- From: Arthur Sonzogni <notifications@github.com>
- Date: Tue, 31 May 2022 05:20:00 -0700
- To: w3ctag/design-reviews <design-reviews@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <w3ctag/design-reviews/issues/742@github.com>
Bonjour le TAG!

I'm requesting an Early design review of [COEP reflection](https://github.com/ArthurSonzogni/coep-reflection).

### Description

Add the API:

```js
self.crossOriginEmbedderPolicy;
```

It reflects the environment's [cross-origin-embedder-policy](https://html.spec.whatwg.org/multipage/origin.html#coep)'s value.

The possible values are: `unsafe-none`, `credentialless`, and `require-corp`.

### Question for w3ctag

The initial design is to add the API as part of the global object, similarly to the pre-existing `crossOriginIsolated`:

```js
window.crossOriginIsolated;        // pre-existing
window.crossOriginEmbedderPolicy;  // new
```

Should we continue adding APIs one by one here?

@mikewest [suggested](https://github.com/whatwg/html/issues/7912#issuecomment-1123407921) this could potentially be nested behind `window.policies` since COEP is part of the [policy container](https://html.spec.whatwg.org/multipage/origin.html#policy-containers). It might also make sense. WDYT?

### Links

- Explainer: [URL](https://github.com/ArthurSonzogni/coep-reflection)
- Specification: https://github.com/whatwg/html/pull/7948
- Tests: [/html/cross-origin-embedder-policy/reflection-*](https://wpt.fyi/results/html/cross-origin-embedder-policy?label=master&label=experimental&aligned&q=reflection)
- User research: None. This affects JS developers.
- Security and Privacy self-review: [URL](https://github.com/ArthurSonzogni/coep-reflection/blob/main/security-privacy-questionnaire.md)
- GitHub repo: [URL](https://github.com/ArthurSonzogni/coep-reflection)
- Primary contacts: [Arthur Sonzogni](https://github.com/ArthurSonzogni) (@ArthurSonzogni), Google
- Organization(s)/project(s) driving the specification: Google. It is intended to be part of the [HTML specification](https://github.com/whatwg/html) project.
- External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5074103873568768

### Further details:

- [X] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
- The group where the incubation/design work on this is being done (or is intended to be done in the future): This is a simple [HTML PR](https://github.com/whatwg/html/pull/7948). Should I move the explainer toward WICG?
- The group where standardization of this work is intended to be done ("unknown" if not known): Unknown.
- Existing major pieces of multi-stakeholder review or discussion of this design: This was initially discussed here: https://github.com/whatwg/html/issues/7912
- Major unresolved issues with or opposition to this design: No opposition. However, an interrogation about [where the API should be located](https://github.com/ArthurSonzogni/coep-reflection#questions).
- This work is being funded by: Google

--
Reply to this email directly or view it on GitHub: https://github.com/w3ctag/design-reviews/issues/742
Received on Tuesday, 31 May 2022 12:20:13 UTC
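
As an added example (not part of the original message or of the explainer), this sketch shows how a script could consume the proposed `crossOriginEmbedderPolicy` attribute defensively and what the pre-existing `crossOriginIsolated` boolean can and cannot tell it when the attribute is absent. The function names `readEmbedderPolicy` and `subresourceRequirement`, and the result labels they return, are hypothetical.

```javascript
// Added example: read the proposed attribute, validate it, and fall back to
// the pre-existing crossOriginIsolated boolean when it is not implemented.
const COEP_VALUES = ['unsafe-none', 'credentialless', 'require-corp'];

// `scope` is the global object (window, or self in a worker). It is passed in
// as a parameter so the function can be exercised with constructed objects.
function readEmbedderPolicy(scope) {
  const value = scope.crossOriginEmbedderPolicy;
  if (typeof value === 'string') {
    // Treat an unrecognised string as unknown rather than guessing.
    return COEP_VALUES.includes(value)
      ? { policy: value, source: 'reflection' }
      : { policy: null, source: 'unrecognised-value' };
  }
  // Attribute absent. crossOriginIsolated === true implies COEP is either
  // require-corp or credentialless but cannot say which; false says nothing
  // about COEP by itself (isolation has other preconditions too).
  if (scope.crossOriginIsolated === true) {
    return {
      policy: null,
      source: 'isolated-fallback',
      candidates: ['credentialless', 'require-corp'],
    };
  }
  return { policy: null, source: 'unknown', candidates: COEP_VALUES.slice() };
}

// Hypothetical helper: what the embedder has to plan for when loading a
// cross-origin no-cors subresource under each policy value.
function subresourceRequirement(result) {
  switch (result.policy) {
    case 'require-corp':
      return 'needs-corp-or-cors';        // response must opt in via CORP or CORS
    case 'credentialless':
      return 'sent-without-credentials';  // request goes out without cookies
    case 'unsafe-none':
      return 'no-extra-requirement';
    default:
      return 'assume-strictest';          // unknown: plan as for require-corp
  }
}
```

In a page or worker the call would be `readEmbedderPolicy(self)`.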