LGTM to experiment from M106 to M108 (I think that's the range you're
requesting, please let me know if I'm reading it wrong).
On 7/27/22 6:34 AM, Arthur Sonzogni wrote:
Contact emails
[email protected], [email protected]
Explainer
https://github.com/WICG/anonymous-iframe
Specification
https://wicg.github.io/anonymous-iframe/#specification
Design docs
https://docs.google.com/document/d/1poI75BaQ9aqcMGJn_K01-QHsQQbEOwRWvg3Af4VWTmY/edit
Summary
Anonymous iframes give developers a way to load documents in third
party iframes using new and ephemeral contexts. Anonymous iframes are
a generalization of COEP credentialless to support 3rd party iframes
that may not deploy COEP. Like with COEP credentialless, we replace
the opt-in of cross-origin subresources by avoiding loading non-public
resources. This will remove the constraint that 3rd party iframes must
support COEP in order to be embedded in a COEP page and will unblock
developers looking to adopt cross-origin-isolation. This way,
developers using COEP can now embed third party iframes that do not.
Blink component
Blink>SecurityFeature
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature>
Search tags
coep <https://chromestatus.com/features#tags:coep>,
cross-origin-embedder-policy
<https://chromestatus.com/features#tags:cross-origin-embedder-policy>,
iframe <https://chromestatus.com/features#tags:iframe>, anonymous
<https://chromestatus.com/features#tags:anonymous>
TAG review
https://github.com/w3ctag/design-reviews/issues/639
TAG review status
Issues addressed
Risks
Interoperability and Compatibility
The main risk is that anonymous iframes fail to become an
interoperable part of the web platform if other browsers do not
implement the API.
/Gecko/: No signal
(https://github.com/mozilla/standards-positions/issues/628)
/WebKit/: No signal
(https://lists.webkit.org/pipermail/webkit-dev/2022-April/032205.html)
/Web developers/: Positive
(https://github.com/WICG/proposals/issues/53) Zoom, Google Display
Ads, StackBlitz are supportive. Several other developers also expressed
their need to get anonymous iframe to embed 3rd party iframes inside
crossOriginIsolated contexts.
/Other signals/:
Ergonomics
None.
Activation
We are going to publish a blog post: We don't expect developers to have
difficulties using it as-is. It only requires adding the "anonymous"
attribute to <iframe>.
Security
See the threat model doc:
https://wicg.github.io/anonymous-iframe/#security
http://go/anonymous-iframe-threat-model
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such
that it has potentially high risk for Android WebView-based applications?
No risks identified. This is platform independent. WebView is not an
exception.
Goals for experimentation
- Double check the feature makes sense given large developers like
  Google Ads and Zoom.
- Confirm this resolves the difficulties deploying COEP and understand
  any limitations.
- Get feedback about the shape of the API.
- Understand if developers need additional APIs to use it. For instance:
  https://github.com/w3ctag/design-reviews/issues/742 or others.
Reason this experiment is being extended
Ongoing technical constraints
None
Debuggability
Anonymous iframes were designed to avoid breaking iframes. They do not
introduce new kinds of failures. In the DevTools issue explaining an
iframe was blocked by COEP, Anonymous iframes will be suggested as a
potential solution. The JS API: `window.isAnonymouslyFramed` already
reflects whether a document is embedded inside an anonymous iframe or
not. This is not reflected in DevTools yet, but it could be in the
future, if we think this is worth it.
Will this feature be supported on all six Blink platforms
(Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes
This is a web platform feature. Consistent behavior among all the
platforms is important.
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes
DevTrial instructions
https://anonymous-iframe.glitch.me
Flag name
--enable-blink-features=AnonymousIframe
Requires code in //chrome?
False
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1211800
Launch bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1342928
Estimated milestones
OriginTrial desktop last 108
OriginTrial desktop first 106
DevTrial on desktop 105
OriginTrial Android last 108
OriginTrial Android first 106
DevTrial on Android 105
OriginTrial webView last 108
OriginTrial webView first 106
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5729461725036544
Links to previous Intent discussions
Intent to prototype:
https://groups.google.com/a/chromium.org/g/blink-dev/c/CjrLTguZuO4
This intent message was generated by Chrome Platform Status
<https://chromestatus.com/>.
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH7Q68XZAyZh9cVWOVV03Df8p1e-g7bTHWgUpDvXpgFCt6z0LQ%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH7Q68XZAyZh9cVWOVV03Df8p1e-g7bTHWgUpDvXpgFCt6z0LQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.