Design Review #527

#527: Cross-origin opener policy reporting API

Opened Jun 18, 2020

Saluton TAG!

I'm requesting a TAG review of Cross-origin opener policy API.

We want to provide a reporting API for cross-origin opener policy (COOP) to help developers deploy it on their websites. In addition to reporting breakages when COOP is enforced, we want to provide a report-only mode for COOP. The report-only mode for COOP will not enforce COOP, but it will report potential breakages that would have happened had we enforced COOP.

Explainer: https://github.com/camillelamy/explainers/blob/master/coop_reporting.md
Security and Privacy self-review: Inside the explainer.
Primary contacts:
- Camille Lamy: Google, Chromium implementer
Organization/project driving the design: Chromium
External status/issue trackers for this feature: Chrome Status, Chrome issue

Further details:

I have reviewed the TAG's API Design Principles
The group where the incubation/design work on this is being done: WHATWG
The group where standardization of this work is intended to be done: WHATWG
Existing major pieces of multi-stakeholder review or discussion of this design: GitHub issue
Major unresolved issues with or opposition to this design:
This work is being funded by: Google

You should also know that...

[please tell us anything you think is relevant to this review]

We'd prefer the TAG provide feedback as (please delete all but the desired option): 🐛 open issues in our GitHub repo for each point of feedback

Thank you! Camille

Discussions

Comment by @mikewest Jun 19, 2020 (See Github)

@torgo: We're filing this a bit later than we should have, but it would be helpful to get y'all's eyes on it sooner rather than later, as our implementation is underway, and we think it's on the critical path for deployment of this isolation primitive at scale (which, in turn, is blocking our ability to deprecate unsafe usage of SharedArrayBuffer-likes). Thanks!

Discussed Jun 22, 2020 (See Github)

[many

Discussed Jun 29, 2020 (See Github)

Yves: I was a bit concerned that there is already a CSP reporting - so many instead of creating a new header, reuse it?

Peter: there are other reporting APIs as well. we gave them feedback - as long as it's separate, I'm OK with it being a new header. HPKP has the same thing.

Yves: that's just at the HTTP level, not a JS API

Peter: true. The point of this header isn't to generate a report...

Yves: It's reporting what will be blocked but don't block anything. Apart from the point I made about CSP - seems OK to have that kind of thing. Good section on how not to leak private information or leak info to 3rd parties.

Peter: they went through a lot of work to figure out what can and should be reported...

Dan: Why is this whatwg and not webappsec?

Yves: cross origin opener policy is defined in Fetch...

Tess: what is the relationship between this reporting API and the reporting API defined by the web performance working group?

Yves: that also uses structured headers... so could be a good match.

Peter: it's not just the fact you want to report but you want to get a report as if the cross-origin policy is on. You need to have a report-only mode. You could put is a switch in the one header and not have 2 headers... Useful to have reports one way or the other...

Yves: related to secure context as well...

David: [summarizing] opting into a stricter model so browsers can have better guarantees about site isolation - because of SPECTRE

Comment by @plinss Jun 29, 2020 (See Github)

I understand there's the precedent with CSP, but curious if there's another reason this is a separate header rather than a report-only flag on the normal COOP header?

Comment by @mikewest Jun 30, 2020 (See Github)

We think it's valuable to be able to report upon one policy, while enforcing another. This gives folks the ability to migrate from the weaker same-origin-allow-popups to the stricter same-origin by enforcing the former, and reporting upon the latter. Once they drive the reports down to a point at which they're happy, they can enforce the latter.

It's certainly plausible to obtain this result by specifying the reported policy via a syntax that jammed everything into one header. I think we've taken a multi-header approach here (and in COEP) simply for consistency with things like CSP rather than any practical reason unique to this mechanism.

Comment by @annevk Jul 1, 2020 (See Github)

(It's not just consistency. It's also extensibility. If the policies would become more complex than an enum value that might become quite hard to handle.)

Discussed Jul 13, 2020 (See Github)

Peter: primary feedback was yet another header...

[bumped to B

Comment by @plinss Sep 22, 2020 (See Github)

Thanks for the responses, we discussed this further and agree with the use case for a separate header. We're also fine with the current design.

Closing this as satisfied, thanks for flying TAG.