Closed Bug 1543066 Opened 8 months ago Closed 3 months ago

Final Cross-Origin-Opener-Policy design


(Core :: DOM: Networking, defect, P2)




Tracking Status
firefox70 --- fixed


(Reporter: annevk, Assigned: junior)


(Depends on 1 open bug, Blocks 1 open bug)


(Whiteboard: [necko-triaged])


(2 files)

Before shipping Cross-Origin-Opener-Policy we should ensure the design is final and agreed upon by other implementers in case it hasn't yet made it into the HTML Standard.

Priority: -- → P2
Whiteboard: [necko-triaged]

Anne, please add a comment about the changes that we'll need to make for the final implementation.

Flags: needinfo?(annevk)

To the extent that we correctly implement we might be able to ship soon, given that Artur and I recently changed course on inheriting to keep the status quo. However, there have been requests from sites for additional functionality:

  • unsafe-inherit as discussed at This would require copying the COOP from the creator and storing it on the current session history entry.
  • Reporting as discussed at This is quite a substantial addition that also requires our feedback against the Reporting API to be addressed. I think we should only block on this if Luke hears from partners that this is a blocker.

Potential risks with shipping:

  • Google and Safari have not fully evaluated the design and might find things to tweak further.
  • Sites are uncomfortable deploying without unsafe-inherit support and end up having to perform UA-sniffing. In particular, if they rely on a COOP: same-origin being able to open a COOP: unsafe-inherit. (This is not a risk for reporting as far as I can tell as in that case there would either be an alternative header or the main header would fail to parse.)

As mentioned over in bug 1543068 the other thing that affects the Cross-Origin-Opener-Policy logic is that when Cross-Origin-Embedder-Policy is also specified it will affect the matching check. I don't know to what extent our current implementation takes that into account, but this would be something that needs doing unless we want to ship it before COEP. I also think that given the concern above we should add unsafe-inherit now rather than later.

So changes needed in summary:

  • Require HTTPS
  • Add unsafe-inherit support (processing model is added to the gist)
  • Add COEP support (processing model is added to the gist)

Tests are being written here: Review appreciated!

(The only further changes I can foresee are around non-HTTP URLs. I plan to add more tests for those and that might influence the model somewhat.)

Flags: needinfo?(annevk)
Depends on: 1566431
Depends on: 1566868

(In reply to Anne (:annevk) from comment #4)

So changes needed in summary:

  • Require HTTPS

I'd like to make this clear.
Does it apply to both obtain a cross-origin opener-policy and match cross-origin opener-policies?

  • Add unsafe-inherit support (processing model is added to the gist)

This is covered by Comment 5.

  • Add COEP support (processing model is added to the gist)

The is covered by Bug 1543068 Comment 6

Assignee: nobody → juhsu
Flags: needinfo?(annevk)

It applies to obtaining a policy. In particular, we should still perform a match if one out of two documents does not use HTTPS. (about:blank is not an HTTPS document but will get its COOP copied from one. A document delivered over insecure HTTP will always lack COOP.)

Otherwise HTTPS with COOP could get HTTP without COOP into its process, which would be bad.

Flags: needinfo?(annevk)
Depends on: 1570889
Attachment #9082505 - Attachment description: But 1543066 - P1 Implement COOP:unsafe-inherit → Bug 1543066 - P1 Implement COOP:unsafe-inherit
Pushed by
P1 Implement COOP:unsafe-inherit r=nika
P2 Do not obtain a cross-origin opener-policy through non-HTTPS r=nika

Backed out for COOP related failures on new_window_null.tentative.html


push with failures: started permafailing on tier-1 with this push

failure log:

[task 2019-08-10T22:22:29.747Z] 22:22:29 INFO - TEST-PASS | /html/cross-origin-opener/new_window_null.tentative.html | null document opening popup to http://web-platform.test:8000 with COOP: "jibberish"
[task 2019-08-10T22:22:29.747Z] 22:22:29 INFO - TEST-UNEXPECTED-FAIL | /html/cross-origin-opener/new_window_null.tentative.html | null document opening popup to http://web-platform.test:8000 with COOP: "same-site" - assert_equals: expected "" but got "null_to_SAME_ORIGIN_same-site"
[task 2019-08-10T22:22:29.747Z] 22:22:29 INFO - coop_test/bc.onmessage<@http://web-platform.test:8000/html/cross-origin-opener/common.sub.js:9:18
[task 2019-08-10T22:22:29.747Z] 22:22:29 INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:1611:25
[task 2019-08-10T22:22:29.747Z] 22:22:29 INFO - Test.prototype.step_func_done/<@http://web-platform.test:8000/resources/testharness.js:1651:32
[task 2019-08-10T22:22:29.748Z] 22:22:29 INFO - coop_test@http://web-platform.test:8000/html/cross-origin-opener/common.sub.js:13:18
[task 2019-08-10T22:22:29.748Z] 22:22:29 INFO - run_coop_tests/<@http://web-platform.test:8000/html/cross-origin-opener/common.sub.js:23:14
[task 2019-08-10T22:22:29.748Z] 22:22:29 INFO - Test.prototype.step@http://web-platform.test:8000/resources/testharness.js:1611:25
[task 2019-08-10T22:22:29.748Z] 22:22:29 INFO - async_test@http://web-platform.test:8000/resources/testharness.js:576:22
[task 2019-08-10T22:22:29.748Z] 22:22:29 INFO - run_coop_tests@http://web-platform.test:8000/html/cross-origin-opener/common.sub.js:22:14
[task 2019-08-10T22:22:29.748Z] 22:22:29 INFO - @http://web-platform.test:8000/html/cross-origin-opener/new_window_null.tentative.html:36:15
[task 2019-08-10T22:22:29.749Z] 22:22:29 INFO -

Flags: needinfo?(juhsu)

Should disable the outdated test

Flags: needinfo?(juhsu)
Pushed by
P1 Implement COOP:unsafe-inherit r=nika
P2 Do not obtain a cross-origin opener-policy through non-HTTPS r=nika
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Depends on: 1574000
Regressions: 1574603
You need to log in before you can comment on or make changes to this bug.