Closed Bug 1543068 Opened 7 months ago Closed 3 months ago

Final Cross-Origin-Embedder-Policy design


(Core :: DOM: Networking, defect, P2)




Tracking Status
firefox70 --- fixed


(Reporter: annevk, Assigned: junior)


(Depends on 1 open bug, Blocks 2 open bugs)


(Whiteboard: [necko-triaged])


(6 files)

Before shipping Cross-Origin we should ensure the design is final and agreed upon by other implementers in case it hasn't yet made it into the HTML Standard.

Depends on: 1543070
Priority: -- → P2
Whiteboard: [necko-triaged]

Anne, please add a comment about the changes that we'll need to make for the final implementation.

Flags: needinfo?(annevk)

The initial sketch that we implement is at The replacement is at and discussion of the issues there are at onward.

Changes that need to happen:

  • Tests need to be updated to account for the new header name and single value.
  • Implementation needs to switch from enforcing CORS to enforcing Cross-Origin-Embedder-Policy (for navigations) and Cross-Origin-Resource-Policy (for subresources) as per the above document.
  • For some COOP process-switching checks COEP is also relevant and needs to be taken into account. E.g., if COOP matches and COEP doesn't that's problematic and those two resources cannot end up in the same process. COEP on its own never forces a process switch, but will restrict what can be fetched.
  • postMessage() changes still need to be made. I filed bug 1562663 to track these.

I think we can start working on these changes if we have no other important work (such as making the process switching reliable) as we're fairly close to an agreement, but there will be some more iteration.

Summary: Final Cross-Origin design → Final Cross-Origin-Embedder-Policy design
Blocks: 1532287

Progress on tests can be followed at Help and review appreciated there as well.

Flags: needinfo?(annevk)
Depends on: 1566431

(a) Well, I tested html/cross-origin-embedder-policy/ in
Only one failure in html/cross-origin-embedder-policy/require-corp.https.html:

promise_test(t => {
  promise_rejects(t, new TypeError(), fetch(get_host_info().HTTPS_REMOTE_ORIGIN+"/common/blank.html", {mode: "no-cors"}));
}, `"require-corp" top-level: fetch() to response without CORP should fail`);

nsHttpChannel successfully aborts the fetch, the console shows NetworkError, but it can't pass the test.

(b) Another thing to followup is taking reserved client into account for CORP checking

It's not crystal clear to me, but current implementation works well for our proposed wpt.

Assignee: nobody → juhsu

I believe it's the right thing to do.
COEP inherits opener's COEP and is overwritten if COEP by response is stricter.
i.e., we no more need the inherited one.

Hello Anne,
We're checking the corpp and have some questions: If policy is null, and embedder policy is "require-corp", set policy to "same-origin".

If the corp is invalid (i.e., not in ["same-origin", "same-site", "cross-origin"]) and coep is "require-corp", shouldn't we set the policy to "same-origin"?
I guess we want the embeddee correctly set the corp.

Otherwise, indicates that the invalid corp behaves like "cross-origin".

What do you think, Anne?

Flags: needinfo?(annevk)

I think invalid should be "same-origin" as well, but Mike West thinks that would make introducing new values, such as a comma-separated sequence of origin literals, harder. Let's go with "cross-origin" as fallback for now, but add a comment that we might want to make that stricter.

Flags: needinfo?(annevk)
Depends on: 1572513
Pushed by
P1 Substitute Cross-Origin header with COEP r=nika
P1.5 Remove InheritedEmbedderPolicy r=nika
P2 Take COEP into account in CORP check r=nika
P3 Take COEP into account for COOP mismatch r=nika
P4 pass COEP check if target is not a nested browsing context r=nika
P5 disabled Cross-Origin tests r=nika
Depends on: 1574676
You need to log in before you can comment on or make changes to this bug.