Intent to Experiment: Cross-origin opener policy reporting API
90 views
Skip to first unread message
Camille Lamy
Aug 12, 2020, 10:18:48 AM8/12/20
to blink-dev
Contact emails
cl...@chromium.orgExplainer
https://github.com/camillelamy/explainers/blob/master/coop_reporting.mdSpecification
https://github.com/whatwg/html/pull/5518Design docs
https://docs.google.com/document/d/1H8Be0w27fKPXKqyuJj9oEqIJEjB9Rw5AP3x-w-Fx2Zg/edit#heading=h.6a92f2gfl9le
TAG review
https://github.com/w3ctag/design-reviews/issues/527Summary
Adds a reporting API to help developers deploy cross-origin opener policy.Link to “Intent to Prototype” blink-dev discussion
https://groups.google.com/a/chromium.org/g/blink-dev/c/h5s3SMpF8QI/m/TkukMVyTAgAJRisks
Interoperability and Compatibility
This is a new feature.Gecko: No signal
WebKit: No signal
Web developers: No signals
Ergonomics
This feature will be used with cross-origin opener policy, and often with cross-origin embedder policy (in particular, its reporting API).Activation
The feature requires developers to properly set up a reporting endpoint. However it helps adoption of COOP by providing a report-only mode that developers can use to check that their websites will not break when enabling COOP.Security
The reporting API exposes that other pages tried to access cross-origin properties of the page.Goals for experimentation
We want to gather feedback on whether the proposed data in the reports is helpful to developers to debug bugs with COOP.Experimental timeline
M86Reason this experiment is being extended
Ongoing technical constraints
None.Debuggability
This should help with COOP debuggability as DevTools will be able to hook in the same places as we send reports and use this to surface useful information to developers trying to enable COOP.Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
No All platforms will be supported except Android WebView. The underlying COOP feature requires multiple renderer processes which Android WebView cannot provide.Is this feature fully tested by web-platform-tests?
No We plan on fully testing this feature using WebPlatform tests. Our tests are part of the cross-origin opener policy suite (tests marked as reporting), and we are currently expending them. https://wpt.fyi/results/html/cross-origin-opener-policy?label=experimental&label=master&alignedLink to entry on the Chrome Platform Status
https://chromestatus.com/feature/5755687994916864
Yoav Weiss
Aug 13, 2020, 5:46:37 AM8/13/20
to Camille Lamy, Eiji Kitamura, blink-dev
LGTM to experiment.
Reporting seems essential to convince web properties that they can actually deploy COOP without breaking the site for their users.
On Wed, Aug 12, 2020 at 4:18 PM Camille Lamy <cl...@chromium.org> wrote:
Contact emails
cl...@chromium.orgExplainer
https://github.com/camillelamy/explainers/blob/master/coop_reporting.mdSpecification
https://github.com/whatwg/html/pull/5518Design docs
https://docs.google.com/document/d/1H8Be0w27fKPXKqyuJj9oEqIJEjB9Rw5AP3x-w-Fx2Zg/edit#heading=h.6a92f2gfl9le
TAG review
https://github.com/w3ctag/design-reviews/issues/527
I was going to ask about the choice of using a separate header, but luckily, the TAG already did and the answer there makes sense.
Summary
Adds a reporting API to help developers deploy cross-origin opener policy.Link to “Intent to Prototype” blink-dev discussion
https://groups.google.com/a/chromium.org/g/blink-dev/c/h5s3SMpF8QI/m/TkukMVyTAgAJRisks
Interoperability and Compatibility
This is a new feature.
Gecko: No signal
WebKit: No signal
Now seems like a good time to be asking for signals
Web developers: No signals
While gathering web developer signals can be harder, might be good to try.
For example, +Eiji Kitamura may have heard things as a response to https://web.dev/coop-coep/. (or may have other ideas)
Ergonomics
This feature will be used with cross-origin opener policy, and often with cross-origin embedder policy (in particular, its reporting API).Activation
The feature requires developers to properly set up a reporting endpoint. However it helps adoption of COOP by providing a report-only mode that developers can use to check that their websites will not break when enabling COOP.Security
The reporting API exposes that other pages tried to access cross-origin properties of the page.Goals for experimentation
We want to gather feedback on whether the proposed data in the reports is helpful to developers to debug bugs with COOP.Experimental timeline
M86Reason this experiment is being extended
Ongoing technical constraints
None.Debuggability
This should help with COOP debuggability as DevTools will be able to hook in the same places as we send reports and use this to surface useful information to developers trying to enable COOP.Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
No All platforms will be supported except Android WebView. The underlying COOP feature requires multiple renderer processes which Android WebView cannot provide.Is this feature fully tested by web-platform-tests?
No We plan on fully testing this feature using WebPlatform tests. Our tests are part of the cross-origin opener policy suite (tests marked as reporting), and we are currently expending them. https://wpt.fyi/results/html/cross-origin-opener-policy?label=experimental&label=master&alignedLink to entry on the Chrome Platform Status
https://chromestatus.com/feature/5755687994916864
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAMKsNvoM60biLy8O7GXoi8uJukK4GumJzCFFxOcYL0JkAnVmCw%40mail.gmail.com.
Artur Janc
Aug 13, 2020, 9:33:47 AM8/13/20
to blink-dev, yo...@yoav.ws, blink-dev, cl...@chromium.org, Eiji Kitamura
I'm certainly biased since I've been helping shape this API somewhat, but I can provide signal on behalf of the Google security team that we're definitely interested in, and blocked on, COOP reporting being available (see e.g. https://twitter.com/we1x/status/1293861189068390401). We've heard similar rumblings from security engineers at Facebook where AFAIK they're enforcing COOP for internal users, but are waiting on reporting data to do it in production. My guess is that other application owners who care about XS-Leaks are in a similar boat.
Cheers,
-Artur
Reply all
Reply to author
Forward
0 new messages