design-reviews#464: Origin isolation

#464: Origin isolation

Opened Jan 14, 2020

Hello TAG!

I'm requesting a TAG review of origin isolation.

Origin isolation allows web developers to opt in to giving up certain cross-origin same-site access capabilities (namely synchronous scripting via document.domain, and postMessage()ing of WebAssembly.Module instances). This allows browsers to potentially segregate the origin into its own process. The developer can also provide hints to the browser as to why they are doing so, in the hopes of guiding the browser's process allocation.

Note that this opt in and the accompanying hints are delivered via origin policy (#127).

Explainer: https://github.com/WICG/origin-isolation/blob/master/README.md
Security and Privacy self-review: https://github.com/WICG/origin-isolation/blob/master/security-and-privacy.md
GitHub repo: https://github.com/WICG/origin-isolation
Primary contacts (and their relationship to the specification):
- Domenic Denicola (@domenic), Google, specifier
- W. James MacLean (@wjmaclean), Google, implementer
Organization/project driving the design: Chromium
External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): https://chromestatus.com/feature/5683766104162304

Further details:

I have reviewed the TAG's API Design Principles
The group where the work on this design is being done (or is intended to be done in the future): WHATWG (for the portions that end up in the HTML spec); probably WebAppSec via WICG (for the portions that end up in the Origin Policy spec)
Existing major pieces of multi-stakeholder review or discussion of this design:
- The issue tracker
- Some TPAC discussion
- Mozilla standards positions repo issue, resulting in worth prototyping
Major unresolved issues with or opposition to this design: there is some discussion about surface syntax for the hints in https://github.com/WICG/origin-isolation/issues/18.
This work is being funded by: Google

We'd prefer the TAG provide feedback as (please delete all but the desired option):

🐛 open issues in our GitHub repo for each point of feedback

Discussions

Discussed Jan 13, 2020 (See Github)

Tess: assign me

Hadley: and me

Rossen: and me

David: some ties to Spectre mitigation

Peter and others discuss milestones for issues

Discussed Feb 10, 2020 (See Github)

Tess: Haven't managed to spend time on this yet. At high level sounds good to let origins opt out of features in general. Need to look at details. Push this out 2 weeks

Discussed Feb 24, 2020 (See Github)

Tess: no thoughts off-hand right now.

Rossen: some movement on this one - enaggement on Moz's position on this topic.

David: I think Anne has been involved in this.

[discussion on Moz's position]

Ken: [difficut to explain it to developers]

David: I think developers understand what a process boundary is...

Rossen: ...

Ken: some of these. .. difficult to understand...

Dan: concerns about overcomplicating the platform

David: prompted by Spectre mitigation

Ken: we need to come up with better names... make it easier to understand...

David: at some level the explanation is : if you want feature x you need to enable this flag and then you lose features y and z...

Ken: better documentation needed - e.g. on MDN...

Tess: sympathetic to the concern of making things easier for developers...

Ken: dev tools... to help developers...

Dan: can someone leave this feedback on the issue about simplification? I will see if I can raise that feedback in an informed way

Discussed Mar 23, 2020 (See Github)

Rossen: ... want to do a deeper review of this. The explainer is really good. Goes into some fairly detailed examples and overall proposal of the feature. We should certainly do our part and provide good feedback here. The work done by the team is solid. I don't know that we're going to have a lot to offer – but i want to take time to digest.

Peter: bump how long?

Rossen: I would give it a couple of weeks.

[moved to April 6

Discussed Apr 6, 2020 (See Github)

Rossen: this is a [big] proposal. Getting up to speed.

Tess: bump one week?

Dan: schedule a special breakout?

[scheduled between Rossen and Tess and left on this week

Comment by @domenic Apr 9, 2020 (See Github)

Hi TAG! A friendly ping for any thoughts you have here.

I'll note that the concept has been simplified a couple of times, first moving from origin policy to a header-based design, and today dropping the hints in favor of a simple boolean. We're hoping to start an origin trial in Chrome within the next 6 weeks for this new, simpler version.

Comment by @atanassov Apr 13, 2020 (See Github)

Hi @domenic! We did start the review just didn't write replies quickly enough, sorry.

The overall use case, feature proposal and explainer look great we have only few comments/questions (@hober will follow up with more).

As you've been working on this solution, have you considered and/or tried to make the feature behind a functional API rather than UACH? In other words, express hinting author needs via something more explicit like a web workers API that controls what will be in a separate process? In general I feel like explicit APIs are better than hinting as they give web developers better predictability.

Comment by @domenic Apr 13, 2020 (See Github)

I'm a bit unsure what your last paragraph is asking. How does it interact with the non-goals section in https://github.com/WICG/origin-isolation#objectives ? And what is UACH?

Comment by @atanassov Apr 27, 2020 (See Github)

Oh well, it seems like my reply from 10 days ago was just sitting in my edit box here :( sorry for delay.

