Re: [w3ctag/design-reviews] Anonymous iframes (#639) from Arthur Sonzogni on 2021-09-21 (public-webapps-github@w3.org from September 2021)

From: Arthur Sonzogni <notifications@github.com>
Date: Tue, 21 Sep 2021 04:59:54 -0700
To: w3ctag/design-reviews <design-reviews@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <w3ctag/design-reviews/issues/639/923912707@github.com>

> But what user need is being served by the use of SharedArrayBuffer *in this context* that this set of mitigations is aimed at securing

SharedArrayBuffer availability in the context of an anonymous iframe is not really updated by this proposal.
This is more about using SAB on the main document, which is not anonymous.

Let me explain why I believe anonymous iframe is useful to developers and end users:

1. End users needs performant websites.
2. Some developers get performant website, by using multithreading/SharedArrayBuffer on the main document.
3. To mitigate Spectre attacks, Web browsers (Chrome, Firefox, Safari ([soon](https://twitter.com/chris_dumez/status/1438704753156890624))) gate SharedArrayBuffer usage behind the crossOriginIsolated capability. This requires COOP and COEP.
4. COEP requirement is recursive: 3rd party iframes are required to deploy COEP in order to be embeddable inside a COEP parent.
5. Waiting for 3rd party to deploy COEP is painful for developers. Most of the time this is out of their control. Anonymous iframe removes the need to wait for 3rd party to update their website, at the cost of loading them using an ephemeral storage partition.

So anonymous iframe is helpful to developers, because they allow the top-level document to deploy crossOriginIsolation **and** keep embedding their 3rd party iframes.

Hoping to have answered the right question.

---

I made a quick online search. Here are some example of users who would see their problems addressed by this proposal:
- https://stackoverflow.com/questions/68654550/cross-origin-embedder-policy-how-to-allow-only-certain-domains
- https://twitter.com/DenisTRUFFAUT/status/1366506319990112259
- https://support.google.com/chrome/thread/117100049/cross-origin-isolation-for-part-of-the-document-and-not-the-whole-page?hl=en
- https://community.auth0.com/t/use-spa-sdk-with-cross-origin-embeder-policy/57285

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/639#issuecomment-923912707

Received on Tuesday, 21 September 2021 12:00:07 UTC