[w3ctag/design-reviews] Document-Isolation-Policy (Issue #995)

こんにちは TAG-さん!

I'm requesting a TAG review of Document-Isolation-Policy.

Developers want to build applications that are fast using [SharedArrayBuffers](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer) (SAB), which can improve computation time by ~40%. But SharedArrayBuffers allow the creation of high-precision timers that can be exploited in a [Spectre](https://en.wikipedia.org/wiki/Spectre_(security_vulnerability)) attack, allowing cross-origin user data to be leaked. To mitigate the risk, SharedArrayBuffers are gated behind [crossOriginIsolation](https://developer.mozilla.org/en-US/docs/Web/API/crossOriginIsolated) (COI). CrossOriginIsolation requires deploying both [Cross-Origin-Opener-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy) (COOP) and [Cross-Origin-Embedder-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy) (COEP). Both have proven hard to deploy: COOP because it prevents communication with cross-origin popups, and COEP because it imposes restrictions on third-party embeds. Finally, the whole COOP + COEP model is focused on providing access to SharedArrayBuffers to the top-level frame. Cross-origin embeds can only use SABs if their embedder deploys crossOriginIsolation and delegates the permission to use COI-gated APIs, making the availability of SABs in third-party iframes very unreliable.

Document-Isolation-Policy proposes to solve these deployment concerns by relying on the browser's [Out-of-Process-Iframe](https://www.chromium.org/developers/design-documents/oop-iframes/) capability. It will provide a way to securely build fast applications using SharedArrayBuffers while maintaining communication with cross-origin popups (needed for OAuth and payment flows) and not requiring extra work to embed cross-origin iframes. Finally, it will be available for embedded widgets as well as top-level frames, making it possible to build efficient compute-heavy widgets that are embedded across a variety of websites (e.g. photo library, video conference iframe, etc.).
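To make the deployment problem above concrete, here is an added example (not code from the proposal or this thread) that models the existing COOP + COEP rules: a top-level document is cross-origin isolated when it sends `COOP: same-origin` with `COEP: require-corp` or `credentialless`, and a cross-origin frame only inherits that state when its embedder is isolated, the frame itself sends a compatible COEP, and the embedder delegates the `cross-origin-isolated` permission via `allow`. The header values are the real HTTP ones; the pages, origins and `report()` helper are constructed for illustration, and CORP checks on the frame response are left out.

```javascript
// Added example: models COOP + COEP gating of crossOriginIsolated (and hence
// SharedArrayBuffer) for a top-level page and for a cross-origin widget frame.
const ISOLATING_COEP = new Set(["require-corp", "credentialless"]);

// Case-insensitive header lookup, normalised for comparison.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key ? headers[key].trim().toLowerCase() : "";
}

// Top-level frame: both headers are needed, which is the deployment burden
// described above (COOP breaks popups, COEP constrains third-party embeds).
function topLevelIsolated(headers) {
  return header(headers, "cross-origin-opener-policy") === "same-origin" &&
    ISOLATING_COEP.has(header(headers, "cross-origin-embedder-policy"));
}

// Cross-origin frame: three conditions must hold at once, two of them set by
// the embedder rather than the widget author. That is why SAB availability in
// third-party iframes is unreliable under the COOP + COEP model.
function frameIsolated({ embedderHeaders, frameHeaders, allowAttribute = "" }) {
  const delegated = allowAttribute
    .split(";")
    .map((directive) => directive.trim().split(/\s+/)[0])
    .includes("cross-origin-isolated");
  return topLevelIsolated(embedderHeaders) &&
    ISOLATING_COEP.has(header(frameHeaders, "cross-origin-embedder-policy")) &&
    delegated;
}

// Constructed deployments (sample values, not from any real site).
const isolatedEmbedder = {
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Embedder-Policy": "require-corp",
};
const plainEmbedder = {}; // typical site that still needs cross-origin popups
const widget = { "Cross-Origin-Embedder-Policy": "credentialless" };

// Summarises which deployments actually get SharedArrayBuffer access.
function report() {
  return {
    topLevel: topLevelIsolated(isolatedEmbedder),
    widgetDelegated: frameIsolated({ embedderHeaders: isolatedEmbedder,
      frameHeaders: widget, allowAttribute: "cross-origin-isolated; camera" }),
    widgetNotDelegated: frameIsolated({ embedderHeaders: isolatedEmbedder,
      frameHeaders: widget }),
    widgetInPlainEmbedder: frameIsolated({ embedderHeaders: plainEmbedder,
      frameHeaders: widget, allowAttribute: "cross-origin-isolated" }),
  };
}
```

Only the first two entries of `report()` come back `true`; the same widget, shipping the same headers, loses SAB access as soon as the embedder omits delegation or is not isolated itself.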

  - Explainer: https://github.com/WICG/document-isolation-policy
  - Specification: https://wicg.github.io/document-isolation-policy/
  - WPT Tests: https://wpt.fyi/results/html/document-isolation-policy?label=experimental&label=master&aligned
  - User research:
  - Security and Privacy self-review: https://github.com/WICG/document-isolation-policy/blob/main/security_privacy_self_review.md
  - GitHub repo: https://wicg.github.io/document-isolation-policy/
  - Primary contacts:
      - Camille Lamy (@camillelamy), Google, spec author
  - Organization/project driving the specification: Google
  - Multi-stakeholder support:
    - Chromium comments: We are excited to start trialing this API with developers through origin trials.
    - Mozilla comments: https://github.com/mozilla/standards-positions/issues/1074
    - WebKit comments: https://github.com/WebKit/standards-positions/issues/399
    - Positive feedback from developer on the initial [WICG proposal](https://github.com/WICG/proposals/issues/145).
  - Status/issue trackers for implementations:
    - Chromium: https://chromestatus.com/feature/5141940204208128

Further details:

  - [x] I have reviewed the TAG's [Web Platform Design Principles](https://www.w3.org/TR/design-principles/)
  - The group where the work on this specification is currently being done: WICG
  - The group where standardization of this work is intended to be done (if different from the current group): WHATWG
  - Major unresolved issues with or opposition to this specification:
  - This work is being funded by: Google

You should also know that...

This proposal is solving the same issues as our previous proposal [COOP: restrict-properties.](https://github.com/w3ctag/design-reviews/issues/760) This new proposal is meant to replace the old one.


Message ID: <w3ctag/design-reviews/issues/995@github.com>

Received on Wednesday, 18 September 2024 13:30:36 UTC