Re: [w3ctag/design-reviews] COOP same-origin-allow-popups-plus-coep (#649) from Mike West on 2021-07-13 (public-webapps-github@w3.org from July 2021)

From: Mike West <notifications@github.com>
Date: Tue, 13 Jul 2021 02:22:18 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/649/878925504@github.com>

Camille is out of office until Thursday, I'll defer to her on the user-facing framing of the proposal.

> Referencing our previous review of origin isolation #464 and looking back at the implementation status, it looks like there is not good support across engines for this underlying tech (COEP/COOP) yet. Is it premature to start building stuff on top of it? Are there additional implementer signals for this specifically? Chrome status still shows "no information".

I'm not sure if you're asking about cross-origin isolation generally, or this specific proposal. COOP and COEP are integrated into HTML and Fetch, and are shipping in Firefox and Chrome with reasonably good test coverage (see [COEP tests](https://wpt.fyi/results/html/cross-origin-embedder-policy?label=master&label=experimental&aligned) and [COOP tests](https://wpt.fyi/results/html/cross-origin-opener-policy?label=master&label=experimental&aligned) on WPT). Safari does not ship these mechanisms today, but has [vaguely hinted at eventual COOP/COEP support](https://webkit.org/blog/11648/new-webkit-features-in-safari-14-1/#:~:text=until%20Safari%20supports,%20leaks.) publicly. Perhaps @hober has more information?

Note that the TAG review you pointed to in #464 is for a different feature entirely: the [`Origin-Agent-Cluster` header](https://html.spec.whatwg.org/multipage/origin.html#origin-keyed-agent-clusters), which indeed is only shipping in Chrome today (despite support from Mozilla to integrate it into HTML).

> Finally, has there been any relevant discussions in WebAppSec that we should know about?

We discussed this problem briefly in April (https://github.com/w3c/webappsec/blob/main/meetings/2021/2021-04-20-minutes.md#coi-deployment-challenges). Camille has fleshed out the proposal since then, and I'm hoping that we can make it a topic in an upcoming meeting. I'd happily invite y'all if you're interested.


-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/649#issuecomment-878925504

Received on Tuesday, 13 July 2021 09:22:31 UTC