Contact [email protected], [email protected]

Explainer https://github.com/WICG/anonymous-iframe

Specification https://wicg.github.io/anonymous-iframe/#specification

Design docs
https://docs.google.com/document/d/1poI75BaQ9aqcMGJn_K01-QHsQQbEOwRWvg3Af4VWTmY/edit

Summary

Anonymous iframes give developers a way to load documents in third-party
iframes using new and ephemeral contexts. Anonymous iframes are a
generalization of COEP credentialless to support third-party iframes that may
not deploy COEP. As with COEP credentialless, we replace the opt-in of
cross-origin subresources by avoiding loading non-public resources. This
will remove the constraint that third-party iframes must support COEP in
order to be embedded in a COEP page and will unblock developers looking to
adopt cross-origin isolation. This way, developers using COEP can now embed
third-party iframes that do not.


Blink component Blink>SecurityFeature
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature>

Search tags coep <https://chromestatus.com/features#tags:coep>,
cross-origin-embedder-policy
<https://chromestatus.com/features#tags:cross-origin-embedder-policy>,
iframe <https://chromestatus.com/features#tags:iframe>, anonymous
<https://chromestatus.com/features#tags:anonymous>

TAG review https://github.com/w3ctag/design-reviews/issues/639

TAG review status Issues addressed

Risks


Interoperability and Compatibility

The main risk is that anonymous iframes fail to become an interoperable
part of the web platform if other browsers do not implement the API.


*Gecko*: No signal (
https://github.com/mozilla/standards-positions/issues/628)

*WebKit*: No signal (
https://lists.webkit.org/pipermail/webkit-dev/2022-April/032205.html)

*Web developers*: Positive (https://github.com/WICG/proposals/issues/53)
Zoom, Google Display Ads, StackBlitz are supportive. Several other
developers also expressed their need for anonymous iframes to embed
third-party iframes inside crossOriginIsolated contexts.

*Other signals*:

Ergonomics

None.


Activation

We are going to publish a blog post. We don't expect developers to have
difficulties using it as-is. It only requires adding the "anonymous"
attribute to <iframe>.


Security

See the threat model doc: https://wicg.github.io/anonymous-iframe/#security
http://go/anonymous-iframe-threat-model


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that
it has potentially high risk for Android WebView-based applications?

No risks identified. This is platform independent. WebView is not an
exception.


Goals for experimentation

- Double check the feature makes sense given large developers like Google
  Ads and Zoom.
- Confirm this resolves the difficulties deploying COEP and understand any
  limitations.
- Get feedback about the shape of the API.
- Understand if developers need additional APIs to use it. For instance:
  https://github.com/w3ctag/design-reviews/issues/742 or others.


Reason this experiment is being extended



Ongoing technical constraints

None


Debuggability

Anonymous iframes were designed to avoid breaking iframes. They do not
introduce new kinds of failures. In the DevTools issue explaining that an
iframe was blocked by COEP, anonymous iframes will be suggested as a potential
solution. The JS API `window.isAnonymouslyFramed` already reflects whether
a document is embedded inside an anonymous iframe or not. This is not
reflected in DevTools yet, but it could be in the future, if we think this
is worth it.


Will this feature be supported on all six Blink platforms (Windows, Mac,
Linux, Chrome OS, Android, and Android WebView)? Yes

This is a web platform feature. Consistent behavior among all the platforms
is important.


Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes

DevTrial instructions https://anonymous-iframe.glitch.me

Flag name --enable-blink-features=AnonymousIframe

Requires code in //chrome? False

Tracking bug https://bugs.chromium.org/p/chromium/issues/detail?id=1211800

Launch bug https://bugs.chromium.org/p/chromium/issues/detail?id=1342928

Estimated milestones
OriginTrial desktop last 108
OriginTrial desktop first 106
DevTrial on desktop 105
OriginTrial Android last 108
OriginTrial Android first 106
DevTrial on Android 105
OriginTrial webView last 108
OriginTrial webView first 106

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5729461725036544

Links to previous Intent discussions
Intent to prototype:
https://groups.google.com/a/chromium.org/g/blink-dev/c/CjrLTguZuO4


This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
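
An added example, not part of the original intent message: a Node.js sketch of the embedder side described in the Summary and Activation sections, where a page served with COOP and COEP embeds a third-party document through `<iframe anonymous>`. The function names, the port, and the `third-party.example` URL are assumptions; the attribute has effect only in a Chrome build started with the `--enable-blink-features=AnonymousIframe` flag named above.

```javascript
// Added example (not from the intent message). Hypothetical names:
// ISOLATION_HEADERS, isolationProblems, buildEmbedderPage, third-party.example.

// Response headers that make the top-level document cross-origin isolated.
const ISOLATION_HEADERS = {
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Embedder-Policy": "require-corp",
};

// Return the reasons a header set does NOT enable cross-origin isolation.
function isolationProblems(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const problems = [];
  if (h["cross-origin-opener-policy"] !== "same-origin")
    problems.push("COOP must be same-origin");
  if (!["require-corp", "credentialless"].includes(h["cross-origin-embedder-policy"]))
    problems.push("COEP must be require-corp or credentialless");
  return problems;
}

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Build the embedder page. frameUrl is a third-party document that does not
// send COEP itself; the "anonymous" attribute is what lets it load here.
function buildEmbedderPage(frameUrl) {
  const url = new URL(frameUrl);
  if (url.protocol !== "https:") throw new Error("frame URL must be https");
  return [
    "<!doctype html>",
    "<title>COEP page with an anonymous iframe</title>",
    `<iframe anonymous src="${escapeAttr(url.href)}"></iframe>`,
    // The framed document can read window.isAnonymouslyFramed (see Debuggability).
    "<script>console.log('crossOriginIsolated:', self.crossOriginIsolated);</script>",
  ].join("\n");
}

// Run with `node file.js --serve` to try it locally on http://127.0.0.1:8080.
if (process.argv.includes("--serve")) {
  import("node:http").then((http) => {
    http.createServer((req, res) => {
      res.writeHead(200, { ...ISOLATION_HEADERS, "Content-Type": "text/html" });
      res.end(buildEmbedderPage("https://third-party.example/widget"));
    }).listen(8080, "127.0.0.1");
  });
}
```

`isolationProblems` can be pointed at the headers of any existing response to confirm that the embedder is actually cross-origin isolated before the iframe behaviour is tested.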
