Closed Bug 1543066 Opened 5 years ago Closed 5 years ago

Final Cross-Origin-Opener-Policy design

Categories

(Core :: DOM: Networking, defect, P2)

Product:
Core
Component:
DOM: Networking
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla70
Tracking Flags:
Tracking Status
firefox70 --- fixed

People

(Reporter: annevk, Assigned: CuveeHsu)

References

(Depends on 1 open bug)

Details

(Whiteboard: [necko-triaged])

Attachments

(2 files)

Bug 1543066 - P1 Implement COOP:unsafe-inherit
47 bytes, text/x-phabricator-request
Details | Review
Bug 1543066 - P2 Do not obtain a cross-origin opener-policy through non-HTTPS
47 bytes, text/x-phabricator-request
Details | Review

Before shipping Cross-Origin-Opener-Policy we should ensure the design is final and agreed upon by other implementers in case it hasn't yet made it into the HTML Standard.

Priority: -- → P2
Whiteboard: [necko-triaged]

Anne, please add a comment about the changes that we'll need to make for the final implementation.

Flags: needinfo?(annevk)

To the extent that we correctly implement https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e we might be able to ship soon, given that Artur and I recently changed course on inheriting to keep the status quo. However, there have been requests from sites for additional functionality:

  • unsafe-inherit as discussed at https://github.com/whatwg/html/issues/4581. This would require copying the COOP from the creator and storing it on the current session history entry.
  • Reporting as discussed at https://github.com/whatwg/html/issues/4622. This is quite a substantial addition that also requires our feedback against the Reporting API to be addressed. I think we should only block on this if Luke hears from partners that this is a blocker.

Potential risks with shipping:

  • Google and Safari have not fully evaluated the design and might find things to tweak further.
  • Sites are uncomfortable deploying without unsafe-inherit support and end up having to perform UA-sniffing. In particular, if they rely on a COOP: same-origin being able to open a COOP: unsafe-inherit. (This is not a risk for reporting as far as I can tell as in that case there would either be an alternative header or the main header would fail to parse.)
See Also: → https://bugs.chromium.org/p/chromium/issues/detail?id=922191

As mentioned over in bug 1543068 the other thing that affects the Cross-Origin-Opener-Policy logic is that when Cross-Origin-Embedder-Policy is also specified it will affect the matching check. I don't know to what extent our current implementation takes that into account, but this would be something that needs doing unless we want to ship it before COEP. I also think that given the concern above we should add unsafe-inherit now rather than later.

So changes needed in summary:

  • Require HTTPS
  • Add unsafe-inherit support (processing model is added to the gist)
  • Add COEP support (processing model is added to the gist)

Tests are being written here: https://github.com/web-platform-tests/wpt/pull/17606. Review appreciated!

(The only further changes I can foresee are around non-HTTP URLs. I plan to add more tests for those and that might influence the model somewhat.)

Flags: needinfo?(annevk)
Depends on: 1566431
Depends on: 1566868

(In reply to Anne (:annevk) from comment #4)

So changes needed in summary:

  • Require HTTPS

I'd like to make this clear.
Does it apply to both obtain a cross-origin opener-policy and match cross-origin opener-policies?

  • Add unsafe-inherit support (processing model is added to the gist)

This is covered by Comment 5.

  • Add COEP support (processing model is added to the gist)

The is covered by Bug 1543068 Comment 6

Assignee: nobody → juhsu
Flags: needinfo?(annevk)

It applies to obtaining a policy. In particular, we should still perform a match if one out of two documents does not use HTTPS. (about:blank is not an HTTPS document but will get its COOP copied from one. A document delivered over insecure HTTP will always lack COOP.)

Otherwise HTTPS with COOP could get HTTP without COOP into its process, which would be bad.

Flags: needinfo?(annevk)
Depends on: 1570889
Attachment #9082505 - Attachment description: But 1543066 - P1 Implement COOP:unsafe-inherit → Bug 1543066 - P1 Implement COOP:unsafe-inherit
Pushed by juhsu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/20f44d88ae9c
P1 Implement COOP:unsafe-inherit r=nika
https://hg.mozilla.org/integration/autoland/rev/8b50000b89dd
P2 Do not obtain a cross-origin opener-policy through non-HTTPS r=nika

Backed out for COOP related failures on new_window_null.tentative.html

backout: https://hg.mozilla.org/integration/autoland/rev/c4c419cbd79376be3cb086a3ce574a36a9c6a5ad

push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&searchStr=wpt&revision=8b50000b89ddcc8ebb0a259f481e1d2459026839&selectedJob=260974612 started permafailing on tier-1 with this push

failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=260974612&repo=autoland&lineNumber=3208

[task 2019-08-10T22:22:29.747Z] 22:22:29 INFO - TEST-PASS | /html/cross-origin-opener/new_window_null.tentative.html | null document opening popup to http://web-platform.test:8000 with COOP: "jibberish"
[task 2019-08-10T22:22:29.747Z] 22:22:29 INFO - TEST-UNEXPECTED-FAIL | /html/cross-origin-opener/new_window_null.tentative.html | null document opening popup to http://web-platform.test:8000 with COOP: "same-site" - assert_equals: expected "" but got "null_to_SAME_ORIGIN_same-site"
[task 2019-08-10T22:22:29.747Z] 22:22:29 INFO - coop_test/bc.onmessage<@http://web-platform.test:8000/html/cross-origin-opener/common.sub.js:9:18
[task 2019-08-10T22:22:29.747Z] 22:22:29 INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:1611:25
[task 2019-08-10T22:22:29.747Z] 22:22:29 INFO - Test.prototype.step_func_done/<@http://web-platform.test:8000/resources/testharness.js:1651:32
[task 2019-08-10T22:22:29.748Z] 22:22:29 INFO - coop_test@http://web-platform.test:8000/html/cross-origin-opener/common.sub.js:13:18
[task 2019-08-10T22:22:29.748Z] 22:22:29 INFO - run_coop_tests/<@http://web-platform.test:8000/html/cross-origin-opener/common.sub.js:23:14
[task 2019-08-10T22:22:29.748Z] 22:22:29 INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:1611:25
[task 2019-08-10T22:22:29.748Z] 22:22:29 INFO - async_test@http://web-platform.test:8000/resources/testharness.js:576:22
[task 2019-08-10T22:22:29.748Z] 22:22:29 INFO - run_coop_tests@http://web-platform.test:8000/html/cross-origin-opener/common.sub.js:22:14
[task 2019-08-10T22:22:29.748Z] 22:22:29 INFO - @http://web-platform.test:8000/html/cross-origin-opener/new_window_null.tentative.html:36:15
[task 2019-08-10T22:22:29.749Z] 22:22:29 INFO -

Flags: needinfo?(juhsu)

Should disable the outdated test

Flags: needinfo?(juhsu)
Pushed by juhsu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a1253a83b8dc
P1 Implement COOP:unsafe-inherit r=nika
https://hg.mozilla.org/integration/autoland/rev/bdf5917304fb
P2 Do not obtain a cross-origin opener-policy through non-HTTPS r=nika

https://hg.mozilla.org/mozilla-central/rev/a1253a83b8dc
https://hg.mozilla.org/mozilla-central/rev/bdf5917304fb

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox70: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Depends on: 1574000
Regressions: 1574603
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: