LGTM1. Excited to see this happening. On Monday, September 16, 2024 at 12:23:09 AM UTC-7 Yoav Weiss wrote:
> Contact emailsyoavwe...@chromium.org > > Explainer > https://gist.github.com/yoavweiss/c7b61e97e6f8d207be619f87ab96ead5 > > Specificationhttps://github.com/whatwg/html/pull/10394 > > The PR hasn't landed yet, but I believe it is ready to land (% potential > nits). > I'm not aware of any open issues. > > Summary > > Some origins can contain different applications with different levels of > security requirements. In those cases, it can be beneficial to prevent > scripts running in one application from being able to open and script pages > of another same-origin application. In such cases, it can be beneficial for > a document to ensure its opener cannot script it, even if the opener > document is a same-origin one. The `noopener-allow-popups` > Cross-Origin-Opener-Policy value will allow documents to define that. > > > Blink componentBlink > <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink> > > TAG reviewhttps://github.com/w3ctag/design-reviews/issues/964 > > TAG review statusIssues addressed > > Risks > > > Interoperability and Compatibility > > Compatibility risk: As this feature adds a new COOP value, it doesn't run > a risk of colliding with existing values. Where we may see some risk is > when developers start using this value in ways that would surprise other > teams on their origins. (as they would no longer have scripting access to > opened documents) I don't expect that to happen often, and if it would it's > something that developers would find out at development time. So I don't > expect that to impact users. Interoperability risk: WebKit's positive > position makes me optimistic that I'd be able to land the feature there > <https://github.com/WebKit/WebKit/pull/30344> as well. > > > *Gecko*: No signal ( > https://github.com/mozilla/standards-positions/issues/1037) > > *WebKit*: Support ( > https://github.com/WebKit/standards-positions/issues/360) > > *Web developers*: No particular signals, other than the fact that Shopify > is interested in this. > > *Other signals*: > > Security > > No particular issues: > https://gist.github.com/yoavweiss/3cb7283f56717f6dfe6da05009a27a65 > > > The main risk is having developers over rely on the protections this would > provide. Input from Chrome and Google security folks led to the inclusion > of a spec note > <https://whatpr.org/html/10394/browsers.html#cross-origin-opener-policies:top-level-browsing-context-6> > > warning developers against it and indicating what else they'd need to do > for more holistic isolation of same-origin documents from others. > > > I'm planning to add a similar note to developer-facing docs > <https://github.com/mdn/mdn/issues/579>. > > WebView application risks > > Does this intent deprecate or change behavior of existing APIs, such that > it has potentially high risk for Android WebView-based applications? > > None > > > Debuggability > > None > > > Will this feature be supported on all six Blink platforms (Windows, Mac, > Linux, ChromeOS, Android, and Android WebView)?Yes > > Is this feature fully tested by web-platform-tests > <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md> > ?Yes > > > https://wpt.fyi/results/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https.html?label=experimental&label=master&aligned > > > The test doesn't pass on the bots as the feature is disabled using a base > feature flag (and no runtime flag). > > Flag name on chrome://flagsNone > > Finch feature nameCoopNoopenerAllowPopups > > Requires code in //chrome?False > > Tracking bughttps://issues.chromium.org/issues/344963946 > > Measurement > https://chromestatus.com/metrics/feature/timeline/popularity/5029 > https://chromestatus.com/metrics/feature/timeline/popularity/5030 > > Estimated milestones > Shipping on desktop 131 > Shipping on Android 131 > Shipping on WebView 131 > > Anticipated spec changes > > Open questions about a feature may be a source of future web compat or > interop issues. Please list open issues (e.g. links to known github issues > in the project for the feature specification) whose resolution may > introduce web compat/interop risk (e.g., changing to naming or structure of > the API in a non-backward-compatible way). > > > No open questions ATM. > > Link to entry on the Chrome Platform Status > https://chromestatus.com/feature/5163293877731328?gate=4905084336209920 > > Links to previous Intent discussionsIntent to Prototype: > https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSJj33d%3D0B0tNpD0qrYWzygx0i02bWdhbV3aSCgbjS3Ndw%40mail.gmail.com > > > This intent message was generated by Chrome Platform Status > <https://chromestatus.com/>. > -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscr...@chromium.org. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/24c89356-98aa-4503-83d1-a015c5ab7f1cn%40chromium.org.
