Add a noopener-allow-popups value to COOP
#10394
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Jun 5, 2024
annevk
reviewed
Jun 10, 2024
There was a problem hiding this comment.
Would like to hear what @camillelamy thinks as well, but I think one change I'd like to see is that we drop "cross-origin" from the internal naming scheme now that we make it apply to same-origin scenarios.
(We probably don't want to change any of the IDs though.)
It also seems to me some other algorithms need updating here:
- obtain a cross-origin opener policy
- check if COOP values require a browsing context group switch
annevk
added
addition/proposal
Would it make sense to spin off this editorial only change to a separate PR? (happy to work on it, just wondering RE editorial vs. functional split)
Oops, added!
I think this is covered by the change to matching COOP, but I could be I'm missing something.. |
|
@yoavweiss I think once we have agreement for this PR, that could be a separate PR as well (to be landed first). It would be a bit of extra work, but I agree that it would be nicer. |
yoavweiss
force-pushed
the
coop_noopener_allow_popups
branch
from
9aa933f
to
a743f59
Compare
yoavweiss
added a commit
to yoavweiss/WebKit
that referenced
this pull request
Jul 2, 2024
https://bugs.webkit.org/show_bug.cgi?id=275147 Reviewed by NOBODY (OOPS!). The `noopener-allow-popups` COOP value would enable a document to ensure it can't be scripted by other same-origin documents that have opened it. Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application. The noopener-allow-popups Cross-Origin-Opener-Policy value severs the opener relationship between the document loaded with this policy and its opener. At the same time, this document can open further documents (as the "allow-popups" in the name suggests) and maintain its opener relationship with them, assuming that their COOP policy allows it. This implements whatwg/html#10394 * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/resources/reporting-common.js: (const.coopHeaders): A helper to create headers in a more succinct way. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/tentative/access-to-noopener-page-from-no-coop-ro.https-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/tentative/access-to-noopener-page-from-no-coop-ro.https.html: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/resources/noopener-helper.js: Added. (getExecutorPath): (const.test_noopener_opening_popup): The logic for the noopener tests. (async const): * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https.html: Added. * Source/WebCore/loader/CrossOriginOpenerPolicy.cpp: (WebCore::crossOriginOpenerPolicyToString): Add the "noopener-allow-popups" string. (WebCore::crossOriginOpenerPolicyValueToEffectivePolicyString): Add the "noopener-allow-popups" string. (WebCore::matchingCOOP): Implement the related HTML algorithm. (WebCore::coopValuesRequireBrowsingContextGroupSwitch): Implement the switching logic related to noopener-allow-popups. (WebCore::obtainCrossOriginOpenerPolicy): Parse the "noopener-allow-popups" value. * Source/WebCore/loader/CrossOriginOpenerPolicy.h: Add the noopener-allow-popups enum value. * Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in: Add the noopener-allow-popups enum value.
|
I added @ddworken's commented risks as a note. |
yoavweiss
added
agenda+
Yes, I think it could be helpful to at least add a note somewhere saying that browser should aim to put documents with this COOP value in a separate renderer process (or something along these lines) -- otherwise, same-origin documents would still be able to read arbitrary from memory even if they can't directly access it using web-level APIs. |
yoavweiss
force-pushed
the
coop_noopener_allow_popups
branch
from
f345df4
to
35c581a
Compare
|
@yoavweiss did you open a PR already to drop "cross origin" from the internal concepts? |
Was out, will do that now.. |
camillelamy
reviewed
Oct 2, 2024
annevk
reviewed
Oct 4, 2024
|
Thanks! The behavior lgtm. |
camillelamy
approved these changes
Oct 4, 2024
annevk
reviewed
Oct 4, 2024
annevk
approved these changes
Oct 7, 2024
annevk
added
the
topic: cross-origin-opener-policy
|
Thanks for reviewing! Can you hit the merge button? I don't have permissions |
|
