On Wed, Jan 15, 2014 at 1:23 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Tue, Jan 14, 2014 at 6:46 PM, Nasko Oskov <nasko@chromium.org> wrote: > > In a pop-up window, the navigation is actually top level. The reason for > it > > not working though is that windows with synchronous scripting > relationships > > must stay in the same renderer process, hence they cannot use different > > storage partitions. This causes the user to have to login in a pop-up for > > each isolated origin, which defeats the purpose of origin isolation. > > Could we isolate these similar to <iframe>? Perhaps with a new API? > It will have to be a new API or modification to window.open, otherwise we risk breakage. There is a hack we have in Chromium to work around this, but having a proper API will be best. We have proposed this in the past, but didn't go far: http://wiki.whatwg.org/wiki/Links_to_Unrelated_Browsing_Contexts. > > While a[t] this, I should mention that we do not isolate on the basis of > > origins, rather on the concept of "site". It includes the scheme and the > > registered domain name, so relaxing origin through document.domain is not > > broken. It excludes subdomains and port numbers. > > It seems that if a site opts into this better security model, we could > go and disable document.domain... > While it does sound good in theory, I wonder how well it will fare in practice. If a site wants the protection, but cannot refactor in reasonable timeframe to avoid document.domain, then they will be missing on a very useful protection. Another issue is how the UI messages this to the user, without very quickly bringing confusion with "multiple partitions". This is one of the reasons we decided not to implement partitions for the open web.
Received on Wednesday, 15 January 2014 18:53:15 UTC