Add Enterprise Policy for DataUrlInWebWorkerOpaqueOriginEnabled [chromium/src : main]
0 views
Skip to first unread message
gwsq (Gerrit)
Apr 10, 2026, 2:58:04 AM (4 days ago) Apr 10
to Yoshisato Yanagisawa, Enterprise Policy Reviews, Victor Gabriel Savu, Pavol Marko, AyeAye, Chromium LUCI CQ, Arnaud Mandy, Chromium Metrics Reviews, chromium...@chromium.org, Kenneth R Christiansen, Wang, Wei4, devtools...@chromium.org, penghuan...@chromium.org, cblume...@chromium.org, asvitkine...@chromium.org, blink-work...@chromium.org, kinuko...@chromium.org
Attention needed from Pavol Marko and Victor Gabriel Savu
Message from gwsq![]( "Open in Gerrit")
Reviewer source(s):
pma...@chromium.org, vsavu is from context(chrome/enterprise/gwsq/enterprise-policy-review.gwsq)
Related details
Attention is currently required from:
- Pavol Marko
- Victor Gabriel Savu
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Victor Gabriel Savu (Gerrit)
Apr 10, 2026, 3:45:59 AM (4 days ago) Apr 10
to Yoshisato Yanagisawa, Enterprise Policy Reviews, Pavol Marko, android-bu...@system.gserviceaccount.com, Chromium LUCI CQ, Arnaud Mandy, Chromium Metrics Reviews, chromium...@chromium.org, Kenneth R Christiansen, Wang, Wei4, devtools...@chromium.org, penghuan...@chromium.org, cblume...@chromium.org, asvitkine...@chromium.org, blink-work...@chromium.org, kinuko...@chromium.org
Attention needed from Pavol Marko and Yoshisato Yanagisawa
Victor Gabriel Savu added 2 comments![]( "Open in Gerrit")
File components/policy/resources/templates/policy_definitions/Miscellaneous/DataUrlInWebWorkerOpaqueOriginEnabled.yaml
Line 3, Patchset 3 (Latest):
If this policy is set to Enabled or left unset, Web Workers created from data: URLs will have a unique opaque origin. This is aligned with the HTML specification and improves security.Victor Gabriel Savu . unresolved
Please include some background information. Ideally a link to more documentation for end users.
https://chromium.googlesource.com/chromium/src/+/HEAD/docs/enterprise/description_guidelines.md
Line 7, Patchset 3 (Latest):
This policy is intended to be temporary and will be removed in milestone 157.Victor Gabriel Savu . unresolved
Is the default values for this policy changing with its introduction?
Related details
Attention is currently required from:
- Pavol Marko
- Yoshisato Yanagisawa
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Yoshisato Yanagisawa (Gerrit)
Apr 12, 2026, 8:20:31 PM (2 days ago) Apr 12
to Enterprise Policy Reviews, Victor Gabriel Savu, Pavol Marko, android-bu...@system.gserviceaccount.com, Chromium LUCI CQ, Arnaud Mandy, Chromium Metrics Reviews, chromium...@chromium.org, Kenneth R Christiansen, Wang, Wei4, devtools...@chromium.org, penghuan...@chromium.org, cblume...@chromium.org, asvitkine...@chromium.org, blink-work...@chromium.org, kinuko...@chromium.org
Attention needed from Pavol Marko and Victor Gabriel Savu
Yoshisato Yanagisawa added 2 comments![]( "Open in Gerrit")
File components/policy/resources/templates/policy_definitions/Miscellaneous/DataUrlInWebWorkerOpaqueOriginEnabled.yaml
Line 3, Patchset 3:
If this policy is set to Enabled or left unset, Web Workers created from data: URLs will have a unique opaque origin. This is aligned with the HTML specification and improves security.Victor Gabriel Savu . unresolved
Please include some background information. Ideally a link to more documentation for end users.
https://chromium.googlesource.com/chromium/src/+/HEAD/docs/enterprise/description_guidelines.md
Yoshisato Yanagisawa
I've updated the description to include a comprehensive Background paragraph that explains what a data: URL worker is and how the origin behavior is changing. Since there isn't a dedicated, admin-friendly external explainer for this specific security fix, providing the context directly inline in the policy description seemed like the most helpful approach for IT admins.
Line 7, Patchset 3:
This policy is intended to be temporary and will be removed in milestone 157.Victor Gabriel Savu . unresolved
Is the default values for this policy changing with its introduction?
Yoshisato Yanagisawa
Yes, Chrome's default behavior is changing (we are making the origins opaque by default), which is why this escape hatch policy is being introduced. I made sure the new description explicitly mentions that Chrome is changing its default behavior to clarify this point.