See WHATWG Chat. Given it's a relatively big feature I'm doing a final call for comments. Will merge tomorrow if nobody replies. |
yoavweiss
added a commit
to yoavweiss/WebKit
that referenced
this pull request
Oct 7, 2024
https://bugs.webkit.org/show_bug.cgi?id=275147 Reviewed by NOBODY (OOPS!). The `noopener-allow-popups` COOP value would enable a document to ensure it can't be scripted by other same-origin documents that have opened it. Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application. The noopener-allow-popups Cross-Origin-Opener-Policy value severs the opener relationship between the document loaded with this policy and its opener. At the same time, this document can open further documents (as the "allow-popups" in the name suggests) and maintain its opener relationship with them, assuming that their COOP policy allows it. This implements whatwg/html#10394 * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/resources/reporting-common.js: (const.coopHeaders): A helper to create headers in a more succinct way. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/tentative/access-to-noopener-page-from-no-coop-ro.https-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/tentative/access-to-noopener-page-from-no-coop-ro.https.html: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/resources/noopener-helper.js: Added. (getExecutorPath): (const.test_noopener_opening_popup): The logic for the noopener tests. (async const): * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https.html: Added. * Source/WebCore/loader/CrossOriginOpenerPolicy.cpp: (WebCore::crossOriginOpenerPolicyToString): Add the "noopener-allow-popups" string. (WebCore::crossOriginOpenerPolicyValueToEffectivePolicyString): Add the "noopener-allow-popups" string. (WebCore::matchingCOOP): Implement the related HTML algorithm. (WebCore::coopValuesRequireBrowsingContextGroupSwitch): Implement the switching logic related to noopener-allow-popups. (WebCore::obtainCrossOriginOpenerPolicy): Parse the "noopener-allow-popups" value. * Source/WebCore/loader/CrossOriginOpenerPolicy.h: Add the noopener-allow-popups enum value. * Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in: Add the noopener-allow-popups enum value.
yoavweiss
added a commit
to yoavweiss/WebKit
that referenced
this pull request
Oct 7, 2024
https://bugs.webkit.org/show_bug.cgi?id=275147 Reviewed by NOBODY (OOPS!). The `noopener-allow-popups` COOP value would enable a document to ensure it can't be scripted by other same-origin documents that have opened it. Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application. The noopener-allow-popups Cross-Origin-Opener-Policy value severs the opener relationship between the document loaded with this policy and its opener. At the same time, this document can open further documents (as the "allow-popups" in the name suggests) and maintain its opener relationship with them, assuming that their COOP policy allows it. This implements whatwg/html#10394 * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/resources/reporting-common.js: (const.coopHeaders): A helper to create headers in a more succinct way. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/tentative/access-to-noopener-page-from-no-coop-ro.https-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/tentative/access-to-noopener-page-from-no-coop-ro.https.html: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/resources/noopener-helper.js: Added. (getExecutorPath): (const.test_noopener_opening_popup): The logic for the noopener tests. (async const): * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https.html: Added. * Source/WebCore/loader/CrossOriginOpenerPolicy.cpp: (WebCore::crossOriginOpenerPolicyToString): Add the "noopener-allow-popups" string. (WebCore::crossOriginOpenerPolicyValueToEffectivePolicyString): Add the "noopener-allow-popups" string. (WebCore::matchingCOOP): Implement the related HTML algorithm. (WebCore::coopValuesRequireBrowsingContextGroupSwitch): Implement the switching logic related to noopener-allow-popups. (WebCore::obtainCrossOriginOpenerPolicy): Parse the "noopener-allow-popups" value. * Source/WebCore/loader/CrossOriginOpenerPolicy.h: Add the noopener-allow-popups enum value. * Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in: Add the noopener-allow-popups enum value.
