Intent to Prototype: COOP same-origin-allow-popups-plus-coep

[Camille Lamy]

Contact emails

cl...@chromium.org

Explainer

https://github.com/camillelamy/explainers/blob/master/coi-with-popups.md

Specification

None

Summary

To make crossOriginIsolation easier to deploy on sites with OAuth/payment flows relying on popups, we would like Cross-Origin-Opener-Policy: same-origin-allow-popups to also enable crossOriginIsolation when served with an appropriate Cross-Origin-Embedder-Policy header. This would introduce a new COOP mode, with a few restrictions compared to regular COOP same-origin-allow-popups. However, this mode would be crossOriginIsolated, while still having access to any popup it opens through window.post

Blink component

Blink>SecurityFeature

Motivation

Sites that wish to continue using SharedArrayBuffer must opt-into cross-origin isolation. Among other things, cross-origin isolation will prevent cross-origin popups from having access to their opener. This behavior ships today in Firefox, and Chrome aims to ship it as well in Chrome 92. As part of crossOriginIsolation, websites must send a Cross-Origin-Opener-Policy: same-origin header. COOP same-origin prevents pages with different top-level origins from being able to communicate with each other. This breaks many OAuth or payment flows that rely on opening a cross-origin popup that will communicate back with the page through window.postMessage for example. APIs like WebID or WebPayments will eventually solve the issue by providing developers with a way to build robust OAuth or payment flows without pop-ups through browser mediation. However, these APIs are not there yet, and will require significant changes from OAuth/Payment flow providers and users. we would like to find a solution that helps websites deploy COOP without having to implement a lot of changes to their websites.

Initial public proposal

https://github.com/whatwg/html/issues/6364

TAG review

None

TAG review status

Pending

Risks

Interoperability and Compatibility

None

Gecko: No signal

WebKit: No signal

Web developers: No signals

Is this feature fully tested by web-platform-tests?

No

Flag name

None

Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1221127

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5731309970259968

This intent message was generated by Chrome Platform Status.

[Yang Guo]

Is there any consideration wrt tooling/debugging? E.g. should we surface an issue in DevTools if a popup has been blocked from accessing its opener?