LGTM3

(Would be nice to have the PR landed, but it does look like it's just a post-vacation delay rather than any concerns so I will assume that it's landing Real Soon Now)

/Daniel

On 2024-09-18 17:44, Chris Harrelson wrote:
LGTM2

On Wed, Sep 18, 2024 at 8:44 AM Alex Russell <slightly...@chromium.org> wrote:

    LGTM1. Excited to see this happening.

    On Monday, September 16, 2024 at 12:23:09 AM UTC-7 Yoav Weiss wrote:


                Contact emails

        yoavwe...@chromium.org


                Explainer

        https://gist.github.com/yoavweiss/c7b61e97e6f8d207be619f87ab96ead5


                Specification

        https://github.com/whatwg/html/pull/10394

        The PR hasn't landed yet, but I believe it is ready to land (%
        potential nits).
        I'm not aware of any open issues.


                Summary

        Some origins can contain different applications with different
        levels of security requirements. In those cases, it can be
        beneficial to prevent scripts running in one application from
        being able to open and script pages of another same-origin
        application. In such cases, it can be beneficial for a
        document to ensure its opener cannot script it, even if the
        opener document is a same-origin one. The
        `noopener-allow-popups` Cross-Origin-Opener-Policy value will
        allow documents to define that.



                Blink component

        Blink
        <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink>


                TAG review

        https://github.com/w3ctag/design-reviews/issues/964


                TAG review status

        Issues addressed


                Risks



                Interoperability and Compatibility

        Compatibility risk: As this feature adds a new COOP value, it
        doesn't run a risk of colliding with existing values. Where we
        may see some risk is when developers start using this value in
        ways that would surprise other teams on their origins (as
        they would no longer have scripting access to opened
        documents). I don't expect that to happen often, and if it
        would it's something that developers would find out at
        development time. So I don't expect that to impact users.
        Interoperability risk: WebKit's positive position makes me
        optimistic that I'd be able to land the feature there
        <https://github.com/WebKit/WebKit/pull/30344> as well.



        /Gecko/: No signal
        (https://github.com/mozilla/standards-positions/issues/1037)

        /WebKit/: Support
        (https://github.com/WebKit/standards-positions/issues/360)

        /Web developers/: No particular signals, other than the fact
        that Shopify is interested in this.

        /Other signals/:


                Security

        No particular issues:
        https://gist.github.com/yoavweiss/3cb7283f56717f6dfe6da05009a27a65


        The main risk is having developers over-rely on the
        protections this would provide. Input from Chrome and Google
        security folks led to the inclusion of a spec note
        <https://whatpr.org/html/10394/browsers.html#cross-origin-opener-policies:top-level-browsing-context-6>
        warning developers against it and indicating what else they'd
        need to do for more holistic isolation of same-origin
        documents from others.


        I'm planning to add a similar note to developer-facing docs
        <https://github.com/mdn/mdn/issues/579>.


                WebView application risks

        Does this intent deprecate or change behavior of existing
        APIs, such that it has potentially high risk for Android
        WebView-based applications?

        None



                Debuggability

        None



                Will this feature be supported on all six Blink
                platforms (Windows, Mac, Linux, ChromeOS, Android, and
                Android WebView)?

        Yes


                Is this feature fully tested by web-platform-tests
                <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?

        Yes

        https://wpt.fyi/results/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https.html?label=experimental&label=master&aligned


        The test doesn't pass on the bots as the feature is disabled
        using a base feature flag (and no runtime flag).


                Flag name on chrome://flags

        None


                Finch feature name

        CoopNoopenerAllowPopups


                Requires code in //chrome?

        False


                Tracking bug

        https://issues.chromium.org/issues/344963946


                Measurement

        https://chromestatus.com/metrics/feature/timeline/popularity/5029
        https://chromestatus.com/metrics/feature/timeline/popularity/5030


                Estimated milestones

        Shipping on desktop     131
        Shipping on Android     131
        Shipping on WebView     131



                Anticipated spec changes

        Open questions about a feature may be a source of future web
        compat or interop issues. Please list open issues (e.g. links
        to known github issues in the project for the feature
        specification) whose resolution may introduce web
        compat/interop risk (e.g., changing to naming or structure of
        the API in a non-backward-compatible way).


        No open questions ATM.


                Link to entry on the Chrome Platform Status

        https://chromestatus.com/feature/5163293877731328?gate=4905084336209920


                Links to previous Intent discussions

        Intent to Prototype:
        https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOmohSJj33d%3D0B0tNpD0qrYWzygx0i02bWdhbV3aSCgbjS3Ndw%40mail.gmail.com


        This intent message was generated by Chrome Platform Status
        <https://chromestatus.com/>.

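One way a server could scope the `noopener-allow-popups` value from the Summary to a single application on a shared origin. This is an added example, not part of the thread or of Chromium; the `/admin` and `/storefront` paths and the function names are hypothetical.

```javascript
// Added example. Assumption: two applications share one origin, a
// higher-privilege one under /admin and a lower-privilege one under
// /storefront. Both path names are hypothetical.
const ISOLATED_PREFIXES = ['/admin'];

// Returns the Cross-Origin-Opener-Policy value for a request target,
// or null when no COOP header should be sent.
function coopFor(requestTarget) {
  // Normalize dot-segments and drop the query string before matching, so
  // "/storefront/../admin/x" is classified by its normalized path.
  const { pathname } = new URL(requestTarget, 'http://placeholder.invalid');
  const isolated = ISOLATED_PREFIXES.some(
    // Match whole path segments: "/admin" and "/admin/x" qualify,
    // "/administrator" does not.
    (prefix) => pathname === prefix || pathname.startsWith(prefix + '/')
  );
  // A document served with this value cannot be scripted by its opener,
  // even when the opener is a same-origin document.
  return isolated ? 'noopener-allow-popups' : null;
}

// Request handler with the (req, res) shape used by Node's http.createServer.
function handler(req, res) {
  const coop = coopFor(req.url);
  if (coop !== null) {
    res.setHeader('Cross-Origin-Opener-Policy', coop);
  }
  res.setHeader('Content-Type', 'text/plain; charset=utf-8');
  res.end('ok\n');
}

// Constructed sample request targets, printed with the header decision.
for (const target of [
  '/storefront/cart',
  '/admin/orders?page=2',
  '/administrator/',
  '/storefront/../admin/settings',
]) {
  console.log(target.padEnd(32), coopFor(target) ?? '(no COOP header)');
}
```

The header only severs the opener relationship; as the Security section notes, it is not on its own a complete isolation boundary between same-origin documents.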