|
Thanks @yoavweiss for all your hard work on this COOP improvement! |
yoavweiss
added a commit
to yoavweiss/WebKit
that referenced
this pull request
Oct 8, 2024
https://bugs.webkit.org/show_bug.cgi?id=275147 Reviewed by NOBODY (OOPS!). The `noopener-allow-popups` COOP value would enable a document to ensure it can't be scripted by other same-origin documents that have opened it. Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application. The noopener-allow-popups Cross-Origin-Opener-Policy value severs the opener relationship between the document loaded with this policy and its opener. At the same time, this document can open further documents (as the "allow-popups" in the name suggests) and maintain its opener relationship with them, assuming that their COOP policy allows it. This implements whatwg/html#10394 * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/resources/reporting-common.js: (const.coopHeaders): A helper to create headers in a more succinct way. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/tentative/access-to-noopener-page-from-no-coop-ro.https-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/tentative/access-to-noopener-page-from-no-coop-ro.https.html: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/resources/noopener-helper.js: Added. (getExecutorPath): (const.test_noopener_opening_popup): The logic for the noopener tests. (async const): * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https.html: Added. * Source/WebCore/loader/CrossOriginOpenerPolicy.cpp: (WebCore::crossOriginOpenerPolicyToString): Add the "noopener-allow-popups" string. (WebCore::crossOriginOpenerPolicyValueToEffectivePolicyString): Add the "noopener-allow-popups" string. (WebCore::matchingCOOP): Implement the related HTML algorithm. (WebCore::coopValuesRequireBrowsingContextGroupSwitch): Implement the switching logic related to noopener-allow-popups. (WebCore::obtainCrossOriginOpenerPolicy): Parse the "noopener-allow-popups" value. * Source/WebCore/loader/CrossOriginOpenerPolicy.h: Add the noopener-allow-popups enum value. * Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in: Add the noopener-allow-popups enum value.
webkit-commit-queue
pushed a commit
to yoavweiss/WebKit
that referenced
this pull request
Oct 9, 2024
https://bugs.webkit.org/show_bug.cgi?id=275147 Reviewed by Alex Christensen. The `noopener-allow-popups` COOP value would enable a document to ensure it can't be scripted by other same-origin documents that have opened it. Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application. The noopener-allow-popups Cross-Origin-Opener-Policy value severs the opener relationship between the document loaded with this policy and its opener. At the same time, this document can open further documents (as the "allow-popups" in the name suggests) and maintain its opener relationship with them, assuming that their COOP policy allows it. This implements whatwg/html#10394 * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/resources/reporting-common.js: (const.coopHeaders): A helper to create headers in a more succinct way. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/tentative/access-to-noopener-page-from-no-coop-ro.https-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/reporting/tentative/access-to-noopener-page-from-no-coop-ro.https.html: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/resources/noopener-helper.js: Added. (getExecutorPath): (const.test_noopener_opening_popup): The logic for the noopener tests. (async const): * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https-expected.txt: Added. * LayoutTests/imported/w3c/web-platform-tests/html/cross-origin-opener-policy/tentative/noopener/coop-noopener-allow-popups.https.html: Added. * Source/WebCore/loader/CrossOriginOpenerPolicy.cpp: (WebCore::crossOriginOpenerPolicyToString): Add the "noopener-allow-popups" string. (WebCore::crossOriginOpenerPolicyValueToEffectivePolicyString): Add the "noopener-allow-popups" string. (WebCore::matchingCOOP): Implement the related HTML algorithm. (WebCore::coopValuesRequireBrowsingContextGroupSwitch): Implement the switching logic related to noopener-allow-popups. (WebCore::obtainCrossOriginOpenerPolicy): Parse the "noopener-allow-popups" value. * Source/WebCore/loader/CrossOriginOpenerPolicy.h: Add the noopener-allow-popups enum value. * Source/WebKit/Shared/WebCoreArgumentCoders.serialization.in: Add the noopener-allow-popups enum value. Canonical link: https://commits.webkit.org/284866@main
2 tasks
dizhang168
pushed a commit
to dizhang168/html
that referenced
this pull request
Oct 28, 2024
This is a refactor-only change, that serves as a precursor to whatwg#10394, and makes progress on whatwg#10373.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #10373
Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application.
In such cases, it can be beneficial for a document to ensure its opener cannot script it, even if the opener document is a same-origin one.
This PR adds a
noopener-allow-popupsCross-Origin-Opener-Policy value that severs the opener relationship between the document loaded with this policy and its opener. At the same time, this document can open further documents (as the "allow-popups" in the name suggests) and maintain its opener relationship with them, assuming that their COOP policy allows it.Explainer
noopener-allow-popupsCOOP value mdn/mdn#579(See WHATWG Working Mode: Changes for more details.)
/browsers.html ( diff )
/references.html ( diff )