Contact emails

aric...@chromium.org, johann...@chromium.org, kaustub...@chromium.org

Explainer

https://github.com/arichiv/partitioned-popins/

Summary

A new web primitive is needed to cover short-lived popup use cases which
require access to storage partitioned by the popup opener. This primitive
should be private and secure by default, while providing a consistent UI
experience across user agents.

To solve this need, we propose the “Partitioned Popin”, a type of pop-up
for loading web content with two unique new features: a modal-like UI
relative to its opener tab and cookies/storage being partitioned to its
opener context.


Blink component

Blink>Storage
<https://issues.chromium.org/u/1/issues?q=customfield1222907:%22Blink%3EStorage%22>


Motivation

Many smaller businesses and applications on the web currently use
third-party vendors to perform or facilitate security-sensitive operations
such as authentication. These third-party vendors prefer to be loaded in
top-level contexts so that they are not subject to clickjacking or script
injection attacks by a compromised relying party.

This ‘popin’ could be useful for any sites wanting a consistent way to
prompt the user to interact with a new window in a way that makes it clear
what site initiated the interaction. Making the ‘popin’ partitioned by its
opener ensures the privacy of an iframe (restricting access to first-party
storage) while retaining the security of a top-level navigation (isolating
the process).

TAG review

https://github.com/w3ctag/design-reviews/issues/956

Compatibility

This adds a new feature without removing existing ones.


Interoperability

Gecko: https://github.com/mozilla/standards-positions/issues/1023

WebKit: https://github.com/WebKit/standards-positions/issues/349

Web developers: Gathering feedback, one potential use case -
https://github.com/privacycg/CHIPS/issues/80

Debuggability

The ‘popin’ and related permissions/headers will be debuggable via DevTools.

Is this feature fully tested by web-platform-tests?

Tests will be added.

Tracking bug

https://issues.chromium.org/issues/340606651

Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5949561398099968
