Re: [w3ctag/design-reviews] COEP reflection (Issue #742)

Sorry for the delay, I was on vacation. Thanks @mikewest for your post, and @plinss for your reply!
I wasn't expecting pushback on this feature. You provided nice questions/arguments; let's see if I can provide the right ones in reply:

> opt-in to older behaviors that may be more abusive to the end user.

Could you please help me understand why you believe the default COEP value may be abusive to the end user? I don't believe it is. This is key to the whole question.

We created `COEP:require-corp` and `COEP:credentialless` as dependencies to access more powerful features like SharedArrayBuffer or high-resolution timers.
The default `COEP:unsafe-none` is still used by 99.996% of top-level documents. I know 'unsafe' looks like a scary name. It was done purposefully as an incentive for developers to prefer the two other values, if they can. This would be 'unsafe' only in a context where access to SharedArrayBuffer or high-resolution timers is granted; we don't do this. So that's fine unconditionally. If we did, the attacker could exploit the Spectre vulnerability with sufficient bandwidth and they might extract non-public data without opt-in from weak cross-origin entities.

On the other hand, COEP reflection is already polyfillable. If there were a reason not to expose this information, the battle would have been lost already. So not reflecting its own COEP state doesn't help anything.

You might now ask: Why is a supported implementation preferable to a ~polyfill? The polyfill requires sending some fetch() requests and observing the side effects of COEP:
- Waiting for fetch() implies **delays**. This is important for some developers to avoid wasting time.
- A fetch blocked by COEP issues a devtool **console error message**. Legitimate developers don't want the added noise.
- A fetch blocked by COEP issues a **report** for those using COEP reporting. Legitimate developers don't want noise in their alerts.
 
So, at best this is just annoying for legitimate developers, without preventing sufficiently motivated ones from accessing the information.

COEP:reflection is a part of [anonymous iframe](https://github.com/w3ctag/design-reviews/issues/639) whose goal is to allow more websites to deploy COEP.

Is this somehow convincing?

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/742#issuecomment-1193366248

Message ID: <w3ctag/design-reviews/issues/742/1193366248@github.com>

Received on Sunday, 24 July 2022 17:59:31 UTC
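
The probe-based polyfill described in the message above, sketched as an added example (not code from the thread or from any browser). The probe URLs and the names `probeCoep`, `loads` and `fakeFetch` are assumptions; the probe host is assumed to serve the two resources with the headers noted in the comments.

```javascript
// Added example: probe-based COEP detection. Not code from the thread.
// Hypothetical probe URLs on a cross-origin host the developer controls.
const PROBES = {
  withCorp: "https://probe.example/corp.txt",     // sent with CORP: cross-origin
  withoutCorp: "https://probe.example/plain.txt", // no CORP, no CORS headers
};

// True if a no-cors request completed, false if it was rejected.
async function loads(fetchImpl, url) {
  try {
    await fetchImpl(url, { mode: "no-cors", cache: "no-store" });
    return true;
  } catch (err) {
    return false; // network failure and COEP block look the same here
  }
}

// Returns "require-corp", "not-require-corp" (unsafe-none or credentialless,
// which this probe cannot tell apart), or "inconclusive".
async function probeCoep(fetchImpl, probes = PROBES) {
  // Control request: allowed under every COEP value, so a failure means the
  // network or the probe host is down and nothing can be concluded.
  if (!(await loads(fetchImpl, probes.withCorp))) return "inconclusive";
  // Under require-corp this request is blocked, which also logs a console
  // error and, if COEP reporting is configured, queues a violation report.
  return (await loads(fetchImpl, probes.withoutCorp))
    ? "not-require-corp"
    : "require-corp";
}

// Constructed stand-in for fetch(), simulating a document's COEP value so
// the logic can be exercised outside a browser.
function fakeFetch(coep, online = true) {
  return async (url) => {
    if (!online) throw new TypeError("Failed to fetch");
    if (coep === "require-corp" && url === PROBES.withoutCorp) {
      throw new TypeError("Failed to fetch");
    }
    return { type: "opaque" };
  };
}

// In a page: probeCoep(fetch.bind(window)).then(console.log);
```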