Further, for whatever reason when reading and writing the comment to you I was thinking about User Agent Client Hints and referred to your response header additions as UACH.

As to the non-goals section you pointed out, I'm assuming you're referring to the 2nd point about 'Give web developers visibility into process allocation.". I did see this and also the first goal where you state the isolation is guaranteed and also "consistent web-developer-observable behavior regardless of implementation choices". This all led me think about this feature as better exposed through an explicit API, similar to web worker. Was that something you considered and rejected?

Again, sorry for the delay. Let's try and push this to completion soon.

Comment by @annevk Apr 28, 2020 (See Github)

By API do you mean something you call from JavaScript? How would that work?

Comment by @domenic Apr 28, 2020 (See Github)

This all led me think about this feature as better exposed through an explicit API, similar to web worker. Was that something you considered and rejected?

I too am confused by what feature you're referring to. The consistent web-developer behavior that origin isolation gives is allowing developers to opt in to the removal of some edge-case functionality (document.domain and sending WebAssembly.Modules to cross-origin same-site destinations). Are you using "this feature" to refer to those removals? What would an explicit API for those removals look like?

Comment by @dbaron May 28, 2020 (See Github)

So one thing that I found difficult reading the explainer is that it makes a number of references to documents that are cross-origin and same-site. After reading the definitions of these concepts I think this is something that can result from use of document.domain, although I'm not particularly confident given that I didn't find a formal definition of "cross origin" (I found "same origin" and "same origin-domain"). Given the frequent references to documents that are cross-origin and same-site, it might be good if the explainer gave a brief summary of what that means so that it doesn't require digging through the definitions to understand it.

Comment by @annevk May 29, 2020 (See Github)

We should maybe define cross-origin as meaning "not same origin" and cross-site as meaning not https://html.spec.whatwg.org/#same-site as they are often used in less formal settings. But yeah, the minimal process boundary for browsers is a site, not an origin, due to document.domain. And origin isolation as well as COOP+COEP try to change that largely by disabling document.domain but also by shrinking the agent cluster boundary.

Comment by @domenic May 29, 2020 (See Github)

A simple example of two pages that are cross-origin but same-site are https://www.example.com and https://example.com. (no document.domain involved.) I'll add this to the explainer.

Discussed Jun 22, 2020 (See Github)

Peter: missing Tess and Hadley...

Rossen: summarizing... the issue was looked at by myself and Tess... during one of our breakouts. A the time when we looked at it we did an analysis. It looks like the proposal is good and going the right direction. We had some followup questions - one was what is the actual API going to look like. One idea was to explore an API ideally on the window object document.domain. Turns out that was one of things they wanted to remove instead of adding the API there. I still need to add a comment and close that conversation. During the virtual f2f, David gave it a quick read and found some concept inconsistencies... Anne and Domenic proposed some changes to the explainer and some examples. I think what they are proposing sounds good. I don't think there's a lot left to get us to close on this. We could move this to "proposed closing"? Hopefully Tess will have a chance to give her view.

David: I read the replies - it makes sense.

Dan: I can ping Hadley about it

Discussed Jun 29, 2020 (See Github)

Rossen: we were more or less ready to sign off but wanted Tess to take a look. At the time we convinced ourselves this was good. Not much has changed.

Tess: I'm happy to trust that.

Rossen: David do you have additional feedback?

David: no. Other than that definitions could be improved a little bit - they are aware.

Rossen: I'll write up a summary and propose-close it for the plenary.

UPDATE: Wrote the following comment and closed the review

<blockquote> We reviewed this proposal one more time during our June 29 breakout. At this point we are happy to see it continue to evolve with the HTML community.

@dbaron issue about clarifying the concepts of cross-origin and same-site seems well handled.

@atanassov (my) issue about exposing the functionality behind an API such as document.domain has been self-answered after re-reading the explainer and your additional comments, thus, I consider it non-issue at this point.

Given all issues have been address to our satisfaction, closing the review.

</blockquote

Comment by @atanassov Jul 1, 2020 (See Github)

We reviewed this proposal one more time during our June 29 breakout. At this point we are happy to see it continue to evolve with the HTML community.

@dbaron issue about clarifying the concepts of cross-origin and same-site seems well handled.

@atanassov (my) issue about exposing the functionality behind an API such as document.domain has been self-answered after re-reading the explainer and your additional comments, thus, I consider it non-issue at this point.

Given all issues have been address to our satisfaction, closing the review.

Comment by @domenic Dec 11, 2020 (See Github)

FYI, we are planning to rename the feature to "origin-keyed agent clusters" (the header would be Origin-Agent-Cluster), as we encountered folks who thought that "isolation" meant security guarantees. See more details in https://github.com/whatwg/html/issues/6192.

Comment by @kenchris Dec 11, 2020 (See Github)

I support that rename