Re: [w3ctag/design-reviews] Document-Isolation-Policy (Issue #995)

camillelamy left a comment (w3ctag/design-reviews#995)

Hi @martinthomson,

1) A real world example I can give you is a compute heavy application like a spreadsheet, a video conference app or a video game that is looking to improve its performance by taking advantage of the concurrency offered by SharedArrayBuffers and WASM threads (concurrency does offer significant speed ups to compute heavy applications). At the same time those applications might use SSO authentication or payment flows that are popup based and they can't easily change that. Or they might embed third-party iframes (for example ads for monetization, or some enterprise setups allow companies to customize web apps and add their own frames to the spreadsheet app). What we've found is that it's really hard to deploy crossOriginIsolation whenever a page interacts with third-party content, since the interaction might not work anymore or it might require a lot of work from third-party developers. And just dropping requirements on SharedArrayBuffers has security issues. So we want compute heavy applications to be able to use concurrency through SharedArrayBuffers to improve their performance, without having to rely on 3rd party content they interact with having to do any work.

2) The trade-offs are around the process model allocation the browser vendors will use to back this. Basically, to make it work you need to process isolate the documents that have requested Document-Isolation-Policy, which requires the use of Out-Of-Process Iframes. Whereas the original COOP+COEP model was designed to work with only page level isolation. In some cases, it might lead to increased memory consumption. That said, process isolation is not actually mandated by the spec, because we do not wish to specify the implementation of process model for browser vendors. It is simply the suggestion of the authors that this is a safe way to implement the API. Not implementing it in that way would increase the risk of XS-Leaks attacks.

3) Yes, as part of the OriginTrial on Chrome, we have been working with several developers who find it much easier to gain access to SharedArrayBuffers using DocumentIsolationPolicy. This has been the case for Zoom, Gmail, Google Meet and Google Earth. Basically, large applications have a lot of cross-origin iframes, and it has been hard for the applications to get the iframes to deploy COEP. The interaction with SSO login flows through popups was also a blocker for a number of those websites.

https://github.com/w3ctag/design-reviews/issues/995#issuecomment-2775734681

Received on Thursday, 3 April 2025 13:08:38 UTC