#527: Cross-origin opener policy reporting API
Discussions
2020-06-29
Yves: I was a bit concerned that there is already a CSP reporting - so maybe instead of creating a new header, reuse it?
Peter: there are other reporting APIs as well. We gave them feedback - as long as it's separate, I'm OK with it being a new header. HPKP has the same thing.
Yves: that's just at the HTTP level, not a JS API
Peter: true. The point of this header isn't to generate a report...
Yves: It's reporting what will be blocked but doesn't block anything. Apart from the point I made about CSP - seems OK to have that kind of thing. Good section on how not to leak private information or leak info to 3rd parties.
Peter: they went through a lot of work to figure out what can and should be reported...
Dan: Why is this whatwg and not webappsec?
Yves: cross origin opener policy is defined in Fetch...
Tess: what is the relationship between this reporting API and the reporting API defined by the web performance working group?
Yves: that also uses structured headers... so could be a good match.
Peter: it's not just the fact you want to report but you want to get a report as if the cross-origin policy is on. You need to have a report-only mode. You could put in a switch in the one header and not have 2 headers... Useful to have reports one way or the other...
Yves: related to secure context as well...
David: [summarizing] opting into a stricter model so browsers can have better guarantees about site isolation - because of SPECTRE
Opened Jun 18, 2020
Saluton TAG!
I'm requesting a TAG review of Cross-origin opener policy API.
We want to provide a reporting API for cross-origin opener policy (COOP) to help developers deploy it on their websites. In addition to reporting breakages when COOP is enforced, we want to provide a report-only mode for COOP. The report-only mode for COOP will not enforce COOP, but it will report potential breakages that would have happened had we enforced COOP.
Further details:
You should also know that...
[please tell us anything you think is relevant to this review]
We'd prefer the TAG provide feedback as (please delete all but the desired option): 🐛 open issues in our GitHub repo for each point of feedback
Thank you! Camille
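The split between enforcing and report-only COOP described in the request above, as an added example that is not part of the original issue or of any browser's code. It assumes the header names and report fields (`disposition`, `effectivePolicy`, `type`) as later specified for COOP reporting; the endpoint name, URLs and sample batch are constructed.

```javascript
// Added example; endpoint name and URL are constructed placeholders.
const ENDPOINT = { name: "coop", url: "https://reports.example/coop" };

// Headers for a staged rollout: "report-only" observes without changing
// browsing-context behaviour, "enforce" applies the policy and still reports.
function coopHeaders(mode, policy = "same-origin") {
  const header = mode === "enforce"
    ? "Cross-Origin-Opener-Policy"
    : "Cross-Origin-Opener-Policy-Report-Only";
  return {
    [header]: `${policy}; report-to="${ENDPOINT.name}"`,
    "Reporting-Endpoints": `${ENDPOINT.name}="${ENDPOINT.url}"`,
  };
}

// Split a delivered batch (application/reports+json) by disposition, so
// would-be breakage from report-only is kept apart from real breakage.
function summarizeCoopReports(jsonText) {
  const summary = { enforce: [], reporting: [], ignored: 0 };
  let batch;
  try { batch = JSON.parse(jsonText); } catch (e) { return summary; }
  if (!Array.isArray(batch)) return summary;
  for (const report of batch) {
    const body = report && report.type === "coop" ? report.body : null;
    const disposition = body && body.disposition;
    if (disposition === "enforce" || disposition === "reporting") {
      summary[disposition].push({ page: report.url, kind: body.type });
    } else {
      summary.ignored += 1; // other report types or malformed entries
    }
  }
  return summary;
}

// Constructed sample batch, not captured from a real browser.
const SAMPLE_BATCH = JSON.stringify([
  { type: "coop", url: "https://app.example/login",
    body: { disposition: "reporting", effectivePolicy: "same-origin",
            type: "navigation-to-response" } },
  { type: "coop", url: "https://app.example/pay",
    body: { disposition: "enforce", effectivePolicy: "same-origin",
            type: "navigation-from-response" } },
  { type: "csp-violation", url: "https://app.example/", body: {} },
]);

console.log(coopHeaders("report-only"));
console.log(summarizeCoopReports(SAMPLE_BATCH));
```

Entries under `reporting` are the potential breakages to resolve before switching `coopHeaders` to `"enforce"`.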