Re: [w3ctag/design-reviews] COOP same-origin-allow-popups-plus-coep (#649)

Hi @arturjanc. Just reviewing in this morning's [TAG breakout](https://github.com/w3ctag/meetings/blob/gh-pages/2021/telcons/07-12-agenda.md). I think the phrase "...without reducing the security guarantees provided by cross-origin isolation" is really the key and this requires some additional elaboration. The security considerations and privacy considerations sections of the explainer need to spell out some of the abuse scenarios - not from a security-jargon perspective but from a user-needs perspective. "e.g. bad actors will try to do xxx to use this to steal users' info". Likewise the user needs at the root of the problem need to be better spelled out - again in terms of what user problem this helps to solve. If it doesn't solve a user problem but only makes it somewhat easier for developers, and it achieves this by weakening security & privacy guarantees and opening up potential for abuse then maybe it's not a good idea? On the other hand, if it's intended to encourage developers to adopt better security practices then overall it can be a good trade-off. I think that's what you're getting at but can you try to spell it out a bit more from an end-user perspective?

Also quick question: Referencing our previous review of origin isolation https://github.com/w3ctag/design-reviews/issues/464 and looking back at the implementation status, it looks like there is not good support across engines for this underlying tech (COEP/COOP) yet. Is it premature to start building stuff on top of it?  Are there additional implementer signals for this specifically? Chrome status still shows "no information". 

Also if developer feedback is the thing driving this then maybe this should be linked to in Chrome Status or in this review?

Finally, have there been any relevant discussions in WebAppSec that we should know about?

Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/649#issuecomment-878903613

Received on Tuesday, 13 July 2021 08:53:33 UTC