Re: [webkit-dev] Request for position on the Origin-Isolation header

2020-12-11 Thread Domenic Denicola via webkit-dev
Hi again webkit-dev,

I'm just pinging this thread to let you know that in the HTML Standard 
repository (and Chrome implementation), we're working to rename this feature 
from "origin isolation" to "origin-keyed agent clusters", with the header going 
from Origin-Isolation to Origin-Agent-Cluster. This is due to people thinking 
that the "origin isolation" name implied security guarantees, like Chrome's 
"site isolation" term or the HTML Standard's "cross-origin isolation" term.

You can read more about the reasoning at 
https://github.com/whatwg/html/issues/6192 and see the renaming pull request at 
https://github.com/whatwg/html/pull/6214.

Thanks!
-Domenic
___
webkit-dev mailing list
webkit-dev@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-dev


Re: [webkit-dev] Request for position on the Origin-Isolation header

2020-08-21 Thread Domenic Denicola
Thanks Ryosuke!

From: Anne van Kesteren  

> On Fri, Aug 21, 2020 at 2:41 AM Ryosuke Niwa wrote:
>> I feel like I saw some discussions of also differentiating based on 
>> protocol (treating http://webkit.org and https://webkit.org 
>> differently). Do you know if you've already had such a discussion and if 
>> so what the outcome of that discussion was?
>
> The scheme is already part of an origin so that is definitely a boundary for 
> this feature. However, I guess you're asking about the "normal" website 
> security boundary, which is site (roughly scheme + registrable domain, exact 
> definition in HTML). Site historically lacked scheme, but that was changed. 
> There are still some features (primarily cookies) that compare sites and 
> ignore the scheme (this operation is also defined in HTML), but those too 
> have proposals to move away from that.

In addition to this, I'll note that the feature is currently specced to only 
work on secure contexts; on non-secure contexts the header is ignored. So, 
non-secure pages will always end up in the site-keyed agent cluster, i.e. there 
is no way to use this header to isolate http://example.com from 
http://sub.example.com/ like you can do for the https: counterparts.
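
A simplified model of the keying rules discussed in this thread, added here as an illustration (not code from the thread, the HTML Standard or any browser). Assumptions: "secure context" is approximated as an https: URL, the registrable domain as the last two host labels, and the opt-in value is the structured-header boolean `?1`; all function names are hypothetical.

```javascript
// Added illustration: a model of agent cluster keying, not browser code.
// Assumptions: secure context == https: URL; registrable domain == last two
// host labels (real browsers consult the Public Suffix List).
const OPT_IN_HEADERS = ["origin-agent-cluster", "origin-isolation"];

function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Site = scheme + registrable domain (the port is not part of a site).
function siteOf(url) {
  return `${url.protocol}//${registrableDomain(url.hostname)}`;
}

// True only when one of the opt-in headers carries the boolean true ("?1").
function requestsOriginKeying(headers) {
  return Object.entries(headers).some(
    ([name, value]) =>
      OPT_IN_HEADERS.includes(name.toLowerCase()) && value.trim() === "?1"
  );
}

// Decide which key a document's agent cluster would use.
function agentClusterKey(urlString, headers = {}) {
  const url = new URL(urlString);
  const secure = url.protocol === "https:";
  // On non-secure contexts the header is ignored: always site-keyed.
  if (secure && requestsOriginKeying(headers)) {
    return { keyedBy: "origin", key: url.origin };
  }
  return { keyedBy: "site", key: siteOf(url) };
}

// Two documents can share an agent cluster only if both the kind of key and
// its value match; an origin key and a site key may serialize identically.
function sameClusterKey(a, b) {
  return a.keyedBy === b.keyedBy && a.key === b.key;
}
```
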


Re: [webkit-dev] Request for position on the Origin-Isolation header

2020-08-21 Thread Anne van Kesteren
On Fri, Aug 21, 2020 at 2:41 AM Ryosuke Niwa wrote:
> I feel like I saw some discussions of also differentiating based on
> protocol (treating http://webkit.org and https://webkit.org
> differently). Do you know if you've already had such a discussion and if
> so what the outcome of that discussion was?

The scheme is already part of an origin so that is definitely a
boundary for this feature. However, I guess you're asking about the
"normal" website security boundary, which is site (roughly scheme +
registrable domain, exact definition in HTML). Site historically
lacked scheme, but that was changed. There are still some features
(primarily cookies) that compare sites and ignore the scheme (this
operation is also defined in HTML), but those too have proposals to
move away from that.


Re: [webkit-dev] Request for position on the Origin-Isolation header

2020-08-20 Thread Ryosuke Niwa
Hi,

On Thu, Aug 20, 2020 at 8:51 AM Domenic Denicola wrote:
>
> Hello webkit-dev,
>
> I've been working on a new header called Origin-Isolation, which is a way of 
> allowing origins to opt out of using document.domain and cross-origin 
> sharing of WebAssembly.Module, and thus allowing the browser to put them into 
> an origin-keyed agent cluster instead of a site-keyed one. This could in turn 
> allow the browser to make better behind-the-scenes decisions for process 
> isolation, or other resource allocation decisions, since sites no longer have 
> any ways to synchronously communicate cross-origin.
>

We haven't had a chance to fully review the proposal but we didn't
find anything we'd immediately object to. It seems like a reasonable
idea.

I feel like I saw some discussions of also differentiating based on
protocol (treating http://webkit.org and https://webkit.org
differently). Do you know if you've already had such a discussion and if
so what the outcome of that discussion was?

- R. Niwa


[webkit-dev] Request for position on the Origin-Isolation header

2020-08-20 Thread Domenic Denicola
Hello webkit-dev,

I've been working on a new header called Origin-Isolation, which is a way of 
allowing origins to opt out of using document.domain and cross-origin sharing 
of WebAssembly.Module, and thus allowing the browser to put them into an 
origin-keyed agent cluster instead of a site-keyed one. This could in turn 
allow the browser to make better behind-the-scenes decisions for process 
isolation, or other resource allocation decisions, since sites no longer have 
any ways to synchronously communicate cross-origin.

Relevant links:

* Explainer: https://github.com/WICG/origin-isolation
* HTML spec PR: https://github.com/whatwg/html/pull/5545
* Test suite: https://github.com/web-platform-tests/wpt/tree/master/origin-isolation
* Gecko "worth prototyping" standards position: https://mozilla.github.io/standards-positions/#domenic-origin-isolation

A natural question one might ask is how this relates to COOP+COEP? The 
explainer has that covered: https://github.com/WICG/origin-isolation#coop--coep

Thanks for your time!

-Domenic