Intent to Extend Origin Trial: Trial for SharedArrayBuffers in non-isolated pages on Desktop platforms

379 views
Skip to first unread message

Lutz Vahl

unread,
Apr 27, 2022, 9:04:18 AM4/27/22
to blink-dev, Camille Lamy

Contact emails

va...@chromium.org cl...@chromium.org


Explainer

https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k


Specification

https://tc39.github.io/ecma262/#sec-sharedarraybuffer-objects


Design docs Including the new security requirements

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer

Discussion how and what to gate

https://github.com/whatwg/html/issues/4732


Summary

‘SharedArrayBuffers’ (SABs) on desktop platforms are restricted to cross-origin isolated environments, matching the behavior we've recently shipped on Android and Firefox. We've performed that change in Chrome 92. A reverse OT was started to give developers the option to use SABs in case they are not able to adopt cross origin isolation yet.

We’ve received lot’s of feedback that adopting COOP/COEP is hard (details below). Therefore I’m asking for your approval to extend the SAB reverse OT again from M103 until M113 (branch point 2023-03-23). This is an estimation - Can we come back to y'all in 6 months with a report on progress and usage to justify that extension and agree on the final milestone?


Experimental timeline / plan for all new capabilities needed to replace the OT

The SAB restriction in M92 went smoothly without any major issues in the wild because we offered the reverse OT. We’ve received lots of feedback that adopting COOP/COEP is hard and sometimes impossible. Therefore the reverse OT is currently the only way to enable SABs for some sites within Chromium. Chromestatus is showing that SABs in none COI context are being used on ~0.36% page loads.


To overcome this limitation and make adoption possible more broadly (public feedback), we’re working on multiple solutions (all shared timelines are WIP):


  1. COEP:credentialless - https://crbug.com/1218896

COEP:credentialless causes no-cors cross-origin requests not to include

credentials (cookies, client certificates, etc...). Similarly to require-corp, it can be used to enable cross-origin-isolation. Some developers are blocked on a set of dependencies which don't yet assert that they're safe to embed in cross-origin isolated environments. 

This mechanism was shipped in M96. (Adoption is already at 0.02% of main pages)


  1. COI+popups (formally: COOP same-origin-allow-popups-plus-coep)

To allow crossOriginIsolated pages to use popup-based OAuth/payment flows, we plan to have COOP same-origin-allow-popups enable crossOriginIsolation when used in conjunction with COEP. Developers who depend on popups to 3P for e.g. identity or payment flows can’t currently deploy cross-origin-isolation.


Spec work is ongoing and we’re targeting Q2 2022 for the OT and Q3 for the shipping. As soon as the spec is defined, we’ll kick off the intent process. Without this all sites need to migrate to FedCM and WebPayment for their flows to be able to use SABs.



  1. Anonymous iframes

Anonymous iframes are a generalization of COEP credentialless to support 3rd party iframes that may not deploy COEP. Like with COEP credentialless, we replace the opt-in of cross-origin subresources by avoiding to load non-public resources. This will remove the constraint and will unblock developers to adopt cross-origin-isolation as soon as they’re embedding 3P iframes.


Based on the progress made for storage partitioning and CHIPs, which are needed to safely ship Anonymous iframes, we’re aiming to start the OT in Q2 2022 (M106) and the rollout in Q3 2022 (M110).


Blink component

Blink>JavaScript


Search tags

SharedArrayBuffer, SAB


TAG review

https://github.com/w3ctag/design-reviews/issues/471


TAG review status

Closed


Risks

Interoperability and Compatibility

We expect this change to negatively impact developers using `SharedArrayBuffer` today. Chrome was the only platform where SABs have been available without COOP/COEP. Therefore we need to give developers the right capabilities and a clear path forward to ensure they’ve enough time to adopt. We aim to mitigate these risks by adopting a longer-than-usual depreciation period with console warnings/issues and a reverse origin trial. 

Good news is usage is down to ~0.36% page loads and that other browsers have or are shipping SABs again gated behind COOP/COEP. Bad news is that Chromium was the only browser that supported SABs without COI, therefore we need to provide a migration path to not break existing sites such as Zoom or Google Earth.

Gecko: Shipped/Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1312446)

WebKit: Added COOP/COEP and SAB support recently gated behind COOP/COEP


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No - This OT is only for desktop, as this was the only platform where SABs have been available without COOP/COEP.

