Hi Cammie,

A question from the security reviewers: Do cross-origin worklet scripts by addModule have the same protection as a cross-origin <script> (such as CORS)?

Best,
Jonathan

On Wednesday, July 17, 2024 at 8:30:38 PM UTC+1 Cammie Smith Barnes wrote:

> Contact emails
>
> [email protected], [email protected], [email protected], [email protected]
>
> Explainer
>
> https://github.com/WICG/shared-storage/blob/main/README.md
>
> Specification
>
> https://github.com/WICG/shared-storage/pull/161
>
> Summary and Motivation
>
> We have received feedback from developers stating they wanted to be able to host and run their worklet script on a separate origin (e.g., a cdn) from the origin that owns and writes their shared storage data. Therefore, we’re removing the same-origin restriction for addModule worklet scripts. Note that, when the worklet script is cross-origin to the invoking context, the invoking context's origin is still used as the partition origin for accessing shared storage.
>
> We also made a second change, which is to align the new sharedStorage.createWorklet API (shipped in M125) with addModule to use the calling context’s origin as the data origin by default (instead of the script’s origin as the data origin). This is a breaking change, and we discuss our mitigations below.
>
> Blink component
>
> Blink>Storage>SharedStorage <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3EStorage%3ESharedStorage>
>
> Initial public proposal
>
> https://github.com/WICG/shared-storage/pull/158
>
> TAG review
>
> None
>
> TAG review status
>
> We asked <https://github.com/w3ctag/design-reviews/issues/747#issuecomment-2075450880> if they’d like to see follow-up changes to shared storage given its unsatisfied status, and have not received a response. We take the lack of response as a signal that they would not like to be made aware of subsequent changes.
>
> Risks
>
> Interoperability and Compatibility
>
> There are no interop risks as no other browser has implemented shared storage. There is a compat risk for the recently released createWorklet API. The worklet created by createWorklet before this change had the data partition of the script’s origin. We’re changing it, to align with addModule, to use the calling context’s origin instead. We’re monitoring usage here <https://chromestatus.com/metrics/feature/timeline/popularity/5007> of the existing API and reaching out to folks using it to let them know that they should make the following forward-compatible change if they want the existing default behavior of createWorklet to continue to function after this change:
>
> before: sharedStorage.createWorklet(worklet_url);
>
> after: sharedStorage.createWorklet(worklet_url, { dataOrigin: "script-origin" });
>
> The dataOrigin option will be ignored on browsers previous to this change, and honored correctly after.
>
> We have created a use counter for usage of createWorklet without the forward-compatible dataOrigin option so that we will know when it’s safe to make this change. We are also monitoring usage of addModule with scripts that are cross-origin to the calling context here <https://chromestatus.com/metrics/feature/timeline/popularity/5028>, as those will suddenly work when they did not before which could be surprising to developers.
>
> Gecko: No signal
>
> WebKit: No signal
>
> Web developers: No signals
>
> Other signals:
>
> WebView application risks
>
> Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
>
> None
>
> Debuggability
>
> None
>
> Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
>
> Not yet
>
> Flag name on chrome://flags
>
> None
>
> Finch feature name
>
> SharedStorageCrossOriginScript
>
> Non-finch justification
>
> None
>
> Requires code in //chrome?
>
> False
>
> Estimated milestones
>
> M129
>
> Link to entry on the Chrome Platform Status
>
> https://chromestatus.com/feature/6531477832204288 <https://chromestatus.com/feature/6531477832204288?gate=4670064239050752>
>
> This intent message was generated by Chrome Platform Status <https://chromestatus.com/>.
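
The compat risk described in the quoted intent falls on createWorklet calls that pass no dataOrigin option, since their data partition moves from the script's origin to the calling context's origin. The following is an added example, not code from the thread or from the Shared Storage project: a heuristic text scan that lists such calls in a source file so they can be reviewed before the change. The function names and the sample source are constructed for illustration.

```javascript
// Added example: flag createWorklet() calls that rely on the old default.
// Heuristic text scan (no full JS parse); names here are hypothetical.

// Return the argument text of the call whose "(" sits at index `open`,
// honouring nested brackets and string literals; null if unbalanced.
function callArguments(source, open) {
  let depth = 0;
  let quote = null;
  for (let i = open; i < source.length; i++) {
    const ch = source[i];
    if (quote) {
      if (ch === "\\") i++;                 // skip the escaped character
      else if (ch === quote) quote = null;  // end of string literal
    } else if (ch === '"' || ch === "'" || ch === "`") {
      quote = ch;
    } else if ("([{".includes(ch)) {
      depth++;
    } else if (")]}".includes(ch)) {
      depth--;
      if (depth === 0) return source.slice(open + 1, i);
    }
  }
  return null;
}

// Report every createWorklet call that does not mention dataOrigin.
function auditCreateWorklet(source) {
  const findings = [];
  const re = /\bcreateWorklet\s*\(/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    const args = callArguments(source, m.index + m[0].length - 1);
    if (args === null || !/\bdataOrigin\b/.test(args)) {
      const line = source.slice(0, m.index).split("\n").length;
      findings.push({ line, call: args === null ? "<unbalanced>" : `createWorklet(${args})` });
    }
  }
  return findings;
}

// Constructed sample input: lines 1 and 3 depend on the old default.
const SAMPLE = [
  'const a = await sharedStorage.createWorklet(worklet_url);',
  'const b = await sharedStorage.createWorklet(worklet_url, { dataOrigin: "script-origin" });',
  'const c = await sharedStorage.createWorklet(new URL("worklet.js", CDN_BASE));',
  'await sharedStorage.worklet.addModule(worklet_url);',
].join("\n");

console.log(auditCreateWorklet(SAMPLE));
```

Each reported call needs a decision: add { dataOrigin: "script-origin" } to keep the script origin's data partition, or leave it and accept the calling context's origin as the partition after the change.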
