[w3ctag/design-reviews] Origin isolation (#464) from Domenic Denicola on 2020-01-14 (public-webapps-github@w3.org from January 2020)

From: Domenic Denicola <notifications@github.com>
Date: Tue, 14 Jan 2020 11:52:37 -0800
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/464@github.com>

Hello TAG!

I'm requesting a TAG review of origin isolation.

Origin isolation allows web developers to opt in to giving up certain cross-origin same-site access capabilities (namely synchronous scripting via `document.domain`, and `postMessage()`ing of `SharedArrayBuffer`s). This allows browsers to potentially segregate the origin into its own process. The developer can also provide hints to the browser as to why they are doing so, in the hopes of guiding the browser's process allocation.

Note that this opt in and the accompanying hints are delivered via origin policy (#127).

  - Explainer: https://github.com/domenic/origin-isolation/blob/master/README.md

  - Security and Privacy self-review: https://github.com/domenic/origin-isolation/blob/master/security-and-privacy.md

  - GitHub repo: https://github.com/domenic/origin-isolation

  - Primary contacts (and their relationship to the specification):
      - Domenic Denicola (@domenic), Google, specifier
      - W. James MacLean (@wjmaclean), Google, implementer
  - Organization/project driving the design: Chromium
  - External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5683766104162304


Further details:

  - [x] I have reviewed the TAG's [API Design Principles](https://w3ctag.github.io/design-principles/)
  - The group where the work on this design is being done (or is intended to be done in the future): WHATWG (for the portions that end up in the HTML spec); probably WebAppSec via WICG (for the portions that end up in the Origin Policy spec)
  - Existing major pieces of multi-stakeholder review or discussion of this design: 
    - [The issue tracker](https://github.com/domenic/origin-isolation/issues?utf8=%E2%9C%93&q=is%3Aissue)
    - [Some TPAC discussion](https://github.com/w3c/webappsec/blob/master/meetings/2019/2019-09-TPAC-minutes.md#origin-level-isolation)
    - [Mozilla standards positions repo issue](https://github.com/mozilla/standards-positions/issues/244) (currently no Mozilla replies)
  - Major unresolved issues with or opposition to this design: it's early days, but nothing currently
  - This work is being funded by: Google

We'd prefer the TAG provide feedback as (please delete all but the desired option):

  🐛 open issues in our GitHub repo for **each point of feedback**

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/464

Received on Tuesday, 14 January 2020 19:52:39 UTC