Android re-enabled SABs gated behind COOP/COEP: https://chromestatus.com/feature/5171863141482496


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1144104


Launch bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1138860


Blink-dev Thread

Planning isolation requirements (COOP/COEP) for SharedArrayBuffer

I2S


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/4570991992766464


Chris Harrelson

unread,
Apr 27, 2022, 11:14:09 AM4/27/22
to Lutz Vahl, blink-dev, Camille Lamy
On Wed, Apr 27, 2022 at 6:04 AM Lutz Vahl <va...@chromium.org> wrote:

Contact emails

va...@chromium.org cl...@chromium.org


Explainer

https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k


Specification

https://tc39.github.io/ecma262/#sec-sharedarraybuffer-objects


Design docs Including the new security requirements

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer

Discussion how and what to gate

https://github.com/whatwg/html/issues/4732


Summary

‘SharedArrayBuffers’ (SABs) on desktop platforms are restricted to cross-origin isolated environments, matching the behavior we've recently shipped on Android and Firefox. We've performed that change in Chrome 92. A reverse OT was started to give developers the option to use SABs in case they are not able to adopt cross origin isolation yet.

We’ve received lot’s of feedback that adopting COOP/COEP is hard (details below). Therefore I’m asking for your approval to extend the SAB reverse OT again from M103 until M113 (branch point 2023-03-23). This is an estimation - Can we come back to y'all in 6 months with a report on progress and usage to justify that extension and agree on the final milestone?


Experimental timeline / plan for all new capabilities needed to replace the OT

The SAB restriction in M92 went smoothly without any major issues in the wild because we offered the reverse OT. We’ve received lots of feedback that adopting COOP/COEP is hard and sometimes impossible. Therefore the reverse OT is currently the only way to enable SABs for some sites within Chromium. Chromestatus is showing that SABs in none COI context are being used on ~0.36% page loads.


This seems off by a factor of 10. The real number seems to be 0.036% or so, right? Can you highlight why it's important to extend for 10 more milestones for such a small percentage of traffic? Will the sites in question completely break for some reason, or just behave the same as in non-chromium browsers?
 
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBN2JhcYtpT4UYKcAfHt1e0Wz_Uxz0CkXcAntguhbmyNCA%40mail.gmail.com.

Lutz Vahl

unread,
Apr 27, 2022, 12:27:09 PM4/27/22
to Chris Harrelson, blink-dev, Camille Lamy
On Wed, Apr 27, 2022 at 5:14 PM Chris Harrelson <chri...@chromium.org> wrote:


On Wed, Apr 27, 2022 at 6:04 AM Lutz Vahl <va...@chromium.org> wrote:

Contact emails

va...@chromium.org cl...@chromium.org


Explainer

https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k


Specification

https://tc39.github.io/ecma262/#sec-sharedarraybuffer-objects


Design docs Including the new security requirements

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer

Discussion how and what to gate

https://github.com/whatwg/html/issues/4732


Summary

‘SharedArrayBuffers’ (SABs) on desktop platforms are restricted to cross-origin isolated environments, matching the behavior we've recently shipped on Android and Firefox. We've performed that change in Chrome 92. A reverse OT was started to give developers the option to use SABs in case they are not able to adopt cross origin isolation yet.

We’ve received lot’s of feedback that adopting COOP/COEP is hard (details below). Therefore I’m asking for your approval to extend the SAB reverse OT again from M103 until M113 (branch point 2023-03-23). This is an estimation - Can we come back to y'all in 6 months with a report on progress and usage to justify that extension and agree on the final milestone?


Experimental timeline / plan for all new capabilities needed to replace the OT

The SAB restriction in M92 went smoothly without any major issues in the wild because we offered the reverse OT. We’ve received lots of feedback that adopting COOP/COEP is hard and sometimes impossible. Therefore the reverse OT is currently the only way to enable SABs for some sites within Chromium. Chromestatus is showing that SABs in none COI context are being used on ~0.36% page loads.


This seems off by a factor of 10. The real number seems to be 0.036% or so, right? Can you highlight why it's important to extend for 10 more milestones for such a small percentage of traffic? Will the sites in question completely break for some reason, or just behave the same as in non-chromium browsers?
That's on me:  0.036% is correct!
Some sites use SAB to gain extra performance on chromium based browsers in some cases 3P content is using SABs. Some might work without the OT others will break based on how they identify their code path to be used.

