in Firefox, and Chrome aims to ship it as well in Chrome 92. The opt-in requirement is generally positive, as it ensures that developers have the opportunity to adequately evaluate the rewards of being included cross-site against the risks of potential data leakage via those environments. It poses adoption challenges, however, as it does require developers to adjust their servers to send an explicit opt-in. This is challenging in cases where there's not a single developer involved, but many. Google Ads, for example, includes third-party content, and it seems somewhat unlikely that they'll be able to ensure that all the ad creators will do the work to opt into being loadable. It seems clear that adoption of any opt-in mechanism is going to be limited. From a deployment perspective (especially with an eye towards changing default behaviors), it would be ideal if we could find an approach that provided robust-enough protection against accidental cross-process leakage without requiring an explicit opt-in.



Initial public proposal

https://github.com/camillelamy/explainers/blob/master/anonymous_iframes.md

TAG review

https://github.com/w3ctag/design-reviews/issues/639

TAG review status

Pending

Risks



Interoperability and Compatibility



Gecko: No signal

WebKit: No signal

Web developers: No signals


Is this feature fully tested by web-platform-tests?

No

Flag name

None

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1211800

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5729461725036544

This intent message was generated by Chrome Platform Status.