Intent to Prototype: cross-origin isolation


Yutaka Hirano

Jun 14, 2020, 11:28:49 PM
to blink-dev
yhi...@chromium.org TBD Specification:

(This is related, but different from origin isolation.)

1. Use origin instead of site as agent cluster key for cross-origin isolated agent clusters. document.domain mutation is no-op for agents in cross-origin isolated agent clusters.
2. Introduce cross-origin isolated permission (https://w3c.github.io/webappsec-feature-policy/).
3. Introduce self.crossOriginIsolated returning whether the surrounding agent cluster is cross-origin isolated and the environment has the cross-origin isolated permission.

1. allows origin isolation (instead of site isolation) for cross-origin isolated agent clusters. This is an incremental step of a long-term security improvement (see https://docs.google.com/document/d/1dnUjxfGWnvhQEIyCZb0F2LmCZ9gio6ogu2rhMGqi6gY/edit#heading=h.thm6zozaav55).
2. allows web developers to control whether child frames can use powerful APIs such as SharedArrayBuffer and the memory measurement API.
3. allows web developers to see if they can use the powerful APIs.

Firefox: Public support (https://github.com/whatwg/html/issues/4872)
Edge: No public signals
Safari: No public signals
Web developers: No signals
N/A Yes No We'll add more tests. https://www.chromestatus.com/feature/5953286387531776  

Yoav Weiss

Jun 15, 2020, 6:31:52 AM
to Yutaka Hirano, blink-dev
Thanks for working on this! :)

On Mon, Jun 15, 2020 at 5:28 AM Yutaka Hirano <yhi...@chromium.org> wrote:
> yhi...@chromium.org TBD Specification:
>
> (This is related, but different from origin isolation.)
>
> 1. Use origin instead of site as agent cluster key for cross-origin isolated agent clusters. document.domain mutation is no-op for agents in cross-origin isolated agent clusters.
> 2. Introduce cross-origin isolated permission (https://w3c.github.io/webappsec-feature-policy/).
> 3. Introduce self.crossOriginIsolated returning whether the surrounding agent cluster is cross-origin isolated and the environment has the cross-origin isolated permission.
>
> 1. allows origin isolation (instead of site isolation) for cross-origin isolated agent clusters. This is an incremental step of a long-term security improvement (see https://docs.google.com/document/d/1dnUjxfGWnvhQEIyCZb0F2LmCZ9gio6ogu2rhMGqi6gY/edit#heading=h.thm6zozaav55).
> 2. allows web developers to control whether child frames can use powerful APIs such as SharedArrayBuffer and the memory measurement API.
> 3. allows web developers to see if they can use the powerful APIs.

Would shipping this also involve restricting some APIs (e.g. SAB) to isolated clusters?
Or would that be a separate intent?

> Firefox: Public support (https://github.com/whatwg/html/issues/4872)
> Edge: No public signals
> Safari: No public signals
> Web developers: No signals
> N/A Yes No We'll add more tests. https://www.chromestatus.com/feature/5953286387531776


Yutaka Hirano

Jun 15, 2020, 6:35:24 AM
to Yoav Weiss, blink-dev
That will be a separate intent.

Anne van Kesteren

Jun 15, 2020, 6:58:24 AM
to Yutaka Hirano, Yoav Weiss, blink-dev
On Mon, Jun 15, 2020 at 12:35 PM Yutaka Hirano <yhi...@chromium.org> wrote:
> That will be a separate intent.

But presumably this will impact who a SharedArrayBuffer can be shared
with, right? In particular, they can no longer go
cross-origin-same-site within a cross-origin isolated environment.

Yutaka Hirano

Jun 15, 2020, 7:08:31 AM
to Anne van Kesteren, Yoav Weiss, blink-dev
Originally I thought Yoav was talking about disabling SAB on non-cross-origin isolated agent clusters. This intent doesn't include that.
After reading Anne's comment it seems I misunderstood Yoav's comment. 

This is true. cross-origin-same-site agents will belong to different agent clusters when cross-origin isolated, and sharing SAB between the agents will no longer be possible.
This change is included in this intent.

 

Yoav Weiss

Jun 15, 2020, 7:52:36 AM
to Yutaka Hirano, Anne van Kesteren, blink-dev
On Mon, Jun 15, 2020 at 1:08 PM Yutaka Hirano <yhi...@chromium.org> wrote:
> Originally I thought Yoav was talking about disabling SAB on non-cross-origin isolated agent clusters. This intent doesn't include that.
> After reading Anne's comment it seems I misunderstood Yoav's comment.
 
I think you properly answered my question, but Anne raised a separate, valid point :)
 

> On Mon, Jun 15, 2020 at 7:58 PM Anne van Kesteren <ann...@annevk.nl> wrote:
>> On Mon, Jun 15, 2020 at 12:35 PM Yutaka Hirano <yhi...@chromium.org> wrote:
>>> That will be a separate intent.
>>
>> But presumably this will impact who a SharedArrayBuffer can be shared
>> with, right? In particular, they can no longer go
>> cross-origin-same-site within a cross-origin isolated environment.
>
> This is true. cross-origin-same-site agents will belong to different agent clusters when cross-origin isolated, and sharing SAB between the agents will no longer be possible.
> This change is included in this intent.

Do we expect a lot of existing SAB-using sites that will have to adapt to that change? If so, might be worthwhile to add use counters for that now.


 

Yutaka Hirano

Jun 15, 2020, 7:58:29 AM
to Yoav Weiss, Anne van Kesteren, blink-dev
But this change affects only cross-origin isolated environments (i.e., sites using COOP & COEP). It's true that this is a breaking change, but I don't think we'll break many sites.
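
A simplified model of the keying change discussed in this thread, added here as an illustration; it is not code from Chromium or from any participant. The function names are hypothetical, the hostnames are constructed, "site" is approximated as scheme plus the last two host labels (browsers use the Public Suffix List), and the COOP/COEP opt-in is modelled as `same-origin` plus `require-corp`.

```javascript
// Model: which agent cluster a document lands in, and whether two documents
// can share a SharedArrayBuffer, with and without cross-origin isolation.

function site(url) {
  const u = new URL(url);
  // Assumption: registrable domain = last two labels (no Public Suffix List).
  return `${u.protocol}//${u.hostname.split('.').slice(-2).join('.')}`;
}

// A top-level response opts in with both COOP and COEP headers.
function isIsolated(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    // Keep only the policy token; drop parameters such as report-to.
    h[name.toLowerCase()] = value.split(';')[0].trim().toLowerCase();
  }
  return h['cross-origin-opener-policy'] === 'same-origin' &&
         h['cross-origin-embedder-policy'] === 'require-corp';
}

// Item 1 of the intent: origin, not site, is the key when isolated.
function agentClusterKey(url, isolated) {
  return isolated ? new URL(url).origin : site(url);
}

// A SharedArrayBuffer can only be shared within a single agent cluster.
function canShareSAB(urlA, urlB, isolated) {
  return agentClusterKey(urlA, isolated) === agentClusterKey(urlB, isolated);
}

// Item 3: self.crossOriginIsolated needs an isolated cluster AND the permission.
function crossOriginIsolatedValue(isolated, hasPermission) {
  return isolated && hasPermission;
}

// Constructed sample: a page and a cross-origin, same-site frame.
const page = 'https://app.example.test/';
const frame = 'https://cdn.example.test/widget';
const isolated = isIsolated({
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'require-corp',
});
console.log('not isolated, share SAB:', canShareSAB(page, frame, false));
console.log('isolated, share SAB:', canShareSAB(page, frame, isolated));
```
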

 

 