A threat model of cross-origin isolation


Artur Janc

Jan 15, 2021, 1:00:47 PM
to WebAppSec WG, isolation-policy, Anne van Kesteren, Mike West, Charlie Reis, Łukasz Anforowicz
Hey folks,

The notion of cross-origin isolation (COI), achieved by setting both Cross-Origin Opener Policy and Cross-Origin Embedder Policy, is core to the web's ability to safely allow access to APIs which could otherwise be used to leak cross-origin data. It's also quite complex to reason about because its guarantees depend on multiple web-facing security mechanisms (COOP, COEP, CORP, CORS) as well as non-web-exposed browser features (e.g. process-level isolation & OOPIFs, CORB/CORB++).

I recently wrote down some thoughts to attempt to shed light on what COI means from a security perspective, and what it means for application developers, and wanted to get your feedback. I'd appreciate it if you could take a look at one of the following:


I'm hoping for an open discussion about this, both when it comes to the overall threat model (e.g. thoughts about the security consequences of a resource entering a COI document), and your opinions about the direction the web platform should take as a result (e.g. on the question of which COI opt-in we should recommend: CORP, CORS, or both).

I believe Mike threatened to make me talk about this in the upcoming WebAppSec meeting, so I'll give a brief overview then. But if you're interested in this area, I'd recommend taking a quick look at the doc in the meantime.

Cheers,
-Artur
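The COOP/COEP/CORP/CORS interplay the message describes, as an added example that is not part of the original post and not code from any browser: a small header evaluator that decides (1) whether a top-level response makes its document cross-origin isolated and (2) whether a cross-origin subresource may enter such a document under COEP: require-corp, either by a CORP opt-in or by passing CORS. The hostnames and headers in the comments and tests are constructed, and the same-site check is a deliberate simplification.

```javascript
// Added example (not from the post or any browser): evaluates response
// headers against the cross-origin isolation rules. Sample origins below
// (app.example, cdn.example, ...) are constructed for illustration.

function lower(headers) {
  return Object.fromEntries(Object.entries(headers).map(
    ([k, v]) => [k.toLowerCase(), String(v).trim().toLowerCase()]));
}

// Cross-origin isolation needs COOP: same-origin AND COEP: require-corp
// (or credentialless); either header alone is not enough.
function isCrossOriginIsolated(headers) {
  const h = lower(headers);
  const coep = h['cross-origin-embedder-policy'];
  return h['cross-origin-opener-policy'] === 'same-origin' &&
    (coep === 'require-corp' || coep === 'credentialless');
}

// Simplified same-site test: same scheme and same last two host labels.
// Real browsers use the Public Suffix List; this shortcut is an assumption.
function sameSite(a, b) {
  const [ua, ub] = [new URL(a), new URL(b)];
  const site = u => u.hostname.split('.').slice(-2).join('.');
  return ua.protocol === ub.protocol && site(ua) === site(ub);
}

// May a response from resOrigin be embedded by a document at docOrigin that
// set COEP: require-corp? `cors` is true when the request was made in CORS
// mode (fetch(), crossorigin attribute) rather than no-cors mode.
function subresourceAllowed(docOrigin, resOrigin, headers, cors) {
  const h = lower(headers);
  if (docOrigin === resOrigin) return { allowed: true, via: 'same-origin' };
  if (cors) {
    // CORS path: the server must grant the embedding document's origin.
    // (For a credentialed request '*' would not suffice; not modelled here.)
    const acao = h['access-control-allow-origin'];
    return acao === '*' || acao === docOrigin.toLowerCase()
      ? { allowed: true, via: 'cors' }
      : { allowed: false, reason: 'no matching Access-Control-Allow-Origin' };
  }
  // no-cors path: the resource must explicitly opt in with CORP.
  const corp = h['cross-origin-resource-policy'];
  if (corp === 'cross-origin') return { allowed: true, via: 'corp' };
  if (corp === 'same-site' && sameSite(docOrigin, resOrigin)) {
    return { allowed: true, via: 'corp' };
  }
  return { allowed: false, reason: 'missing or insufficient CORP header' };
}
```

Running the two checks over a site's own responses is a quick way to see which cross-origin resources would break under COEP before enabling isolation.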