Yes, the scripts are loaded using CORS. On Tue, Jul 23, 2024 at 5:16 AM Jonathan Hao <[email protected]> wrote:
> Hi Cammie, > > A question from the security reviewers: Do cross-origin worklet scripts by > addModule have the same protection as a cross-origin <script> (such as > CORS)? > > Best, > Jonathan > > On Wednesday, July 17, 2024 at 8:30:38 PM UTC+1 Cammie Smith Barnes wrote: > >> Contact emails >> >> [email protected], [email protected], [email protected], >> [email protected] >> >> Explainer >> >> https://github.com/WICG/shared-storage/blob/main/README.md >> >> Specification >> >> https://github.com/WICG/shared-storage/pull/161 >> >> Summary and Motivation >> >> We have received feedback from developers stating they wanted to be able >> to host and run their worklet script on a separate origin (e.g., a cdn) >> from the origin that owns and writes their shared storage data. Therefore, >> we’re removing the same-origin restriction for addModule worklet scripts. >> Note that, when the worklet script is cross-origin to the invoking context, >> the invoking context's origin is still used as the partition origin for >> accessing shared storage. >> >> We also made a second change, which is to align the new >> sharedStorage.createWorklet API (shipped in M125) with addModule to use the >> calling context’s origin as the data origin by default (instead of the >> script’s origin as the data origin). This is a breaking change, and we >> discuss our mitigations below. >> >> Blink component >> >> Blink>Storage>SharedStorage >> <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EStorage%3ESharedStorage> >> >> Initial public proposal >> >> https://github.com/WICG/shared-storage/pull/158 >> >> TAG review >> >> None >> >> TAG review status >> >> We asked >> <https://github.com/w3ctag/design-reviews/issues/747#issuecomment-2075450880> >> if they’d like to see follow-up changes to shared storage given its >> unsatisfied status, and have not received a response. We take the lack of >> response as a signal that they would not like to be made aware of >> subsequent changes. >> >> Risks >> >> Interoperability and Compatibility >> >> There are no interop risks as no other browser has implemented shared >> storage. There is a compat risk for the recently released createWorklet >> API. The worklet created by createWorklet before this change had the data >> partition of the script’s origin. We’re changing it, to align with >> addModule, to use the calling context’s origin instead. We’re monitoring >> usage here >> <https://chromestatus.com/metrics/feature/timeline/popularity/5007> of >> the existing API and reaching out to folks using it to let them know that >> they should make the following forward-compatible change if they want the >> existing default behavior of createWorklet to continue to function after >> this change: >> >> before: sharedStorage.createWorklet(worklet_url); >> >> after: sharedStorage.createWorklet(worklet_url, { dataOrigin: >> “script-origin” }); >> >> The dataOrigin option will be ignored on browsers previous to this >> change, and honored correctly after. >> >> We have created a use counter for usage of createWorklet without the >> forward-compatible dataOrigin option so that we will know when it’s safe to >> make this change. We are also monitoring usage of addModule with scripts >> that are cross-origin to the calling context here >> <https://chromestatus.com/metrics/feature/timeline/popularity/5028>, as >> those will suddenly work when they did not before which could be surprising >> to developers. >> >> >> Gecko: No signal >> >> WebKit: No signal >> >> Web developers: No signals >> >> Other signals: >> >> WebView application risks >> >> Does this intent deprecate or change behavior of existing APIs, such that >> it has potentially high risk for Android WebView-based applications? >> >> None >> >> >> Debuggability >> >> None >> >> Is this feature fully tested by web-platform-tests >> <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> >> ? >> >> Not yet >> >> Flag name on chrome://flags >> >> None >> >> Finch feature name >> >> SharedStorageCrossOriginScript >> >> Non-finch justification >> >> None >> >> Requires code in //chrome? >> >> False >> >> Estimated milestones >> >> M129 >> >> >> Link to entry on the Chrome Platform Status >> >> https://chromestatus.com/feature/6531477832204288 >> <https://chromestatus.com/feature/6531477832204288?gate=4670064239050752> >> >> This intent message was generated by Chrome Platform Status >> <https://chromestatus.com/>. >> >> -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAJ8xcq5qPJdR3sNWKC7pkVQ%2BZiNsSQWcz%3DWgqc24HxBg_%3DWK6A%40mail.gmail.com.