Related details
Attention is currently required from:
- Pavol Marko
- Victor Gabriel Savu
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Victor Gabriel Savu (Gerrit)
Apr 13, 2026, 8:48:09 AM (yesterday) Apr 13
to Yoshisato Yanagisawa, Enterprise Policy Reviews, Pavol Marko, android-bu...@system.gserviceaccount.com, chromiu...@luci-project-accounts.iam.gserviceaccount.com, Arnaud Mandy, Chromium Metrics Reviews, chromium...@chromium.org, Kenneth R Christiansen, Wang, Wei4, devtools...@chromium.org, penghuan...@chromium.org, cblume...@chromium.org, asvitkine...@chromium.org, blink-work...@chromium.org, kinuko...@chromium.org
Attention needed from Pavol Marko and Yoshisato Yanagisawa
Victor Gabriel Savu voted and added 4 comments![]( "Open in Gerrit")
Votes added by Victor Gabriel Savu
| Code-Review | +1 |
4 comments
File components/policy/resources/templates/policy_definitions/Miscellaneous/DataUrlInWebWorkerOpaqueOriginEnabled.yaml
Line 3, Patchset 3:
If this policy is set to Enabled or left unset, Web Workers created from data: URLs will have a unique opaque origin. This is aligned with the HTML specification and improves security.Victor Gabriel Savu . resolved
Yoshisato YanagisawaPlease include some background information. Ideally a link to more documentation for end users.
https://chromium.googlesource.com/chromium/src/+/HEAD/docs/enterprise/description_guidelines.md
I've updated the description to include a comprehensive Background paragraph that explains what a data: URL worker is and how the origin behavior is changing. Since there isn't a dedicated, admin-friendly external explainer for this specific security fix, providing the context directly inline in the policy description seemed like the most helpful approach for IT admins.
Victor Gabriel Savu
Acknowledged
Line 5, Patchset 5 (Latest):
Web Workers can be created using a data: URL containing the worker's script. Previously, these workers inherited the origin of the page that created them, allowing them to access the same local storage, cookies, and other origin-bound data. To improve security and align with the HTML specification, Chrome is changing its default behavior so that workers created from data: URLs will now have a unique, opaque origin. This isolates them from the creator page's data.Victor Gabriel Savu . unresolved
I think `data:`, specifically the `:` needs to be escaped or dropped from here and below.
Line 5, Patchset 5 (Latest):
Web Workers can be created using a data: URL containing the worker's script. Previously, these workers inherited the origin of the page that created them, allowing them to access the same local storage, cookies, and other origin-bound data. To improve security and align with the HTML specification, Chrome is changing its default behavior so that workers created from data: URLs will now have a unique, opaque origin. This isolates them from the creator page's data.Victor Gabriel Savu . unresolved
Be specific about the version.
Chrome is changing its default in MXXX ...
Line 7, Patchset 3:
This policy is intended to be temporary and will be removed in milestone 157.Victor Gabriel Savu . resolved
Yoshisato YanagisawaIs the default values for this policy changing with its introduction?
Yes, Chrome's default behavior is changing (we are making the origins opaque by default), which is why this escape hatch policy is being introduced. I made sure the new description explicitly mentions that Chrome is changing its default behavior to clarify this point.
Attention is currently required from:
- Pavol Marko
- Yoshisato Yanagisawa
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Pavol Marko (Gerrit)
4:48 AM (7 hours ago) 4:48 AM
to Yoshisato Yanagisawa, Victor Gabriel Savu, Enterprise Policy Reviews, android-bu...@system.gserviceaccount.com, chromiu...@luci-project-accounts.iam.gserviceaccount.com, Arnaud Mandy, Chromium Metrics Reviews, chromium...@chromium.org, Kenneth R Christiansen, Wang, Wei4, devtools...@chromium.org, penghuan...@chromium.org, cblume...@chromium.org, asvitkine...@chromium.org, blink-work...@chromium.org, kinuko...@chromium.org
Attention needed from Yoshisato Yanagisawa
Pavol Marko added 3 comments![]( "Open in Gerrit")
File components/policy/resources/templates/policy_definitions/Miscellaneous/DataUrlInWebWorkerOpaqueOriginEnabled.yaml
Line 7, Patchset 5 (Latest):
If this policy is set to Enabled or left unset, the new secure behavior is used, and Web Workers created from data: URLs will have a unique opaque origin.Pavol Marko . unresolved
Should this say the "new default (more secure) behavior" ?
Line 15, Patchset 5 (Latest):
dynamic_refresh: falsePavol Marko . unresolved
Is it ? Will a change not affect new page loads?
Line 18, Patchset 5 (Latest):
- caption: 'Opaque origins for data: URLs in Web Workers are enabled'Pavol Marko . unresolved
Consider adding " (new default behavior)" and " (deprecated legacy behavior)" here and below
Related details
Attention is currently required from:
- Yoshisato Yanagisawa
Yoshisato Yanagisawa (Gerrit)
7:05 AM (5 hours ago) 7:05 AM
to Victor Gabriel Savu, Enterprise Policy Reviews, Pavol Marko, android-bu...@system.gserviceaccount.com, chromiu...@luci-project-accounts.iam.gserviceaccount.com, Arnaud Mandy, Chromium Metrics Reviews, chromium...@chromium.org, Kenneth R Christiansen, Wang, Wei4, chrome-intelligence-te...@google.com, chrome-intell...@chromium.org, devtools...@chromium.org, penghuan...@chromium.org, cblume...@chromium.org, asvitkine...@chromium.org, blink-work...@chromium.org, kinuko...@chromium.org
Attention needed from Pavol Marko and Victor Gabriel Savu
Yoshisato Yanagisawa added 5 comments![]( "Open in Gerrit")
File components/policy/resources/templates/policy_definitions/Miscellaneous/DataUrlInWebWorkerOpaqueOriginEnabled.yaml
Line 5, Patchset 5:
Web Workers can be created using a data: URL containing the worker's script. Previously, these workers inherited the origin of the page that created them, allowing them to access the same local storage, cookies, and other origin-bound data. To improve security and align with the HTML specification, Chrome is changing its default behavior so that workers created from data: URLs will now have a unique, opaque origin. This isolates them from the creator page's data.Victor Gabriel Savu . resolved
Be specific about the version.
