Hey folks, The notion of cross-origin isolation (COI), achieved by setting both Cross-Origin Opener Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy> and Cross-Origin Embedder Policy <https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy>, is core to the web's ability to safely allow access to APIs which could otherwise be used to leak cross-origin data. It's also quite complex to reason about because its guarantees depend on multiple web-facing security mechanisms (COOP, COEP, CORP, CORS) as well as non-web-exposed browser features (e.g. process-level isolation & OOPIFs, CORB/CORB++). I recently wrote down some thoughts to attempt to shed light on what COI means from a security perspective, and what it means for application developers, and wanted to get your feedback. I'd appreciate it if you could take a look at one of the following: 1. Google doc (with comment access): https://docs.google.com/document/d/1JBUaX1xSOZRxBk5bRNZWgnzyJoCQC52TIRokACBSmGc/edit 2. PDF (easier to read): https://arturjanc.com/coi-threat-model.pdf I'm hoping for an open discussion about this, both when it comes to the overall threat model (e.g. thoughts about the security consequences of a resource entering a COI document), and your opinions about the direction the web platform should take as a result (e.g. on the question of which COI opt-in we should recommend: CORP, CORS, or both). I believe Mike threatened to make me talk about this in the upcoming WebAppSec meeting, so I'll give a brief overview then. But if you're interested in this area, I'd recommend taking a quick look at the doc in the meantime. Cheers, -Artur
Received on Friday, 15 January 2021 18:01:01 UTC