- From: Mike West <notifications@github.com>
- Date: Wed, 29 Apr 2020 04:50:03 -0700
- To: heycam/webidl <webidl@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <heycam/webidl/issues/875@github.com>
We have a [`[SecureContext]`](https://heycam.github.io/webidl/#SecureContext) extended attribute that governs whether or not a given construct is exposed within a given context. I'd suggest that something similar would be helpful as we begin restricting access to APIs based on whether or not a given context is cross-origin isolated.
The [Securer Contexts](https://github.com/mikewest/securer-contexts) proposal talks about this attribute in terms of `[SecureContext=Isolated]`, but I now think it's probably a better idea to create a new attribute (`[CrossOriginIsolated]`) for this purpose, as it would give us the opportunity to reformulate `[SecureContext]` in the future to something more specifically related to the aspect of security it actually governs.
That is, for upcoming APIs like [`performance.measureMemory()`](https://github.com/WICG/performance-measure-memory), I'd like them to be able to define the API as limited to isolated and secure contexts in a standardized way. Perhaps along the lines of:
```
partial interface Performance {
[SecureContext, CrossOriginIsolated] Promise<MemoryMeasurements> measureMemory();
}
```
That would have the effect of exposing the method only when the context is cross-origin isolated via COOP and COEP (as defined in https://github.com/whatwg/html/issues/4732#issuecomment-570223375).
WDYT?
@annevk @camillelamy @domenic
--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/heycam/webidl/issues/875
Received on Wednesday, 29 April 2020 11:50:16 UTC