The list of OT registrations is ~500 and most of them mentioned to be blocked by 3Ps to deploy COOP+COEP broadly.
We're happy to extend the OT to give them time to adopt. Do you (and/or other API owners) think this is not required based on the low usage?


Mike Taylor

unread,
Apr 28, 2022, 7:06:41 PM4/28/22
to Lutz Vahl, Chris Harrelson, blink-dev, Camille Lamy
On 4/27/22 12:26 PM, Lutz Vahl wrote:


On Wed, Apr 27, 2022 at 5:14 PM Chris Harrelson <chri...@chromium.org> wrote:


On Wed, Apr 27, 2022 at 6:04 AM Lutz Vahl <va...@chromium.org> wrote:

Contact emails

va...@chromium.org cl...@chromium.org


Explainer

https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k


Specification

https://tc39.github.io/ecma262/#sec-sharedarraybuffer-objects


Design docs Including the new security requirements

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer

Discussion how and what to gate

https://github.com/whatwg/html/issues/4732


Summary

‘SharedArrayBuffers’ (SABs) on desktop platforms are restricted to cross-origin isolated environments, matching the behavior we've recently shipped on Android and Firefox. We've performed that change in Chrome 92. A reverse OT was started to give developers the option to use SABs in case they are not able to adopt cross origin isolation yet.

We’ve received lot’s of feedback that adopting COOP/COEP is hard (details below). Therefore I’m asking for your approval to extend the SAB reverse OT again from M103 until M113 (branch point 2023-03-23). This is an estimation - Can we come back to y'all in 6 months with a report on progress and usage to justify that extension and agree on the final milestone?


Experimental timeline / plan for all new capabilities needed to replace the OT

The SAB restriction in M92 went smoothly without any major issues in the wild because we offered the reverse OT. We’ve received lots of feedback that adopting COOP/COEP is hard and sometimes impossible. Therefore the reverse OT is currently the only way to enable SABs for some sites within Chromium. Chromestatus is showing that SABs in none COI context are being used on ~0.36% page loads.


This seems off by a factor of 10. The real number seems to be 0.036% or so, right? Can you highlight why it's important to extend for 10 more milestones for such a small percentage of traffic? Will the sites in question completely break for some reason, or just behave the same as in non-chromium browsers?
That's on me:  0.036% is correct!
Some sites use SAB to gain extra performance on chromium based browsers in some cases 3P content is using SABs. Some might work without the OT others will break based on how they identify their code path to be used.

The list of OT registrations is ~500 and most of them mentioned to be blocked by 3Ps to deploy COOP+COEP broadly.
We're happy to extend the OT to give them time to adopt. Do you (and/or other API owners) think this is not required based on the low usage?

Looking at the use counter data, usage was around 0.17% when the last request to extend this deprecation trial was made (in Sept of '21). Since then, it seems like usage decreased quite a lot but has been basically flat since November of '21 when it was at 0.031% (it's looks to have grown a tiny bit to 0.037% as of April).

Do we know who the 3Ps are who are holding back migration for the rest, and what their plans are?

Steve Hoek

unread,
May 2, 2022, 10:53:25 AM5/2/22
to blink-dev, mike...@chromium.org, blink-dev, cl...@chromium.org, va...@chromium.org, Chris Harrelson
Does this metric count sites that have opted into the rOT?  My company has a web product hosted under dozens of domains that has the rOT registered for each one of them.  I don't see those domains in the top 156 list (admittedly a quick scan), so I wonder if it is only counting pages that try to create SAB without any isolation _and_ without the rOT   ?

In our case, we have a proprietary rendering engine that uses multiple threads in a WASM context which infers use of SAB.  Our login integrations with our partners fails in COOP/COEP enabled, as does other third party services we use on the site such as GA, FB, chat and feedback services, etc.

Credentialless has helped in some cases, but anonymous iframes is what we're hoping for to resolve the rest of the flows, but that feature seems to be a bit stuck and unmoving at the moment from what we can tell.

Thanks
-shoek

Arthur Sonzogni

unread,
May 3, 2022, 6:06:00 AM5/3/22
to blink-dev, Steve Hoek, Mike Taylor, blink-dev, Camille Lamy, Lutz Vahl, Chris Harrelson

Does this metric count sites that have opted into the rOT?  My company has a web product hosted under dozens of domains that has the rOT registered for each one of them.  I don't see those domains in the top 156 list (admittedly a quick scan), so I wonder if it is only counting pages that try to create SAB without any isolation _and_ without the rOT   ?

