Intent to Ship: cross-origin isolation


Arthur Hemery

Sep 28, 2020, 11:24:37 AM
to blin...@chromium.org

Contact emails

ahe...@chromium.org, yhi...@chromium.org


Explainer

Explainer for COOP/COEP, from which it is derived.


Summary
As a general rule, a page is said to be cross-origin isolated if it has both COOP set to “same-origin” and COEP set to “require-corp”. Cross-origin isolation itself is a three-part change:

1. Use origin instead of site as agent cluster key for cross-origin isolated agent clusters. document.domain mutation is a no-op for agents in cross-origin isolated agent clusters.


2. Introduce cross-origin isolated permission (https://w3c.github.io/webappsec-feature-policy/).


3. Introduce self.crossOriginIsolated returning whether the surrounding agent cluster is cross-origin isolated and the environment has the cross-origin isolated permission.

Note: Service Worker support is still under active development due to unforeseen complexities.
This complementary part is expected to be fully complete in 88 or 89.


Specification

https://html.spec.whatwg.org/multipage/webappapis.html#obtain-similar-origin-window-agent

https://html.spec.whatwg.org/multipage/infrastructure.html#cross-origin-isolated-feature

https://html.spec.whatwg.org/multipage/webappapis.html#dom-crossoriginisolated

https://heycam.github.io/webidl/#CrossOriginIsolated for the interfaces working with crossOriginIsolated.


Design docs

https://docs.google.com/document/d/1QyAGuwxoX1MrrPqOpAr84zhX0_YB7kOD2w8azvq45ME/edit#

https://docs.google.com/document/u/1/d/1OFaz1Txi4ynFLmRqNTLFF3qd6jm4kK4GkJdmgr5_aZA/edit?usp=sharing


Blink component

Blink>SecurityFeature


TAG review

None. This is not a new feature, but instead an update of our implementation to match previously-agreed-upon and specified security consequences of existing, already-reviewed features (the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy headers). There is some discussion about the combination of those, and their impact on enabling powerful features, in https://github.com/w3ctag/design-reviews/issues/471.


TAG review status

Not applicable


Risks

Interoperability and Compatibility

This change has a compatibility risk, as (1) is a breaking change.

The risk should be small, given only the web developers who have already enabled COOP+COEP are affected, and according to https://mitigation.supply/ the number is still small (0.00127% for COEP: require-corp).

Gecko: Shipped/Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1591892)

WebKit: No signal

Web developers: No signals

Security

This is security positive and comes with a bunch of restrictions regarding processes, document.domain, etc. It pushes COOP/COEP usage, which is also security positive.



Debuggability

Already working with DevTools on COOP and COEP, which enable this feature.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No. COOP/COEP, and hence crossOriginIsolated, are not supported in WebView.


Is this feature fully tested by web-platform-tests?

Yes


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1018680


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5690888397258752
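
The Summary above gives the rule a deployer has to satisfy: a top-level document is cross-origin isolated only when it is served with both Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: require-corp. The following is an added example, not code from this intent or from Chromium: a small Node.js helper that reads a response's headers and reports whether the resulting page would qualify, plus the header pair a server sets to opt in. The header names and values are the real ones; the helper names (policyToken, header, evaluateIsolation, crossOriginIsolationHeaders) and the sample responses are constructed for the example. It models only the header condition for a top-level document; the cross-origin-isolated permission that points (2) and (3) add for embedded environments is not modelled.

```javascript
// Added example (not part of the intent, and not Chromium's code): decide from
// a top-level document's response headers whether the page will be
// cross-origin isolated, i.e. whether it carries both
//   Cross-Origin-Opener-Policy: same-origin
//   Cross-Origin-Embedder-Policy: require-corp
// Helper names and sample responses are constructed for this example.

// Both headers carry a structured-header item: a token, optionally followed by
// parameters such as `; report-to="endpoint"`. Return the bare token, or null
// when the header is absent or empty (a browser then applies the default
// policy, `unsafe-none`). Values are compared exactly as the specs spell them.
function policyToken(headerValue) {
  if (headerValue === undefined || headerValue === null) return null;
  const token = String(headerValue).split(';')[0].trim();
  return token === '' ? null : token;
}

// Case-insensitive header lookup over a plain object, such as the object that
// Node's `res.getHeaders()` or an HTTP client library returns.
function header(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return Array.isArray(value) ? value[0] : value;
  }
  return undefined;
}

// Evaluate the headers of a top-level document. Returns the effective COOP and
// COEP values, the verdict, and the reasons when the page does not qualify.
function evaluateIsolation(headers) {
  const coop = policyToken(header(headers, 'Cross-Origin-Opener-Policy')) || 'unsafe-none';
  const coep = policyToken(header(headers, 'Cross-Origin-Embedder-Policy')) || 'unsafe-none';
  const reasons = [];
  if (coop !== 'same-origin') reasons.push(`COOP is "${coop}", need "same-origin"`);
  if (coep !== 'require-corp') reasons.push(`COEP is "${coep}", need "require-corp"`);
  return { coop, coep, crossOriginIsolated: reasons.length === 0, reasons };
}

// The header pair a server sets to opt in. Deployment caveat: under
// COEP: require-corp every cross-origin subresource must itself opt in via
// Cross-Origin-Resource-Policy or CORS, otherwise it fails to load.
function crossOriginIsolationHeaders() {
  return {
    'Cross-Origin-Opener-Policy': 'same-origin',
    'Cross-Origin-Embedder-Policy': 'require-corp',
  };
}

// Constructed sample responses (header names in the mixed casing a client
// library might hand back).
const SAMPLE_RESPONSES = {
  isolated: {
    'cross-origin-opener-policy': 'same-origin; report-to="coop-endpoint"',
    'cross-origin-embedder-policy': 'require-corp',
  },
  popups: {
    'Cross-Origin-Opener-Policy': 'same-origin-allow-popups',
    'Cross-Origin-Embedder-Policy': 'require-corp',
  },
  noCoep: { 'Cross-Origin-Opener-Policy': 'same-origin' },
  none: {},
};

// One line per sample response, for a quick look when run directly.
function summarize(responses = SAMPLE_RESPONSES) {
  return Object.entries(responses).map(([name, headers]) => {
    const r = evaluateIsolation(headers);
    return `${name}: ${r.crossOriginIsolated ? 'cross-origin isolated' : r.reasons.join('; ')}`;
  });
}

console.log(summarize().join('\n'));
```

In the browser the authoritative check is the one the intent introduces, `self.crossOriginIsolated`; this helper only predicts it from the headers before deployment. Note that `same-origin-allow-popups` does not qualify, and that under point (1) above an assignment to `document.domain` in a qualifying page no longer relaxes the origin boundary.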



Mike West

Sep 28, 2020, 11:56:59 AM
to blink-dev, Arthur Hemery
LGTM1. This is a pretty critical part of the story we want to be telling around the defensible security boundaries developers can expect the browser to enforce in the face of side-channel attacks. It's a clear continuation of the intents to ship COOP and COEP, and is a primitive that other features (like `performance.memoryManagement`) are conceptually relying upon. I'm happy we're following Firefox's implementation with our own.

I wouldn't frame this as a breaking change. Opting into COOP/COEP is supposed to prevent `document.domain` from relaxing the page's security boundary beyond the origin; that's part of what developers are opting-into. The fact that we aren't doing this today is a security issue in our initial implementation that's resolved by this intent. :)

Gecko: Shipped/Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1591892)


WebKit: No signal


It would likely be a good idea to drop our friends at WebKit a line again to ask about their plans, now that Firefox and Chromium both have implementations of COOP/COEP and the underlying isolation model.

Web developers: No signals


FWIW, developers on Google's security team are excited about this mechanism as a mitigation for some exciting side-channel attacks that are otherwise difficult to defend against. They're doing the work to roll out COOP and COEP in order to obtain exactly this security boundary.

Yoav Weiss

Sep 30, 2020, 10:31:31 AM
to Mike West, blink-dev, Arthur Hemery
LGTM2


Chris Harrelson

Sep 30, 2020, 11:29:12 AM
to Yoav Weiss, Mike West, blink-dev, Arthur Hemery