Add docs for HTTP Permissions-Policy
header cross-origin-isolated
directive
#36780
Conversation
Preview URLs (9 pages), External URLs (2). (comment last updated: 2024-12-22 23:38:17)
Review threads (resolved, outdated) on:
- files/en-us/web/http/headers/permissions-policy/cross-origin-isolated/index.md
- files/en-us/web/api/performance/measureuseragentspecificmemory/index.md
- files/en-us/web/javascript/reference/global_objects/sharedarraybuffer/index.md
- files/en-us/web/http/headers/cross-origin-opener-policy/index.md
- files/en-us/web/http/headers/cross-origin-embedder-policy/index.md
- files/en-us/web/api/workerglobalscope/crossoriginisolated/index.md
- {{HTTPHeader("Cross-Origin-Opener-Policy")}} with `same-origin` as value (protects your origin from attackers)
- {{HTTPHeader("Cross-Origin-Embedder-Policy")}} with `require-corp` or `credentialless` as value (protects victims from your origin)
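Review bot: the parentheticals on both bullets state an outcome without the mechanism, and the second one ("protects victims from your origin") does not explain what the value actually changes; suggest replacing them with what each value does. For `Cross-Origin-Opener-Policy: same-origin`, the document is put in its own browsing context group, so cross-origin pages that opened it, or that it opens, lose their window reference. For `Cross-Origin-Embedder-Policy: require-corp` or `credentialless`, the document can only load cross-origin subresources that opt in via CORS or Cross-Origin-Resource-Policy, or, with `credentialless`, that are fetched without credentials. The replies below already make the same argument, so the wording here should match whichever explanation ends up in the cross-origin isolation doc.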
The "(protects your origin from attackers)" and same on the other header are wrong/pointless. I will fix.
The explanations here make sense to me though. With COOP your site can't be cross-origin accessed by another opener. With COEP you can't cross-origin access another site.
OK, so Cross-Origin-Opener-Policy certainly protects your origin from attackers, since it allows you to prevent your document from loading cross origin resources in the same BCG or being loaded into same BCG as cross origin documents, and severs the relationships.
The embedder policy ensures that your document only loads those documents that have opted into CORS, or doesn't send them credentials. I guess that you could look at that as "protect victims from your origin"? I'm not actually entirely sure why that has value.
I am sure of two things:
- If you don't know about these before, having the text here won't help you.
- None of this should be here IMO. I have moved the relevant docs into the cross origin isolation doc and cross linked.
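As an added example, not code from this PR or from mdn/content, the following shows the header combination the two replies above describe as a check a practitioner can run against a response, and the client-side gate on `crossOriginIsolated` that a page should use before allocating shared memory. The function names `directive`, `isSecureContextUrl`, `evaluateIsolation`, `isolationHeaders` and `allocateSharedOrPlain` are hypothetical, the secure-context test is deliberately simplified to https plus loopback, and the sample response at the end is constructed.

```javascript
// Added example, not code from the PR or from mdn/content: evaluate the
// COOP/COEP pair that makes a top-level document cross-origin isolated,
// and gate shared-memory allocation on the browser's own report.

const COOP = "cross-origin-opener-policy";
const COEP = "cross-origin-embedder-policy";

// Look up a header case-insensitively and return only its directive,
// dropping parameters such as `; report-to="coop"`.
function directive(headers, name) {
  const entry = Object.entries(headers).find(([k]) => k.toLowerCase() === name);
  if (!entry || !entry[1]) return null;
  return String(entry[1]).split(";")[0].trim().toLowerCase();
}

// Simplified secure-context test (assumption): https, or loopback. The
// HTML spec's "potentially trustworthy" rules cover more cases than this.
function isSecureContextUrl(url) {
  const u = new URL(url);
  return u.protocol === "https:" || u.hostname === "localhost" || u.hostname === "127.0.0.1";
}

// Mirrors the condition discussed above: secure context, COOP same-origin,
// and COEP require-corp or credentialless. Returns the verdict plus the
// unmet requirements so a failing deployment can be diagnosed from the
// response alone.
function evaluateIsolation(url, headers) {
  const reasons = [];
  if (!isSecureContextUrl(url)) reasons.push("not a secure context");

  const coop = directive(headers, COOP);
  if (coop !== "same-origin") {
    reasons.push(`COOP is ${coop ?? "absent"}, need same-origin`);
  }

  const coep = directive(headers, COEP);
  if (coep !== "require-corp" && coep !== "credentialless") {
    reasons.push(`COEP is ${coep ?? "absent"}, need require-corp or credentialless`);
  }
  return { isolated: reasons.length === 0, reasons };
}

// The pair a server sends to opt a document in. `credentialless` is the
// choice when the page embeds third-party resources that cannot set CORP.
function isolationHeaders(coep = "require-corp") {
  return {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": coep,
  };
}

// Client side (window or worker): trust the browser's crossOriginIsolated
// flag rather than your own header inspection, and fall back to a plain
// ArrayBuffer when the capability is absent.
function allocateSharedOrPlain(byteLength, scope = globalThis) {
  if (scope.crossOriginIsolated === true && typeof scope.SharedArrayBuffer === "function") {
    return { kind: "shared", buffer: new scope.SharedArrayBuffer(byteLength) };
  }
  return { kind: "plain", buffer: new ArrayBuffer(byteLength) };
}

// Constructed sample: a deployment on plain http that forgot COEP.
const sampleResponse = {
  url: "http://example.test/app",
  headers: { "Cross-Origin-Opener-Policy": "same-origin" },
};
console.log(evaluateIsolation(sampleResponse.url, sampleResponse.headers));
// Prints isolated: false with two reasons (not secure, COEP absent).
```

`evaluateIsolation` is a deployment check, not a substitute for the runtime flag: a document can carry the right headers and still not be isolated (for example when it is nested in an embedder that is not), which is why `allocateSharedOrPlain` only consults `crossOriginIsolated`.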
Upshot, love an explanation of why COEP is useful other than you now need it to access certain APIs. But either way, it won't change this doc.
A useful link for cross-origin isolation by StackBlitz - https://blog.stackblitz.com/posts/cross-browser-with-coop-coep/
Yeah, that is cool. A little out of date but well worth linking.
@skyclouds2001 I have rewritten this to my taste, mostly to remove some of the duplication around these headers into the There is quite a lot of change so now I can't be objective. Can we swap roles now so you review my changes and make sure they largely make sense?
#37287 filed for a feature request for a new glossary for cross-origin isolation
I'm not sure whether or not this is a good idea. I actually tried it when I made the last round of edits. The question was really "what should we include". If you include all the information in the window.crossOriginIsolated property then you have to duplicate most of it anyway for this topic - which defeats the purpose. If you don't include it, then it doesn't really help having an extra topic. So "maybe". Wouldn't block this on that. @skyclouds2001 Have you had a chance to review my changes? I'm shortly on holiday and I don't want to leave this dangling if we can avoid it.
Sure!
I think the glossary could include details about cross-origin isolation; most content could be extracted from the current docs for
Let me know when you have finished your review. We could try to do the glossary in #37287 now, or hold off. I'm tempted to merge this and then do the glossary.
Worth a try, but do we do it now, or after merging this?
I think it is better to do it after merging this first, or the change will be too huge.
To check if cross origin isolation has been successful, you can test against the {{domxref("Window.crossOriginIsolated")}} property or the {{domxref("WorkerGlobalScope.crossOriginIsolated")}} property available to window and worker contexts:
To use shared memory your document must be in a [secure context](/en-US/docs/Web/Security/Secure_Contexts) and {{domxref("Window.crossOriginIsolated","cross-origin isolated","","nocode")}}.
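Review bot: the two sentences are inconsistent on hyphenation and the second is missing a comma. The first writes "cross origin isolation" while the second, and the rest of the page, uses "cross-origin isolated"; the second needs a comma after the introductory clause: "To use shared memory, your document must be in a secure context and cross-origin isolated." Suggest "cross-origin isolation" in the first sentence and the comma in the second.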
To use shared memory your document must be in a [secure context](/en-US/docs/Web/Security/Secure_Contexts) and {{domxref("Window.crossOriginIsolated","cross-origin isolated","","nocode")}}.
To use shared memory, your document must be in a [secure context](/en-US/docs/Web/Security/Secure_Contexts) and {{domxref("Window.crossOriginIsolated", "cross-origin isolated", "", 1)}}.
While the only requirement is that the value of the parameter is set, "nocode" is the de facto standard on MDN. The reason being that it is obvious to authors reading the source what the intent is - so it is better.
And there is some disagreement on the glossary issue about how to approach it.
Co-authored-by: skyclouds2001 <[email protected]>
Thanks for all your work on this @skyclouds2001 - and for the follow on review. Merging now.
Additional details
https://html.spec.whatwg.org/multipage/infrastructure.html#cross-origin-isolated-feature
https://html.spec.whatwg.org/multipage/webappapis.html#dom-crossoriginisolated-dev
https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md?plain=1#L37