I believe, for privacy reason, websites are only shown after a sufficient feature usage threshold. This metrics do not count directly site that have opted into the rOT. See code location. It counts page using SharedArrayBuffer, without being crossOriginIsolated. Only website that have registered for the reverse OT can do this more or less. So, 0.036% is the amount of page that would break without the rOT. However, the rOT users are probably an order of magnitude larger.
 
Credentialless has helped in some cases, but anonymous iframes is what we're hoping for to resolve the rest of the flows, but that feature seems to be a bit stuck and unmoving at the moment from what we can tell.

Happy to hear COEP:credentialless helped for simple third party ressources! For iframes, anonymous iframe is moving and will be ready soon. We aim for a M106 OT.

Yoav Weiss

unread,
May 4, 2022, 6:26:00 AM5/4/22
to blink-dev, Arthur Sonzogni, Steve Hoek, Mike Taylor, blink-dev, Camille Lamy, Lutz Vahl, Chris Harrelson
It seems appropriate to keep the Deprecation Trial until we shipped alternatives, but I tend to agree with Chris that 10 milestones sounds like a lot. Maybe we can renew the Deprecation Trial for 6 milestones (till M109), and revisit that once it's close to expiry?

Lutz Vahl

unread,
May 4, 2022, 7:00:12 AM5/4/22
to Yoav Weiss, blink-dev, Arthur Sonzogni, Steve Hoek, Mike Taylor, Camille Lamy, Chris Harrelson
Great suggestion Yoav!
Let's agree to extend the OT for now until M109 (6x MS) and I'll report back as soon as we've a clearer timeline.
Does that work for other API owners as well?


--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.

Chris Harrelson

unread,
May 4, 2022, 12:41:05 PM5/4/22
to Lutz Vahl, blink-dev, Camille Lamy
The API owners met today and discussed this Intent.

Overall, I'd summarize as saying that I think the API owners would only be comfortable extending the origin trial by 3 milestones at this time. (We have not yet approved that extension however; first I'd like to wait for an answer to the followup question inline below).

After that time, if you wish to extend it further, you'll need to show substantial additional progress towards shipping. For me, substantial progress could include "we rolled out more of the mechanisms to make it easy to migrate", "the number of reverse OT participants dropped substially", or "the use counter and list of sites at risk reduced substantially".

On Wed, Apr 27, 2022 at 9:27 AM Lutz Vahl <va...@chromium.org> wrote:


On Wed, Apr 27, 2022 at 5:14 PM Chris Harrelson <chri...@chromium.org> wrote:


On Wed, Apr 27, 2022 at 6:04 AM Lutz Vahl <va...@chromium.org> wrote:

Contact emails

va...@chromium.org cl...@chromium.org


Explainer

https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k


Specification

https://tc39.github.io/ecma262/#sec-sharedarraybuffer-objects


Design docs Including the new security requirements

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer

Discussion how and what to gate

https://github.com/whatwg/html/issues/4732


Summary

‘SharedArrayBuffers’ (SABs) on desktop platforms are restricted to cross-origin isolated environments, matching the behavior we've recently shipped on Android and Firefox. We've performed that change in Chrome 92. A reverse OT was started to give developers the option to use SABs in case they are not able to adopt cross origin isolation yet.

We’ve received lot’s of feedback that adopting COOP/COEP is hard (details below). Therefore I’m asking for your approval to extend the SAB reverse OT again from M103 until M113 (branch point 2023-03-23). This is an estimation - Can we come back to y'all in 6 months with a report on progress and usage to justify that extension and agree on the final milestone?


Experimental timeline / plan for all new capabilities needed to replace the OT

The SAB restriction in M92 went smoothly without any major issues in the wild because we offered the reverse OT. We’ve received lots of feedback that adopting COOP/COEP is hard and sometimes impossible. Therefore the reverse OT is currently the only way to enable SABs for some sites within Chromium. Chromestatus is showing that SABs in none COI context are being used on ~0.36% page loads.


