Intent to Ship: cross-origin isolation

206 views
Skip to first unread message

Arthur Hemery

unread,
Sep 28, 2020, 11:24:37 AM9/28/20
to blin...@chromium.org

Contact emails

ahe...@chromium.org, yhi...@chromium.org


Explainer

Explainer for COOP/COEP, from which it is derived.


Summary
As a general rule, a page is said to be cross-origin isolated if it has both COOP set to “same-origin” and COEP set to “require-corp”. Cross-origin isolation itself is a three part change:

1. Use origin instead of site as agent cluster key for cross-origin isolated agent clusters. document.domain mutation is no-op for agents in cross-origin isolated agent clusters.


2. Introduce cross-origin isolated permission (https://w3c.github.io/webappsec-feature-policy/).


3. Introduce self.crossOriginIsolated returning whether the surrounding agent cluster is cross-origin isolated and the environment has the cross-origin isolated permission.

Note: Service Worker support is still under active development due to unforeseen complexities.
This complementary part is expected to be fully complete in 88 or 89.


Specification

https://html.spec.whatwg.org/multipage/webappapis.html#obtain-similar-origin-window-agent

https://html.spec.whatwg.org/multipage/infrastructure.html#cross-origin-isolated-feature

https://html.spec.whatwg.org/multipage/webappapis.html#dom-crossoriginisolated

https://heycam.github.io/webidl/#CrossOriginIsolated for the interfaces working with crossOriginIsolated.


Design docs

https://docs.google.com/document/d/1QyAGuwxoX1MrrPqOpAr84zhX0_YB7kOD2w8azvq45ME/edit#

https://docs.google.com/document/u/1/d/1OFaz1Txi4ynFLmRqNTLFF3qd6jm4kK4GkJdmgr5_aZA/edit?usp=sharing


Blink component

Blink>SecurityFeature


TAG review

None. This is not a new feature, but instead an update of our implementation to match previously-agreed-upon and specified security consequences of existing, already-reviewed features (the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy headers). There is some discussion about the combination of those, and their impact on enabling powerful features, in https://github.com/w3ctag/design-reviews/issues/471.


TAG review status

Not applicable


Risks

 

 

Interoperability and Compatibility

This change has a compatibility risk, as (1) is a breaking change.

The risk should be small, given only the web developers who have already enabled COOP+COEP are affected, and according to https://mitigation.supply/ the number is still small (0.00127% for COEP: require-corp).

 

 

Gecko: Shipped/Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1591892)

 

WebKit: No signal

 

Web developers: No signals

 

Security

This is security positive, comes with a bunch of restrictions regarding processes, document.domain, etc. Pushes COOP/COEP usage which is also security positive.



Debuggability

Already working with devtools on COOP and COEP which enable this feature.


Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?

No COOP/COEP and hence crossOriginIsolated are not supported in Webview.


Is this feature fully tested by web-platform-tests?

Yes


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1018680


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5690888397258752



Mike West

unread,
Sep 28, 2020, 11:56:59 AM9/28/20
to blink-dev, Arthur Hemery
LGTM1. This is a pretty critical part of the story we want to be telling around the defensible security boundaries developers can expect the browser to enforce in the face of side-channel attacks. It's a clear continuation of the intents to ship COOP and COEP, and is a primitive that other features (like `performance.memoryManagement`) are conceptually relying upon. I'm happy we're following Firefox's implementation with our own.

I wouldn't frame this as a breaking change. Opting into COOP/COEP is supposed to prevent `document.domain` from relaxing the page's security boundary beyond the origin; that's part of what developers are opting-into. The fact that we aren't doing this today is a security issue in our initial implementation that's resolved by this intent. :)

Gecko: Shipped/Shipping (https://bugzilla.mozilla.org/show_bug.cgi?id=1591892)

 

WebKit: No signal


It would likely be a good idea to drop our friends at WebKit a line again to ask about their plans, now that Firefox and Chromium both have implementations of COOP/COEP and the underlying isolation model.

Web developers: No signals


FWIW, developers on Google's security team are excited about this mechanism as a mitigation for some exciting side-channel attacks that are otherwise difficult to defend against. They're doing the work to roll out COOP and COEP in order to obtain exactly this security boundary.

Yoav Weiss

unread,
Sep 30, 2020, 10:31:31 AM9/30/20
to Mike West, blink-dev, Arthur Hemery
LGTM2

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/3a9ab02f-9b1c-41d2-917c-e1761f83d9a1n%40chromium.org.

Chris Harrelson

unread,
Sep 30, 2020, 11:29:12 AM9/30/20
to Yoav Weiss, Mike West, blink-dev, Arthur Hemery
Reply all
Reply to author
Forward
0 new messages