Document-Isolation-Policy allows a document to enable crossOriginIsolation for itself, without having to deploy COOP or COEP, and regardless of the crossOriginIsolation status of the page. The policy is backed by process isolation. Additionally, the document non-CORS cross-origin subresources will either be loaded without credentials or will need to have a CORP header.
Developers want to build applications that are fast using SharedArrayBuffers (SAB), which can improve computation time by ~40%. But SharedArrayBuffers allow to create high-precision timers that can be exploited in a Spectre attack, allowing to leak cross-origin user data. To mitigate the risk, SharedArrayBuffers are gated behind crossOriginIsolation (COI). CrossOriginIsolation requires to deploy both Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP). Both have proven hard to deploy, COOP because it prevents communication with cross-origin popups, and COEP because it imposes restrictions on third-party embeds. Finally, the whole COOP + COEP model is focused on providing access to SharedArrayBuffers to the top-level frame. Cross-origin embeds can only use SABs if their embedder deploys crossOriginIsolation and delegates the permission to use COI-gated APIs, making the availability of SABs in third-party iframes very unreliable. Document-Isolation-Policy, is proposing to solve these deployment concerns by relying on the browser Out-of-Process-Iframe capability. It will provide a way to securely build fast applications using SharedArrayBuffers while maintaining communication with cross-origin popups and not requiring extra work to embed cross-origin iframes. Finally, it will be available for embedded widgets.
None
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
None
No milestones specified
The Document-Isolation-Policy proposal relies on agent cluster keying to achieve isolation, instead of browsing context group switches. This means that it introduces a situation where two same-origin documents might find themselves in different agent clusters and be unable to have DOM access to each other. This is unprecedented in the HTML spec.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMKsNvp7Xcgz%3DcMXJ7%2B%2BBgwhO2wOKEkaMiDk_wUY1nprvPG4HQ%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH%2B8MBZfpRCRsQMqvjy8NPmo9_v8WQcdu%3Ds06%2BVWb6a17dQ-jw%40mail.gmail.com.
My understanding is that at least this behavior is deterministic, right? That is, either the same-origin frames will be able to script each other or they won't and this will happen consistently (based on the agent cluster key).
An observation I had is that it seems that the Document-Isolation-Policy is still at the mercy of the platform having the resources to process-isolate frames.
Also I'm not sure if it would be possible for 3p iframes to starve platform of such resources so that the top level frame would no longer be able to create 1p frames that have access to COI-gated APIs
My understanding is that at least this behavior is deterministic, right? That is, either the same-origin frames will be able to script each other or they won't and this will happen consistently (based on the agent cluster key).Yes, I think it would be deterministic based on the headers, so hopefully education via error messages would help.An observation I had is that it seems that the Document-Isolation-Policy is still at the mercy of the platform having the resources to process-isolate frames.Camille can probably confirm the details, but I believe that's right. COOP+COEP depends on the platform being able to open a new window in a different process, which I think all platforms but Android WebView can support at this point (?). Document-Isolation-Policy would depend on out-of-process iframes, which wouldn't work on Android WebView or iOS, at least for the time being. On platforms that do support out-of-process iframes, it would make crossOriginIsolated modes much easier to adopt, though.
Also I'm not sure if it would be possible for 3p iframes to starve platform of such resources so that the top level frame would no longer be able to create 1p frames that have access to COI-gated APIsIIUC, I think each origin is limited in the number of processes it could create in a given page (basically one with SAB access and one without), which helps.
I seem to recall that Android Chrome is also limited here, but maybe that has changed and my knowledge is outdated.
Charlie
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMKsNvp7Xcgz%3DcMXJ7%2B%2BBgwhO2wOKEkaMiDk_wUY1nprvPG4HQ%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
Yes the user agent keying is deterministic, and we're adding reporting to warn developers if they end up having two same origin documents that could normally have DOM access but can't due to Document-Isolation-Policy.
Our recommendation would be to adopt the header on all documents of an origin, which removes the concerns around script access. As a followup, we might resurrect the Origin-Policy work to help with this issue.
Charlie
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMKsNvp7Xcgz%3DcMXJ7%2B%2BBgwhO2wOKEkaMiDk_wUY1nprvPG4HQ%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH%2B8MBZfpRCRsQMqvjy8NPmo9_v8WQcdu%3Ds06%2BVWb6a17dQ-jw%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1db78c8e-0672-4f62-ac3e-22cb614ca2a6n%40chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohS%2BzyOX6amnva6t_HBsXPXAFoZEri7A78ka7-OwA66B%3Dmw%40mail.gmail.com.
There is a huge demand for protecting data that's shared with users Any help in strong binding data to origin and blocking sharing would a big win.
thx ..Tom (mobile)On Mon, Apr 8, 2024, 1:20 AM Yoav Weiss (@Shopify) <yoav...@chromium.org> wrote:This is very interesting!Do I understand correctly and the main reason this would be easier to deploy is because embedded iframes and popups won't need to deploy COEP in this model?
Charlie
Blink componentBlink>SecurityFeature
MotivationDevelopers want to build applications that are fast using SharedArrayBuffers (SAB), which can improve computation time by ~40%. But SharedArrayBuffers allow to create high-precision timers that can be exploited in a Spectre attack, allowing to leak cross-origin user data. To mitigate the risk, SharedArrayBuffers are gated behind crossOriginIsolation (COI). CrossOriginIsolation requires to deploy both Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP). Both have proven hard to deploy, COOP because it prevents communication with cross-origin popups, and COEP because it imposes restrictions on third-party embeds. Finally, the whole COOP + COEP model is focused on providing access to SharedArrayBuffers to the top-level frame. Cross-origin embeds can only use SABs if their embedder deploys crossOriginIsolation and delegates the permission to use COI-gated APIs, making the availability of SABs in third-party iframes very unreliable. Document-Isolation-Policy, is proposing to solve these deployment concerns by relying on the browser Out-of-Process-Iframe capability. It will provide a way to securely build fast applications using SharedArrayBuffers while maintaining communication with cross-origin popups and not requiring extra work to embed cross-origin iframes. Finally, it will be available for embedded widgets.
Initial public proposalhttps://github.com/WICG/proposals/issues/145
TAG reviewNone
TAG review statusPending
Risks
Interoperability and CompatibilityNone
Gecko: No signal
WebKit: No signal
Web developers: No signals
Other signals:
WebView application risksDoes this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None
DebuggabilityNone
Is this feature fully tested by web-platform-tests?No
Flag name on chrome://flagsNone
Finch feature nameNone
Non-finch justificationNone
Requires code in //chrome?False
Estimated milestonesNo milestones specified
Link to entry on the Chrome Platform Statushttps://chromestatus.com/feature/5141940204208128?gate=5097535879512064
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMKsNvp7Xcgz%3DcMXJ7%2B%2BBgwhO2wOKEkaMiDk_wUY1nprvPG4HQ%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH%2B8MBZfpRCRsQMqvjy8NPmo9_v8WQcdu%3Ds06%2BVWb6a17dQ-jw%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/1db78c8e-0672-4f62-ac3e-22cb614ca2a6n%40chromium.org.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
I'm not sure same-origin isolation won't end up being a desired feature on its own. I heard developers asking for stronger isolation primitives on more than one occasion. I'll talk to folks and think about it some more.