Final Cross-Origin-Embedder-Policy design
Categories
(Core :: DOM: Networking, defect, P2)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox70 | --- | fixed |
People
(Reporter: annevk, Assigned: CuveeHsu)
References
Details
(Whiteboard: [necko-triaged])
Attachments
(6 files, each 47 bytes, text/x-phabricator-request)
Before shipping Cross-Origin we should ensure the design is final and agreed upon by other implementers in case it hasn't yet made it into the HTML Standard.
Updated•5 years ago
Comment 1•5 years ago
Anne, please add a comment about the changes that we'll need to make for the final implementation.
Comment 2•5 years ago (Reporter)
The initial sketch that we implement is at https://gist.github.com/annevk/17f580379c45802d5c3aef5a8fd53c7d. The replacement is at https://mikewest.github.io/corpp/ and discussion of the issues there is at https://github.com/whatwg/html/issues/4175#issuecomment-503062816 onward.
Changes that need to happen:
- Tests need to be updated to account for the new header name and single value.
- Implementation needs to switch from enforcing CORS to enforcing Cross-Origin-Embedder-Policy (for navigations) and Cross-Origin-Resource-Policy (for subresources) as per the above document.
- For some COOP process-switching checks COEP is also relevant and needs to be taken into account. E.g., if COOP matches and COEP doesn't that's problematic and those two resources cannot end up in the same process. COEP on its own never forces a process switch, but will restrict what can be fetched.
- postMessage() changes still need to be made. I filed bug 1562663 to track these.
I think we can start working on these changes if we have no other important work (such as making the process switching reliable) as we're fairly close to an agreement, but there will be some more iteration.
Comment 3•5 years ago (Reporter)
Progress on tests can be followed at https://github.com/web-platform-tests/wpt/pull/17606. Help and review appreciated there as well.
Comment 4•5 years ago (Assignee)
Comment 5•5 years ago (Assignee)
Comment 6•5 years ago (Assignee)
Comment 7•5 years ago (Assignee)
Comment 8•5 years ago (Assignee)
(a) Well, I tested html/cross-origin-embedder-policy/ in https://github.com/web-platform-tests/wpt/pull/17606
Only one failure in html/cross-origin-embedder-policy/require-corp.https.html:
```
promise_test(t => {
  promise_rejects(t, new TypeError(), fetch(get_host_info().HTTPS_REMOTE_ORIGIN+"/common/blank.html", {mode: "no-cors"}));
}, `"require-corp" top-level: fetch() to response without CORP should fail`);
```
nsHttpChannel successfully aborts the fetch, the console shows NetworkError, but it can't pass the test.
(b) Another thing to follow up is taking reserved client into account for CORP checking.
It's not crystal clear to me, but current implementation works well for our proposed wpt.
Comment 9•5 years ago (Assignee)
I believe it's the right thing to do.
COEP inherits opener's COEP and is overwritten if COEP by response is stricter.
i.e., we no longer need the inherited one.
Comment 10•5 years ago (Assignee)
Comment 11•5 years ago (Assignee)
Comment 12•5 years ago (Assignee)
Hello Anne,
We're checking the corpp and have some questions:
3.2.1.6. If policy is null, and embedder policy is "require-corp", set policy to "same-origin".
If the corp is invalid (i.e., not in ["same-origin", "same-site", "cross-origin"]) and coep is "require-corp", shouldn't we set the policy to "same-origin"?
I guess we want the embeddee to correctly set the corp.
Otherwise, 3.2.1.7 indicates that the invalid corp behaves like "cross-origin".
What do you think, Anne?
Comment 13•5 years ago (Reporter)
I think invalid should be "same-origin" as well, but Mike West thinks that would make introducing new values, such as a comma-separated sequence of origin literals, harder. Let's go with "cross-origin" as fallback for now, but add a comment that we might want to make that stricter.
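The CORP decision discussed in comments 12 and 13, as an added example that is not Firefox's code and not part of the original thread. The names `corpCheck`, `siteOf` and `invalidFallback` and all host names are constructed for illustration; the same-site test is simplified to the last two host labels (browsers use the Public Suffix List), and the scheme rule for "same-site" is omitted.

```javascript
// Added example: CORP check with the embedder's COEP taken into account.
const VALID_CORP = new Set(["same-origin", "same-site", "cross-origin"]);

// Assumption: "site" is approximated by the last two host labels.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// corpHeader: the response's Cross-Origin-Resource-Policy value, or null.
// embedderPolicy: "require-corp" or null (the embedder's COEP).
// invalidFallback: how an unrecognized CORP value is treated (hypothetical
// parameter, so both positions from the thread can be compared).
function corpCheck(embedderUrl, resourceUrl, corpHeader, embedderPolicy,
                   invalidFallback = "cross-origin") {
  if (new URL(embedderUrl).origin === new URL(resourceUrl).origin) {
    return "allowed";
  }
  let policy = corpHeader;
  // Step quoted in comment 12: no header under require-corp => same-origin.
  if (policy === null && embedderPolicy === "require-corp") {
    policy = "same-origin";
  }
  // Comment 13: an invalid value falls back to "cross-origin" for now.
  if (policy !== null && !VALID_CORP.has(policy)) {
    policy = invalidFallback;
  }
  if (policy === "same-origin") return "blocked";
  if (policy === "same-site") {
    return siteOf(embedderUrl) === siteOf(resourceUrl) ? "allowed" : "blocked";
  }
  return "allowed"; // no header without COEP, or "cross-origin"
}

// Constructed cases: a require-corp page loading a cross-site image.
function decisionTable() {
  const page = "https://www.example.com/";
  const img = "https://img.other.test/a.png";
  return {
    missingHeader: corpCheck(page, img, null, "require-corp"),
    optedIn: corpCheck(page, img, "cross-origin", "require-corp"),
    typoLenient: corpCheck(page, img, "same-orign", "require-corp"),
    typoStrict: corpCheck(page, img, "same-orign", "require-corp", "same-origin"),
  };
}
```

With the lenient fallback a misspelled header on the embedded resource still loads under `require-corp`, while a missing header does not; that asymmetry is what comment 13 flags as something that might be made stricter.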
Comment 14•5 years ago
Pushed by juhsu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4ea15871900d
P1 Substitute Cross-Origin header with COEP r=nika
https://hg.mozilla.org/integration/autoland/rev/ab4b5234bc12
P1.5 Remove InheritedEmbedderPolicy r=nika
https://hg.mozilla.org/integration/autoland/rev/0833c215f847
P2 Take COEP into account in CORP check r=nika
https://hg.mozilla.org/integration/autoland/rev/8dd91127f3e4
P3 Take COEP into account for COOP mismatch r=nika
https://hg.mozilla.org/integration/autoland/rev/d2537bde70ba
P4 pass COEP check if target is not a nested browsing context r=nika
https://hg.mozilla.org/integration/autoland/rev/a47bd2c262cb
P5 disabled Cross-Origin tests r=nika
Comment 15•5 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/4ea15871900d
https://hg.mozilla.org/mozilla-central/rev/ab4b5234bc12
https://hg.mozilla.org/mozilla-central/rev/0833c215f847
https://hg.mozilla.org/mozilla-central/rev/8dd91127f3e4
https://hg.mozilla.org/mozilla-central/rev/d2537bde70ba
https://hg.mozilla.org/mozilla-central/rev/a47bd2c262cb