Hey folks,
The notion of cross-origin isolation (COI), achieved by setting both
Cross-Origin
Opener Policy
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy>
and Cross-Origin Embedder Policy
<https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy>,
is core to the web's ability to safely allow access to APIs which could
otherwise be used to leak cross-origin data. It's also quite complex to
reason about because its guarantees depend on multiple web-facing security
mechanisms (COOP, COEP, CORP, CORS) as well as non-web-exposed browser
features (e.g. process-level isolation & OOPIFs, CORB/CORB++).
I recently wrote down some thoughts to attempt to shed light on what COI
means from a security perspective, and what it means for application
developers, and wanted to get your feedback. I'd appreciate it if you could
take a look at one of the following:
1. Google doc (with comment access):
https://docs.google.com/document/d/1JBUaX1xSOZRxBk5bRNZWgnzyJoCQC52TIRokACBSmGc/edit
2. PDF (easier to read): https://arturjanc.com/coi-threat-model.pdf
I'm hoping for an open discussion about this, both when it comes to the
overall threat model (e.g. thoughts about the security consequences of a
resource entering a COI document), and your opinions about the direction
the web platform should take as a result (e.g. on the question of which COI
opt-in we should recommend: CORP, CORS, or both).
I believe Mike threatened to make me talk about this in the upcoming
WebAppSec meeting, so I'll give a brief overview then. But if you're
interested in this area, I'd recommend taking a quick look at the doc in
the meantime.
Cheers,
-Artur