This seems off by a factor of 10. The real number seems to be 0.036% or so, right? Can you highlight why it's important to extend for 10 more milestones for such a small percentage of traffic? Will the sites in question completely break for some reason, or just behave the same as in non-chromium browsers?
That's on me:  0.036% is correct!
Some sites use SAB to gain extra performance on chromium based browsers in some cases 3P content is using SABs. Some might work without the OT others will break based on how they identify their code path to be used.

The list of OT registrations is ~500 and most of them mentioned to be blocked by 3Ps to deploy COOP+COEP broadly.
We're happy to extend the OT to give them time to adopt. Do you (and/or other API owners) think this is not required based on the low usage?

Thanks for this information. Can you also share some examples of specific sites you're concerned about breaking and how they would break?

Lutz Vahl

unread,
May 6, 2022, 4:29:45 AM5/6/22
to Chris Harrelson, blink-dev, Camille Lamy
Hi API owners,

CIL.
PLMK in case you've additional questions.

On Wed, May 4, 2022 at 6:41 PM Chris Harrelson <chri...@chromium.org> wrote:
The API owners met today and discussed this Intent.

Overall, I'd summarize as saying that I think the API owners would only be comfortable extending the origin trial by 3 milestones at this time. (We have not yet approved that extension however; first I'd like to wait for an answer to the followup question inline below).
Happy to report back after the M106 branch point if we were able to start the OTs of Anonymous iframes and COI+popups. We'll not be able to report any impact of the use counters on stable at that time.

After that time, if you wish to extend it further, you'll need to show substantial additional progress towards shipping. For me, substantial progress could include "we rolled out more of the mechanisms to make it easy to migrate", "the number of reverse OT participants dropped substially", or "the use counter and list of sites at risk reduced substantially".
In the current OT time frame we've shipped COEP:credentialless - so there was substantial progress made. Nevertheless two pieces are still missing to make the adoption possible in all cases where we're working on finalizing the spec and the implementations. +Camille Lamy Is able to share more about the complexities involved and why this is taking so long.

On Wed, Apr 27, 2022 at 9:27 AM Lutz Vahl <va...@chromium.org> wrote:


On Wed, Apr 27, 2022 at 5:14 PM Chris Harrelson <chri...@chromium.org> wrote:


On Wed, Apr 27, 2022 at 6:04 AM Lutz Vahl <va...@chromium.org> wrote:

Contact emails

va...@chromium.org cl...@chromium.org


Explainer

https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k


Specification

https://tc39.github.io/ecma262/#sec-sharedarraybuffer-objects


Design docs Including the new security requirements

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer

Discussion how and what to gate

https://github.com/whatwg/html/issues/4732


Summary

‘SharedArrayBuffers’ (SABs) on desktop platforms are restricted to cross-origin isolated environments, matching the behavior we've recently shipped on Android and Firefox. We've performed that change in Chrome 92. A reverse OT was started to give developers the option to use SABs in case they are not able to adopt cross origin isolation yet.

We’ve received lot’s of feedback that adopting COOP/COEP is hard (details below). Therefore I’m asking for your approval to extend the SAB reverse OT again from M103 until M113 (branch point 2023-03-23). This is an estimation - Can we come back to y'all in 6 months with a report on progress and usage to justify that extension and agree on the final milestone?


Experimental timeline / plan for all new capabilities needed to replace the OT

The SAB restriction in M92 went smoothly without any major issues in the wild because we offered the reverse OT. We’ve received lots of feedback that adopting COOP/COEP is hard and sometimes impossible. Therefore the reverse OT is currently the only way to enable SABs for some sites within Chromium. Chromestatus is showing that SABs in none COI context are being used on ~0.36% page loads.


This seems off by a factor of 10. The real number seems to be 0.036% or so, right? Can you highlight why it's important to extend for 10 more milestones for such a small percentage of traffic? Will the sites in question completely break for some reason, or just behave the same as in non-chromium browsers?
That's on me:  0.036% is correct!
Some sites use SAB to gain extra performance on chromium based browsers in some cases 3P content is using SABs. Some might work without the OT others will break based on how they identify their code path to be used.

The list of OT registrations is ~500 and most of them mentioned to be blocked by 3Ps to deploy COOP+COEP broadly.
We're happy to extend the OT to give them time to adopt. Do you (and/or other API owners) think this is not required based on the low usage?

