Make cross-origin-isolation an implementation-defined consequence of COOP + COEP? #6060
Labels
topic: cross-origin-embedder-policy
Issues and ideas around the new "require CORP for subresource requests and frames and etc" proposal
topic: cross-origin-opener-policy
Issues and ideas around the new "inverse of rel=noopener" header
Comments
annevk
added
topic: cross-origin-opener-policy
|
I think that's reasonable. It definitely seems preferable to not supporting COOP/COEP. I wonder if as part of this we should spell it out a bit more that an agent cluster with its cross-origin isolated flag set cannot share a process with an agent cluster that does not have that set (or is from a different site), but that's all rather architecture specific. Hmm. |
|
Thanks for your reply! I think I will try updating the specifications myself and see what feedback I will get. |
ArthurSonzogni
added a commit
to ArthurSonzogni/html
that referenced
this issue
Oct 23, 2020
The [specification] requires [COOP] + [COEP] to give access to crossOriginIsolated capabilities like SharedArrayBuffer. Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However the are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present. We would like to enforce COEP (and maybe COOP) on all platforms, despite the lack of crossOriginIsolated capabilities. This makes the specification to allow (instead of requiring) platform to set the crossOriginIsolated flag when COOP+COEP are used? This makes crossOriginIsolated to be platform dependent. In exchange, we could enforce COEP (and COOP) in a non platform dependent way, without conflicting with the specification about crossOriginIsolated. [Bug]: whatwg#6060 [specification]: https://html.spec.whatwg.org/#cross-origin-opener-policies [COOP]: https://html.spec.whatwg.org/#cross-origin-opener-policy [COEP]: https://html.spec.whatwg.org/#coep
ArthurSonzogni
added a commit
to ArthurSonzogni/html
that referenced
this issue
Oct 23, 2020
The [specification] requires [COOP] + [COEP] to give access to crossOriginIsolated capabilities like SharedArrayBuffer. Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However the are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present. We would like to enforce COEP (and maybe COOP) on all platforms, despite the lack of crossOriginIsolated capabilities. This makes the specification to allow (instead of requiring) platform to set the crossOriginIsolated flag when COOP+COEP are used. CrossOriginIsolated becomes platform dependent. In exchange, we can enforce COEP (and COOP) in a non platform dependent way, without conflicting with the specification about crossOriginIsolated. [Bug]: whatwg#6060 [specification]: https://html.spec.whatwg.org/#cross-origin-opener-policies [COOP]: https://html.spec.whatwg.org/#cross-origin-opener-policy [COEP]: https://html.spec.whatwg.org/#coep
ArthurSonzogni
added a commit
to ArthurSonzogni/html
that referenced
this issue
Oct 23, 2020
The [specification] currently requires [COOP] + [COEP] to give access to crossOriginIsolated capabilities like SharedArrayBuffer. Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However the are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present. It would be great enforcing COEP (and maybe COOP) on all platforms, desptie the lack of crossOriginIsolated capabilities. This patch makes the specification to allow (instead of requiring) platform to set the crossOriginIsolated flag when both COOP and COEP are used. Setting crossOriginIsolated becomes platform dependent. In exchange, we can enforce COEP (and COOP) in a non platform dependent way, without conflicting with the specification about crossOriginIsolated. [Bug]: whatwg#6060 [specification]: https://html.spec.whatwg.org/#cross-origin-opener-policies [COOP]: https://html.spec.whatwg.org/#cross-origin-opener-policy [COEP]: https://html.spec.whatwg.org/#coep
blueboxd
pushed a commit
to blueboxd/chromium-legacy
that referenced
this issue
Oct 23, 2020
There are no real reasons for COEP not to be enforced on Android WebView. See also: [PSA-COEP-expanded-to-webview]: https://groups.google.com/a/chromium.org/g/blink-dev/c/Wc_uYYkcviw [Updated chrome-status entry]: https://chromestatus.com/features/5642721685405696 [original-intent-to-ship-coep]: https://groups.google.com/a/chromium.org/g/blink-dev/c/XBKAGb2_7uA/m/ajpc6_9zAAAJ [crossOriginIsolated spec to be updated]: whatwg/html#6060 Bug: 1140432 Change-Id: I9a7c44671846f20bd0ac2a06b181ed584ad606eb Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2485507 Reviewed-by: Kinuko Yasuda <[email protected]> Reviewed-by: Richard Coles <[email protected]> Reviewed-by: Domenic Denicola <[email protected]> Reviewed-by: Mike West <[email protected]> Commit-Queue: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#820311}
ArthurSonzogni
added a commit
to ArthurSonzogni/html
that referenced
this issue
Nov 18, 2020
The [specification] currently requires [COOP] + [COEP] to give access to crossOriginIsolated capabilities like SharedArrayBuffer. Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However the are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present. It would be great enforcing COEP (and maybe COOP) on all platforms, desptie the lack of crossOriginIsolated capabilities. This patch makes the specification to allow (instead of requiring) platform to set the crossOriginIsolated flag when both COOP and COEP are used. Setting crossOriginIsolated becomes platform dependent. In exchange, we can enforce COEP (and COOP) in a non platform dependent way, without conflicting with the specification about crossOriginIsolated. [Bug]: whatwg#6060 [specification]: https://html.spec.whatwg.org/#cross-origin-opener-policies [COOP]: https://html.spec.whatwg.org/#cross-origin-opener-policy [COEP]: https://html.spec.whatwg.org/#coep
ArthurSonzogni
added a commit
to ArthurSonzogni/html
that referenced
this issue
Dec 15, 2020
The [specification] currently requires [COOP] + [COEP] to give access to crossOriginIsolated capabilities like SharedArrayBuffer. Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However the are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present. It would be great enforcing COEP (and maybe COOP) on all platforms, desptie the lack of crossOriginIsolated capabilities. This patch makes the specification to allow (instead of requiring) platform to set the crossOriginIsolated flag when both COOP and COEP are used. Setting crossOriginIsolated becomes platform dependent. In exchange, we can enforce COEP (and COOP) in a non platform dependent way, without conflicting with the specification about crossOriginIsolated. [Bug]: whatwg#6060 [specification]: https://html.spec.whatwg.org/#cross-origin-opener-policies [COOP]: https://html.spec.whatwg.org/#cross-origin-opener-policy [COEP]: https://html.spec.whatwg.org/#coep
ArthurSonzogni
added a commit
to ArthurSonzogni/html
that referenced
this issue
Dec 15, 2020
The [specification] currently requires [COOP] + [COEP] to give access to crossOriginIsolated capabilities like SharedArrayBuffer. Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However the are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present. It would be great enforcing COEP (and maybe COOP) on all platforms, desptie the lack of crossOriginIsolated capabilities. This patch makes the specification to allow (instead of requiring) platform to set the crossOriginIsolated flag when both COOP and COEP are used. Setting crossOriginIsolated becomes platform dependent. In exchange, we can enforce COEP (and COOP) in a non platform dependent way, without conflicting with the specification about crossOriginIsolated. [Bug]: whatwg#6060 [specification]: https://html.spec.whatwg.org/#cross-origin-opener-policies [COOP]: https://html.spec.whatwg.org/#cross-origin-opener-policy [COEP]: https://html.spec.whatwg.org/#coep
domenic
pushed a commit
to ArthurSonzogni/html
that referenced
this issue
Dec 17, 2020
The [specification] currently requires [COOP] + [COEP] to give access to crossOriginIsolated capabilities like SharedArrayBuffer. Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However the are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present. It would be great enforcing COEP (and maybe COOP) on all platforms, desptie the lack of crossOriginIsolated capabilities. This patch makes the specification to allow (instead of requiring) platform to set the crossOriginIsolated flag when both COOP and COEP are used. Setting crossOriginIsolated becomes platform dependent. In exchange, we can enforce COEP (and COOP) in a non platform dependent way, without conflicting with the specification about crossOriginIsolated. [Bug]: whatwg#6060 [specification]: https://html.spec.whatwg.org/#cross-origin-opener-policies [COOP]: https://html.spec.whatwg.org/#cross-origin-opener-policy [COEP]: https://html.spec.whatwg.org/#coep
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The specification requires COOP + COEP to give access to crossOriginIsolated capabilities like SharedArrayBuffer.
Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However the are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present.
We would like to enforce COEP (and maybe COOP) on all platforms, despite the lack of crossOriginIsolated capabilities.
Should we make the specification to allow (instead of requiring) platform to set the crossOriginIsolated flag when COOP+COEP are used?
This would make crossOriginIsolated to be platform dependent. In exchange, we could enforce COEP (and COOP) in a non platform dependent way, without conflicting with the specification about crossOriginIsolated.
FYI: @whatwg/cross-origin-isolation @annevk @domenic @mikewest @camillelamy @hemeryar
The text was updated successfully, but these errors were encountered: