LGTM2

On Wed, Sep 18, 2024 at 8:44 AM Alex Russell <slightly...@chromium.org> wrote:
> LGTM1. Excited to see this happening.
>
> On Monday, September 16, 2024 at 12:23:09 AM UTC-7 Yoav Weiss wrote:
>
>> Contact emails
>> yoavwe...@chromium.org
>>
>> Explainer
>> https://gist.github.com/yoavweiss/c7b61e97e6f8d207be619f87ab96ead5
>>
>> Specification
>> https://github.com/whatwg/html/pull/10394
>>
>> The PR hasn't landed yet, but I believe it is ready to land (% potential
>> nits).
>> I'm not aware of any open issues.
>>
>> Summary
>>
>> Some origins can contain different applications with different levels of
>> security requirements. In those cases, it can be beneficial to prevent
>> scripts running in one application from being able to open and script pages
>> of another same-origin application. In such cases, it can be beneficial for
>> a document to ensure its opener cannot script it, even if the opener
>> document is a same-origin one. The `noopener-allow-popups`
>> Cross-Origin-Opener-Policy value will allow documents to define that.
>>
>> Blink component
>> Blink
>> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink>
>>
>> TAG review
>> https://github.com/w3ctag/design-reviews/issues/964
>>
>> TAG review status
>> Issues addressed
>>
>> Risks
>>
>> Interoperability and Compatibility
>>
>> Compatibility risk: As this feature adds a new COOP value, it doesn't run
>> a risk of colliding with existing values. Where we may see some risk is
>> when developers start using this value in ways that would surprise other
>> teams on their origins. (as they would no longer have scripting access to
>> opened documents) I don't expect that to happen often, and if it would it's
>> something that developers would find out at development time. So I don't
>> expect that to impact users.
>>
>> Interoperability risk: WebKit's positive
>> position makes me optimistic that I'd be able to land the feature there
>> <https://github.com/WebKit/WebKit/pull/30344> as well.
>>
>> *Gecko*: No signal (https://github.com/mozilla/standards-positions/issues/1037)
>>
>> *WebKit*: Support (https://github.com/WebKit/standards-positions/issues/360)
>>
>> *Web developers*: No particular signals, other than the fact that
>> Shopify is interested in this.
>>
>> *Other signals*:
>>
>> Security
>>
>> No particular issues:
>> https://gist.github.com/yoavweiss/3cb7283f56717f6dfe6da05009a27a65
>>
>> The main risk is having developers over-rely on the protections this
>> would provide. Input from Chrome and Google security folks led to the
>> inclusion of a spec note
>> <https://whatpr.org/html/10394/browsers.html#cross-origin-opener-policies:top-level-browsing-context-6>
>> warning developers against it and indicating what else they'd need to do
>> for more holistic isolation of same-origin documents from others.
>>
>> I'm planning to add a similar note to developer-facing docs
>> <https://github.com/mdn/mdn/issues/579>.
>>
>> WebView application risks
>>
>> Does this intent deprecate or change behavior of existing APIs, such that
>> it has potentially high risk for Android WebView-based applications?
>>
>> None
>>
>> Debuggability
>>
>> None
>>
>> Will this feature be supported on all six Blink platforms (Windows, Mac,
>> Linux, ChromeOS, Android, and Android WebView)?
>> Yes
>>
>> Is this feature fully tested by web-platform-tests
>> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>> Yes
>>
>> https://wpt.fyi/results/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https.html?label=experimental&label=master&aligned
>>
>> The test doesn't pass on the bots as the feature is disabled using a base
>> feature flag (and no runtime flag).
>>
>> Flag name on chrome://flags
>> None
>>
>> Finch feature name
>> CoopNoopenerAllowPopups
>>
>> Requires code in //chrome?
>> False
>>
>> Tracking bug
>> https://issues.chromium.org/issues/344963946
>>
>> Measurement
>> https://chromestatus.com/metrics/feature/timeline/popularity/5029
>> https://chromestatus.com/metrics/feature/timeline/popularity/5030
>>
>> Estimated milestones
>> Shipping on desktop 131
>> Shipping on Android 131
>> Shipping on WebView 131
>>
>> Anticipated spec changes
>>
>> Open questions about a feature may be a source of future web compat or
>> interop issues. Please list open issues (e.g. links to known github issues
>> in the project for the feature specification) whose resolution may
>> introduce web compat/interop risk (e.g., changing to naming or structure of
>> the API in a non-backward-compatible way).
>>
>> No open questions ATM.
>>
>> Link to entry on the Chrome Platform Status
>> https://chromestatus.com/feature/5163293877731328?gate=4905084336209920
>>
>> Links to previous Intent discussions
>> Intent to Prototype:
>> https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSJj33d%3D0B0tNpD0qrYWzygx0i02bWdhbV3aSCgbjS3Ndw%40mail.gmail.com
>>
>> This intent message was generated by Chrome Platform Status
>> <https://chromestatus.com/>.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-kEUKSHDazs61oor%2B3SQu3j7L1Jpp7Hhb3jhKjnLuUgg%40mail.gmail.com.
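The deployment case the Summary describes, one origin hosting applications with different security requirements, as an added example that is not part of the thread or of Chromium's code: a Node-style request handler that sends `Cross-Origin-Opener-Policy: noopener-allow-popups` only for the more sensitive application. The roots `/admin` and `/storefront` are hypothetical, and the header decision is made on the normalised path so that dot segments or a look-alike prefix cannot change which application gets the header.

```javascript
// Added example. "/admin" is a hypothetical root of the application that
// must not be scriptable by its opener; "/storefront" (used in the checks)
// is a hypothetical lower-sensitivity application on the same origin.
const COOP_BY_APP = [
  { root: "/admin", coop: "noopener-allow-popups" },
];

// Return the COOP value to send for a request target, or null for no header.
function coopFor(requestTarget) {
  // URL parsing resolves "." and ".." segments (including "%2e%2e")
  // before the prefix check. The base host is a placeholder only.
  const { pathname } = new URL(requestTarget, "http://placeholder.invalid");
  for (const { root, coop } of COOP_BY_APP) {
    // Match on a segment boundary so "/administrator" is not "/admin".
    if (pathname === root || pathname.startsWith(root + "/")) return coop;
  }
  return null;
}

// Request handler in the shape accepted by Node's http.createServer().
// Routing should use the same normalised path as coopFor() so the header
// and the served document always belong to the same application.
function handler(req, res) {
  const coop = coopFor(req.url);
  if (coop) res.setHeader("Cross-Origin-Opener-Policy", coop);
  res.setHeader("Content-Type", "text/html; charset=utf-8");
  res.end("<!doctype html><title>demo</title>");
}
```
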