Thanks for this information. Can you also share some examples of specific sites you're concerned about breaking and how they would break?
I've shared Zoom and Google Earth already in the original post. The breakage is based on a performance drop in case pThreads are not available any more. Therefore the page (or parts of it) came unusable.

Arthur Hemery

unread,
May 6, 2022, 5:58:00 AM5/6/22
to blink-dev, va...@chromium.org, blink-dev, cl...@chromium.org, Chris Harrelson
Hi everyone I just wanted to chime in as the current owner of the COI with popups effort. Spec discussions have been extremely long since the topic is complex and other vendors don't have the same incentive, since they've completely disabled SAB. We're working hard on making this move forward but some of it is out of our control. We're doing as much implementation work in advance as possible, so that once we agree with Firefox it goes promptly.

PS: If you're working on a website that currently uses the reverse OT because it needs to interact with popups, feel free to reach out to me personally about your thoughts on the current proposal. Getting developers feedback will help make it move faster!

Chris Harrelson

unread,
May 10, 2022, 11:09:18 PM5/10/22
to Arthur Hemery, blink-dev, va...@chromium.org, cl...@chromium.org
LGTM to experiment for 3 additional milestones. I think this counts for sure as substantial progress.

Thank you for all the useful information and your dedication to doing right by the web and partner developers!


Lutz Vahl

unread,
May 11, 2022, 11:29:07 AM5/11/22
to Chris Harrelson, Arthur Hemery, blink-dev, cl...@chromium.org
Great, thanks Chris.
I'll report back in the next months. Shall I use this thread to do so or kick off a new one - any preferences?

Chris Harrelson

unread,
May 11, 2022, 2:08:14 PM5/11/22
to Lutz Vahl, Arthur Hemery, blink-dev, cl...@chromium.org
Reusing this thread would be totally fine.

Lutz Vahl

unread,
Jul 28, 2022, 11:36:19 AM7/28/22
to blink-dev, Arthur Hemery, cl...@chromium.org, Chris Harrelson
HI all,

coming back to this thread as discussed a while back.

Summary

‘SharedArrayBuffers’ (SABs) on desktop platforms are restricted to cross-origin isolated environments, matching the behavior we've recently shipped on Android and Firefox. We've performed that change in Chrome 92. A reverse OT was started to give developers the option to use SABs in case they are not able to adopt cross origin isolation yet.


Updates

We’ve received lots of feedback that adopting COOP/COEP is difficult (details above). Nevertheless we made substantial progress towards removing the usage - Chromestatus is showing that SABs in non-COI context are being used on ~0.026% page loads (down from >2.5%).


The API owners asked to prove substantial progress to allow an extension until M113 (3x MS after shipping the last feature), which I’m happy to share:

COEP:credentialless was shipped in M96. (Adoption is already increasing to 0.025% of main pages)


  1. COOP: restrict-properties - launch bug - I2E

Developers who depend on popups to 3P for e.g. identity or payment flows can’t currently deploy cross-origin-isolation. To allow crossOriginIsolated pages to use popup-based OAuth/payment flows, we plan to have a new COOP value: “restrict-properties” that enables crossOriginIsolation when used in conjunction with COEP. This new value restricts cross-window access to just postMessage and closed instead of completely severing popup access.


Spec work is ongoing (see discussion, and previous iteration PR) and requires partners input to convince Mozilla that it is the correct solution, ENG work is ongoing and we’re targeting M106 for OT and M110 to ship.


  1. Anonymous iframes and COEP reflection - launch bug - I2P - I2E

Anonymous iframes are a generalization of COEP credentialless to support 3rd party iframes that may not deploy COEP. Like with COEP credentialless, we replace the opt-in of cross-origin subresources by avoiding to load non-public resources. This will remove the constraint and will unblock developers to adopt cross-origin-isolation as soon as they’re embedding 3P iframes.


Based on the progress made for storage partitioning and CHIPs, which are needed to safely ship Anonymous iframes, we’re unblocked to start the OT in M106 and the rollout in Q3 2022 (M110).

The spec:

https://wicg.github.io/anonymous-iframe/#specification (PRs: 1,2,3)




PLMK if we can extend the OT until M113. Thanks.

Yoav Weiss

unread,
Aug 1, 2022, 7:57:48 AM8/1/22
to Lutz Vahl, blink-dev, Arthur Hemery, cl...@chromium.org, Chris Harrelson
If I'm reading the past thread comments correctly, the OT extension was approved until M106 (inclusive). Is that correct?

