#760: COOP: restrict-properties early review
Discussions
2022-10-17
Dan: Previous review: https://github.com/w3ctag/design-reviews/issues/649 - lots of issues raised regarding complexity. What has changed? No signal about multi stakeholder. Not clear how they've addressed feedback from our first request. leaves comment
2022-11-14
Max: Dan asked what's different with 649 but we haven't got a response. Looks very similar.
Dan: security review is not complete
2022-11-28
Dan: their feedback
Max: In the last sentence - they said they'll come back and provide more info based on the trial.
Dan: should we wait for their response?
Max: they suggested that the trial will give a better understanding. Probably we can wait for more information, then discuss with more information.
2023-02-27
Max: Some feedback from them. They updated the explainer. In the new explainer - from other browsers there is no signal... Not sure whether there is a concern.
Dan: comment about a new spec concept, coop group, is interesting.. trying to address developer complexity, is good
Max: there is a diagram explaining coop group.. within this new coop group pages can have async access ...
Dan: user need...? Some discussion on user needs in previous issue... and here.
Dan: taking a look here .. is it unreasonable to ask for a paragraph of user needs before this paragraph?
Amy: it is OK.
<blockquote> Hi @hemeryar we're happy to help. However (and I apologize if I sound like a broken record here) but I'm still missing discussion of *user need* in this explainer. What I guess I am looking for is a paragraph before https://github.com/hemeryar/coi-with-popups#why-does-crossoriginisolated-require-coop-same-origin (before the paragraph that starts "because of Spectre") that says something along the lines of "a common web usage pattern is this: users try to accomplish xxx goals; web sites use yyy technologies to create a user experience to service these goals. ZZZ information is exchanged in the following ways.... Because of Spectre this is put at risk in the following ways..." I appreciate that this work is solving an important set of security problems for the web - however part of the TAG review is necessarily to understand how it fits into the overall set of user needs of the web platform.
</blockquote>
Amy: we want to understand this at a higher level so we can see if there are conflicts or related or overlapping work going on elsewhere in another group that this group isn't aware of.. so we can link them up and make sure they're not going to get in each others way...
2023-03-13
Dan: I asked them to provide some user needs
Tess: but they provided you developer needs instead
Tess: left a comment to that effect
2023-04-tokyo
Peter & Tess worried (yet again) about how, in a post-Spectre world, there are many knobs web developers / web server operators need to turn in order to regain access to features like SharedArrayBuffer, and with proposals like this it feels like we keep adding more knobs.
It would be great if there were a one-stop-shop document that spells out, in as straightforward a manner as possible, what a web developer needs to do, and for such a document to be maintained as more knobs get added. Perhaps we should spin up a TAG task force to do this? Perhaps such a task force could also tackle Overall review of features which enable/disable subframe or subresource capabilities #525…
2023-05-22
Dan: they got back to us with user needs - it looks better.
Max: could be more detail in the user needs.
Dan: Drafts comment
Dan: Developer complexity also an important issue here...
2023-05-29
Max: they have not answered the multi-stakeholder question
Dan: I raised this with Chris Harrelson at Google last week.
Max: the user need is important - we've spent a lot of time in discussion with the authors regarding the user need. Regarding the solution: if there is this kind of complexity it needs some very strong user requirement as justification. That is my feeling. It's an optimization regarding the current cross-origin policy... For the user needs section we've asked authors to clarify. They gave some examples from the developer perspective. From the user needs perspective.. not as clear. I agree with the previous comment. If there are some more concrete user needs it would be good. And multi-stakeholder is very important.
Dan: yes - what is holding back other implementers from embracing this approach? So far no signals in WebKit or Mozilla standards positions.
2024-01-london
Dan leaves a comment since it looks like this may have been overtaken by another proposal
2024-03-18
Max: they have indicated they will modify their proposal. https://github.com/w3ctag/design-reviews/issues/760#issuecomment-1934474449
Dan: leaves a comment acking their response. https://github.com/w3ctag/design-reviews/issues/760#issuecomment-2003485944
Opened Jul 27, 2022
Wotcher TAG!
I'm requesting a TAG review of a new value for Cross-Origin-Opener-Policy: "restrict-properties".
This is the second iteration of trying to have crossOriginIsolated while interacting with cross-origin popups. The goal is still the same: be able to benefit from powerful APIs like SharedArrayBuffer without breaking interaction with cross-origin popups like Auth flows or payments.
Further details:
You should also know that...
[please tell us anything you think is relevant to this review]
We'd prefer the TAG provide feedback as: 💬 leave review feedback as a comment in this issue and @-notify [hemeryar]