*Summary:* Origin-keyed Agent Clusters allows developers to opt-in to a stricter cross-origin separation by placing same-site cross-origin pages in different agent clusters. The observable effect of this is that setting document.domain becomes a no-op and makes it impossible to send WebAssembly.Module:s to cross-origin documents. It also opens up several venues for more efficient resource allocation, e.g. performing process isolation based on origin-keyed agent clusters instead of site-keyed agent clusters and separate arena allocators. This is achieved by the site developer by sending the HTTP header Origin-Agent-Cluster, where a true value indicates that the site wishes to opt in to using origin-keyed agent clusters. This header also makes it easy to in the future deprecate document.domain by making the default be true for Origin-Agent-Cluster, while allowing sites to opt-out by sending Origin-Agent-Cluster with a false value.
*Bug:* Bug 1665474 - Implement the Origin-Agent-Cluster header <https://bugzilla.mozilla.org/show_bug.cgi?id=1665474> *Specification:* Origin-keyed agent clusters <https://html.spec.whatwg.org/multipage/browsers.html#origin-keyed-agent-clusters> *Platform coverage:* All platforms *Preference:* We'll use browser.tabs.remote.originAgentClusters, with the possible values: 0) Turned off This feature can be implemented incrementally, and until everything is in place we'll have the feature turned off. 1) Turned on. Default value for origin-keyed is false This is the value we'll use for shipping this feature. 2) Turned on. Default value for origin-keyed is true This is the value we'll use to deprecate document.domain in Bug 1817844 - Deprecate document.domain <https://bugzilla.mozilla.org/show_bug.cgi?id=1817844>. This will be addressed in a future intent to prototype. *DevTools bug:* None needed until we start considering deprecating document.domain. *Link to standards-positions discussion:* mozilla/standards-positions <https://github.com/mozilla/standards-positions/issues/244> *Other browsers:* Blink: shipped since version 88 WebKit: considering ([webkit-dev] Request for position on the Origin-Isolation header <https://lists.webkit.org/pipermail/webkit-dev/2020-August/031355.html>). *web-platform-tests:* html/browsers/origin/origin-keyed-agent-clusters <https://wpt.fyi/results/html/browsers/origin/origin-keyed-agent-clusters> *How stable is the spec:* Stable. Merged in whatwg/html/pull/5545 <https://github.com/whatwg/html/pull/5545> and renamed in whatwg/html/pull/6214 <https://github.com/whatwg/html/pull/6214>, Aug 21, 2020 and Dec 11, 2020 respectively. *Web developer use-cases:* Initially this will be a way for developers to opt-in to helping the browser to use resources more efficiently. In the case of deprecating document.domain it becomes a way for developers to opt-out of this feature and regain the use of document.domain. *Example:* To use this feature configure the web server to send: Origin-Agent-Cluster: ?1 Here the ?1 is the structured header syntax for the boolean true value. When this feature is turned on, the Window interface will expose window.originAgentCluster, which returns true if this Window belongs to an origin-keyed agent cluster. This is useful due to the aspect of how mismatched values for the header are handled. An agent cluster can never transition to or from being origin-keyed, so if a Window wants to join an agent cluster and is served with the Origin-Agent-Cluster header with a true value, but the agent cluster is already site-keyed, then it stays site-keyed. The same is true if the agent cluster starts out as origin-keyed. -- farre -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CACvK8HKaRfytdpfn2H6AB64UShafKessjq%3DYb2Bdh3TrPQ0eTQ%40mail.gmail.com.