Lutz Vahl

unread,
Aug 1, 2022, 8:17:21 AM8/1/22
to Yoav Weiss, blink-dev, Arthur Hemery, cl...@chromium.org, Chris Harrelson
Yes, we've asked in the past already for M113 but it was only approved to M106 (including) until now.
Thus I've shared the progress made until now and the outlook.

Cheers,
Lutz

Yoav Weiss

unread,
Aug 1, 2022, 8:44:03 AM8/1/22
to Lutz Vahl, blink-dev, Arthur Hemery, cl...@chromium.org, Chris Harrelson
Given the evidence you presented, which shows significant progress, LGTM to experiment until M109 inclusive.

Please come back to this thread (with any future progress) if further extensions are needed.

Cheers :)
Yoav

Lutz Vahl

unread,
Aug 1, 2022, 8:58:20 AM8/1/22
to Yoav Weiss, blink-dev, Arthur Hemery, cl...@chromium.org, Chris Harrelson
Thanks, sure I'll come back before the M1909 branch cut to present progress if needed. See you soon :)

Lutz Vahl

unread,
Nov 9, 2022, 1:12:57 PM11/9/22
to Yoav Weiss, blink-dev, Arthur Hemery, cl...@chromium.org, Chris Harrelson
Hello API owners,

With the branch cut around the corner, I'm happy to present the progress made:

Summary

‘SharedArrayBuffers’ (SABs) on desktop platforms are restricted to cross-origin isolated environments, matching the behavior we've recently shipped on Android and Firefox. We've performed that change in Chrome 92. A reverse OT was started to give developers the option to use SABs in case they are not able to adopt cross origin isolation yet.


Updates

We’ve received lots of feedback that adopting COOP/COEP is difficult (details above). Nevertheless we made substantial progress towards removing the usage - Chromestatus is showing that SABs in non-COI context are being used on ~0.027% page loads (down from >2.5%).


The API owners asked to prove substantial progress to allow an extension until M113 (aimed OT start of the last feature), which I’m happy to share.

Once we’ve started the COOP:RP OT I’ll come back to this thread sharing feedback and the final deprecation timeline.

COEP:credentialless was shipped in M96. (Adoption is already increasing to 0.0032% of main pages)

Developers who depend on pop ups to 3P for e.g. identity or payment flows can’t currently deploy cross-origin-isolation. To allow crossOriginIsolated pages to use popup-based OAuth/payment flows, we plan to have a new COOP value: “restrict-properties” that enables crossOriginIsolation when used in conjunction with COEP. This new value restricts cross-window access to just postMessage and closed instead of completely severing popup access.


Spec work is ongoing (see discussion, and previous iteration PR) and requires partners input to convince others that it is the correct solution. Initial design and implementation met some issues and we got back to the design stage after missing the OT in 109. We are iterating on it with support from Chrome Security Architecture. See the design doc and this discussion doc for details. We are now planning to have an OT in early 2022. Other vendors and TAG need to be queried again for standardization once the new design is considered good, but that is not required to start the OT, since feedback will very likely have influence. This feature is the last puzzle piece to make COI adoption possible across various use cases. 



  1. Anonymous iframes - launch bug - I2P - I2E - I2S

Anonymous iframes are a generalization of COEP credentialless to support 3rd party iframes. Instead of waiting for the third party to opt-in into COEP, it allows the embedder to load the public version of iframe without requiring COEP. The anonymous iframe’s document is assigned a new and ephemeral storage/network/cookie partition.


The Anonymous iframes OT started in M106 and we’ve received positive feedback from developers. We would like to address issue/5 and enable the feature in M110




Cheers,
 Lutz

Lutz Vahl

unread,
Nov 21, 2022, 8:43:14 AM11/21/22
to Yoav Weiss, blink-dev, Arthur Hemery, cl...@chromium.org, Chris Harrelson
gentle ping. Any feedback on the request or are we good to extend?

Yoav Weiss

unread,
Nov 21, 2022, 8:45:17 AM11/21/22
to Lutz Vahl, blink-dev, Arthur Hemery, cl...@chromium.org, Chris Harrelson
Apologies for missing this! Can you send a new email with an extension request, so that this will get properly tracked by our tooling? Thanks!!

Lutz Vahl

unread,
Nov 21, 2022, 9:09:07 AM11/21/22