WICG / anonymous-iframe

Give developers the ability to embed third party HTML documents inside a new and ephemeral context. In return, COEP embedding rules can be relaxed. Thanks to anonymous iframe, developers using COEP can now embed third party content that does not.

Consider to rename "anonymous" to "credentialless" or some such #5

Closed smaug---- closed 1 year ago

smaug---- commented 2 years ago

Seems like the spec doesn't try to create really anonymous iframes (anonymous feels like a rather strong word) but rather just credentialless ones. The iframes aren't blocked from accessing each other or anything like that, and they can access iframes which aren't anonymous.

(this was discussed during a Mozilla meeting on what we think of the proposal)

ArthurSonzogni commented 2 years ago

Thanks so much for taking the time to look into the AnonymousIframe proposal!

This question makes sense. Initially, it used to be credentials=XXX. Then, in a message similar to yours but in the opposite direction, it was proposed to switch toward anonymous. Here is the rationale: https://github.com/camillelamy/explainers/issues/20

What would be your preferred direction, without falling into the previous drawbacks?

ArthurSonzogni commented 2 years ago

@smaug---- , @sefeng211 Given https://github.com/camillelamy/explainers/issues/20, do you think "anonymous" is good enough? Or do you believe something else would be a better fit?

smaug---- commented 2 years ago

credentialless wouldn't have the drawbacks

smaug---- commented 2 years ago

Though, https://github.com/WICG/anonymous-iframe/issues/4 may require something more complicated.

(In general I'm rather worried about adding yet another allow/disallow/tweak-features type of attribute to iframe and not reuse existing ones)

ArthurSonzogni commented 2 years ago

@smaug---- I would be happy to switch to a different attribute. Do you have some proposition?

smaug---- commented 2 years ago

credentialless. https://github.com/camillelamy/explainers/issues/20 even suggested something similar 'clean-credentials'

But I'm not yet convinced we want yet another attribute to control how the iframe behaves. One might want to use sandbox attribute.

ArthurSonzogni commented 2 years ago

Yes

<iframe credentialless>

is nice too. We can switch again if you think this is better. What do others think? (@mikewest, @camillelamy, @annevk)

If we go this way, window.anonymouslyFramed would also need a rename. Not sure how.

> But I'm not yet convinced we want yet another attribute to control how the iframe behaves. One might want to use sandbox attribute.

Okay, I will continue on: https://github.com/mozilla/standards-positions/issues/628#issuecomment-1202300757

RByers commented 1 year ago

Any update? Seems like some resolution to this issue should block shipping, right?

camillelamy commented 1 year ago

I am happy with <iframe credentialless>. window.anonymouslyFramed could become window.credentialless maybe?

annevk commented 1 year ago

The one nit I have with credentialless is that in the context of COEP it only applies to "no-cors" whereas here it would cast a wider net. We'd want to explicitly document that difference.

ArthurSonzogni commented 1 year ago

Similar to https://github.com/WICG/anonymous-iframe/issues/1 (window.anonymous usage in the wild) I checked window.credentialless usage in the http archive:

#standardSQL
SELECT page, url
FROM `httparchive.response_bodies.2022_10_01_mobile`
WHERE STRPOS(body, 'window.credentialless') > 0

It returned no occurrences. It seems using this name won't be an issue.

ArthurSonzogni commented 1 year ago

Also pleased with the rename. I will update the explainer/spec/chrome.

> The one nit I have with credentialless is that in the context of COEP it only applies to "no-cors" whereas here it would cast a wider net. We'd want to explicitly document that difference.

Thanks for mentioning it! I will make sure to add a paragraph while updating it.

ArthurSonzogni commented 1 year ago

Okay. So this is mostly done:

  1. @annevk comment 5 addressed here
  2. WPT tests rename: patch
  3. Spec rename: https://github.com/WICG/anonymous-iframe/pull/13

What is left:

@MikeWest also asked about using window.credentiallesslyFramed instead of window.credentialless.

> I wonder if there's the potential for confusion between this and COEP: credentialless... Should we call this something like credentiallesslyFramed?

I don't really have a strong opinion.

ArthurSonzogni commented 1 year ago

I am done updating the PRs. Only the HTML required an update. I think we can mark it as closed. Renaming the repository and the WPT directory is on its way.