Chrome is changing its default in MXXX ...
Yoshisato Yanagisawa
Done
Line 5, Patchset 5:
Web Workers can be created using a data: URL containing the worker's script. Previously, these workers inherited the origin of the page that created them, allowing them to access the same local storage, cookies, and other origin-bound data. To improve security and align with the HTML specification, Chrome is changing its default behavior so that workers created from data: URLs will now have a unique, opaque origin. This isolates them from the creator page's data.Victor Gabriel Savu . resolved
I think `data:`, specifically the `:` needs to be escaped or dropped from here and below.
Yoshisato Yanagisawa
Done
Line 7, Patchset 5:
If this policy is set to Enabled or left unset, the new secure behavior is used, and Web Workers created from data: URLs will have a unique opaque origin.Pavol Marko . resolved
Should this say the "new default (more secure) behavior" ?
Yoshisato Yanagisawa
Done
Is it ? Will a change not affect new page loads?
Yoshisato Yanagisawa
You are right. Fixed.
Line 18, Patchset 5:
- caption: 'Opaque origins for data: URLs in Web Workers are enabled'Pavol Marko . resolved
Consider adding " (new default behavior)" and " (deprecated legacy behavior)" here and below
Attention is currently required from:
- Pavol Marko
- Victor Gabriel Savu
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Victor Gabriel Savu (Gerrit)
7:13 AM (5 hours ago) 7:13 AM
to Yoshisato Yanagisawa, Enterprise Policy Reviews, Pavol Marko, android-bu...@system.gserviceaccount.com, chromiu...@luci-project-accounts.iam.gserviceaccount.com, Arnaud Mandy, Chromium Metrics Reviews, chromium...@chromium.org, Kenneth R Christiansen, Wang, Wei4, chrome-intelligence-te...@google.com, chrome-intell...@chromium.org, devtools...@chromium.org, penghuan...@chromium.org, cblume...@chromium.org, asvitkine...@chromium.org, blink-work...@chromium.org, kinuko...@chromium.org
Attention needed from Pavol Marko and Yoshisato Yanagisawa
Victor Gabriel Savu voted Code-Review+1![]( "Open in Gerrit")
Attention is currently required from:
- Pavol Marko
- Yoshisato Yanagisawa
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Pavol Marko (Gerrit)
7:26 AM (4 hours ago) 7:26 AM
to Yoshisato Yanagisawa, Victor Gabriel Savu, Enterprise Policy Reviews, android-bu...@system.gserviceaccount.com, chromiu...@luci-project-accounts.iam.gserviceaccount.com, Arnaud Mandy, Chromium Metrics Reviews, chromium...@chromium.org, Kenneth R Christiansen, Wang, Wei4, chrome-intelligence-te...@google.com, chrome-intell...@chromium.org, devtools...@chromium.org, penghuan...@chromium.org, cblume...@chromium.org, asvitkine...@chromium.org, blink-work...@chromium.org, kinuko...@chromium.org
Attention needed from Yoshisato Yanagisawa
Pavol Marko voted Code-Review+1![]( "Open in Gerrit")
| Code-Review | +1 |
Related details
Attention is currently required from:
- Yoshisato Yanagisawa
Yoshisato Yanagisawa (Gerrit)
9:34 AM (2 hours ago) 9:34 AM
to Rakina Zata Amni, Pavol Marko, Victor Gabriel Savu, Enterprise Policy Reviews, android-bu...@system.gserviceaccount.com, chromiu...@luci-project-accounts.iam.gserviceaccount.com, Arnaud Mandy, Chromium Metrics Reviews, chromium...@chromium.org, Kenneth R Christiansen, Wang, Wei4, chrome-intelligence-te...@google.com, chrome-intell...@chromium.org, devtools...@chromium.org, penghuan...@chromium.org, cblume...@chromium.org, asvitkine...@chromium.org, blink-work...@chromium.org, kinuko...@chromium.org
Attention needed from Rakina Zata Amni
Yoshisato Yanagisawa added 1 comment![]( "Open in Gerrit")
Patchset-level comments
File-level comment, Patchset 7 (Latest):
Yoshisato Yanagisawa . resolved
Rakina: will you review content_browser_client.*?
Related details
Attention is currently required from:
- Rakina Zata Amni
Submit Requirements:
Code-Coverage
Code-Owners
Code-Review
Review-Enforcement
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages