Contact emails
arthursonzo...@google.com

Explainer
https://github.com/ArthurSonzogni/coep-reflection

Specification
https://github.com/whatwg/html/pull/7948

Design docs
https://github.com/ArthurSonzogni/coep-reflection

Summary
Add the API `self.crossOriginEmbedderPolicy`. It reflects the value of the environment's cross-origin embedder policy. The possible values are: 'unsafe-none', 'credentialless', and 'require-corp'.

Blink component
Blink>SecurityFeature>COEP <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature%3ECOEP>

Motivation
Depending on the Cross-Origin-Embedder-Policy value, not every iframe or subresource can be loaded inside the document. If this reflection API is provided, 3rd party scripts can make better decisions and implement appropriate fallbacks. In particular, to try Anonymous Iframe, Google DisplayAds needs a way to know the COEP policy. The ads script could then decide between inserting a normal or an anonymous iframe.

Initial public proposal
https://github.com/whatwg/html/issues/7912

Search tags
coep <https://chromestatus.com/features#tags:coep>, cross-origin-embedder-policy <https://chromestatus.com/features#tags:cross-origin-embedder-policy>, reflection <https://chromestatus.com/features#tags:reflection>

TAG review
https://github.com/w3ctag/design-reviews/issues/742

TAG review status
Pending

Risks

Interoperability and Compatibility
This is a new API. The main risk is that it fails to become an interoperable part of the web platform if other browsers do not implement it.

*Gecko*: No signal
*WebKit*: No signal
*Web developers*: No signals
*Other signals*:

Activation
This is a read-only attribute, constant for the whole lifetime of the environment. I don't expect difficulties using it. On web browser implementations not supporting it, it will return `undefined`.

Security
It is already possible to deduce the value returned by the API by making a no-cors `fetch` request toward a known cross-origin URL whose response depends on the request's cookies and omits the CORP headers. It is a bit costly, but theoretically polyfillable. As such, it should be a security/privacy no-op.

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None. COEP reflection is independent from the platform.

Debuggability
It is already exposed in DevTools via Application > Frames > top > Security & Isolation > Cross-Origin Embedder Policy (COEP). Nothing new is needed or planned.

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes

Flag name
--enable-blink-features=CoepReflection

Requires code in //chrome?
False

Tracking bug
https://crbug.com/1324521

Estimated milestones
No milestones specified

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5074103873568768

This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
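The fallback decision described in the Motivation and Activation sections above, as an added example that is not part of the intent message or of the Chromium code: a third-party embedding script reads `self.crossOriginEmbedderPolicy`, treats `undefined` (no reflection API) as an unknown policy, and chooses between a normal and an anonymous iframe. The decision logic is kept in a pure function so it can be tested outside a browser; the `credentialless` attribute name used for Anonymous Iframe and the `https://ads.example/frame` URL are assumptions of this example.

```javascript
// Added example: choosing an embedding strategy from the reflected COEP value.
// Not part of the original intent message.

const COEP_VALUES = new Set(['unsafe-none', 'credentialless', 'require-corp']);

// Pure decision logic. `policy` is whatever `self.crossOriginEmbedderPolicy`
// returned, or `undefined` on a browser without the reflection API.
function chooseEmbedding(policy) {
  if (policy === undefined) {
    // No reflection API: the document's COEP is unknown. Take the conservative
    // path, since a normal iframe would be blocked under an enforcing policy.
    return { mode: 'credentialless', reason: 'coep-unknown' };
  }
  if (!COEP_VALUES.has(policy)) {
    // The spec only defines three values; anything else is a caller bug.
    throw new TypeError(`unexpected COEP value: ${policy}`);
  }
  switch (policy) {
    case 'unsafe-none':
      // Nothing is blocked by COEP: a plain iframe works.
      return { mode: 'normal', reason: 'coep-unsafe-none' };
    case 'credentialless':
    case 'require-corp':
      // The embedded document would need its own COEP to load normally;
      // an anonymous (credentialless) iframe sidesteps that requirement.
      return { mode: 'credentialless', reason: `coep-${policy}` };
  }
}

// Reads the reflected value from the given global scope (`self` in a browser).
function readReflectedCoep(scope = globalThis) {
  return scope.crossOriginEmbedderPolicy;
}

// Browser-only: build the iframe element according to the decision.
function buildAdFrame(src, decision, doc = globalThis.document) {
  const frame = doc.createElement('iframe');
  frame.src = src;
  if (decision.mode === 'credentialless') {
    // Assumption: the Anonymous Iframe feature is exposed as the
    // `credentialless` IDL attribute on HTMLIFrameElement.
    frame.credentialless = true;
  }
  return frame;
}

// Wire-up when running inside a document; skipped in non-browser runtimes.
if (typeof document !== 'undefined') {
  const decision = chooseEmbedding(readReflectedCoep());
  document.body.appendChild(buildAdFrame('https://ads.example/frame', decision));
}
```

The unknown-policy branch is a design choice: on a browser without the reflection API the script cannot tell whether COEP is enforced, and the cost of a blocked normal iframe is higher than the cost of requesting a credentialless one that the browser may simply ignore.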