-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[COOP] Header syntax #5172
Comments
Both should be forward-compatible with Structured Headers. I'm not sure we want to fully depend on that until it's ready. |
So that suggests treating parameters as "fail parsing", for now. |
What?? That suggests the opposite to me. Why would you want browsers that implement the non-SH spec to be unable to parse the SH version? |
That is how other equivalent headers work today that we might upgrade to SH once it's ready. Making them SH-compatible now while that might still change seems unwise. |
To restate, my preferred way of doing this for both COOP and COEP is to start with a byte-case-sensitive comparison of the value with the allowed strings and migrate to SH once that is an RFC as that's effectively the point IETF commits to not make incompatible changes. It seems highly unlikely a byte-case-sensitive comparison of these values will be incompatible with a future likely more permissive SH syntax. |
It would be incompatible. Consider the following sequence of events:
This means that, in general, either sites will start cutting out browsers that don't implement new features (e.g., you can only play this SAB-using game in Browser X), or sites will be unable to deploy any updates to COOP until the long tail of byte-case-sensitive browsers fall off of their usage numbers. |
I think incompatibility along those lines is acceptable as I expect we'll update to SH long before we'll make significant changes to these features. And also, I think it would be worse to be stuck with something that's almost SH, but not quite because SH changed. |
What's the timeline for shipping this? SH is Almost Done™️. |
Some of it has already shipped ( |
We may want to use our structured header parser in Chromium for these headers (certainly for Origin Policy) from the beginning, although I guess with the direction things are currently going that means we would intentionally fail some web platform tests. Perhaps it would be good to get WebKit's opinion as a tie-breaker for what the standard/tests should say. |
The timeline for wanting to extend any of these headers with new parameters is, as far as I know, unknown or "maybe in a few years". Correct? |
We haven't quite settled on how to do reporting. I think the simplest would be a distinct header, but if we end up flipping on that it would be within a shorter period. But again, I don't think we can start using parameter syntax until SH is |
Ah right, I forgot about the reporting use case. I agree with @annevk, but I don't have a strong opinion on this. In particular, if @mnot thinks it's OK for browsers to ship with SH parsers and specs to start using them, then I think it's fine to do so. Until then, it seems better to let SH bake so it can make syntax changes without having to consider possible compat issues from early adopters. |
Bumping this due to a recent discussion we had on how to add reporting to COOP. It looks like there is some agreement that COOP should be a structured header to support report-to information. WDYT about changing the spec accordingly? Can we move forward on this? If not, would it make sense to at least implement it in a SH compatible way? |
It should probably be tackled in #5334 at this point. I agree that we should do it. It'd be fine if dedicated parser tests land ahead of the change. |
Fixes whatwg#3740. Closes whatwg#4580. Need to check again if it closes them: * whatwg#4921 * whatwg#5168 * whatwg#5172 * whatwg#5198 (probably not?) Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
Fixes whatwg#3740. Closes whatwg#4580. Need to check again if it closes them: * whatwg#4921 * whatwg#5168 * whatwg#5172 * whatwg#5198 (probably not?) Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
Fixes whatwg#3740. Closes whatwg#4580. Need to check again if it closes them: * whatwg#4921 * whatwg#5168 * whatwg#5172 * whatwg#5198 (probably not?) Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
Fixes whatwg#3740. Closes whatwg#4580. Need to check again if it closes them: * whatwg#4921 * whatwg#5168 * whatwg#5172 * whatwg#5198 (probably not?) Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
FWIW - SF (nee SH) is now in the RFC Editor queue. |
I guess we should update all our cross references to "F" instead of "H"... |
This commit adds the notion of cross-origin opener policy (COOP). COOP allows websites to restrict which origins they share their browsing context group with. annevk wrote a first draft of the behavior of COOP here: https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e. This takes that draft and merges it into the spec, with many updates along the way. Closes whatwg#3740. Closes whatwg#4580. Closes whatwg#4921. Closes whatwg#5172. Co-authored-by: clamy <clamy@chromium.org> Co-authored-by: Anne van Kesteren <annevk@annevk.nl> Co-authored-by: Domenic Denicola <d@domenic.me>
The COOP proposal clearly defines the
Cross-Origin-Opener-Policy
HTTP response header as a non-structured-header with exactly three valid values. However, @domenic has recently observed:I can't speak to the first observation, but parity with COEP does seem valuable. Since the parsing rules for COEP are currently in flux, I wanted to see if a similar change should be considered for COOP.
The text was updated successfully, but these errors were encountered: