Open yoavweiss opened 4 weeks ago
annevk
commented
2 weeks ago This seems reasonable. I suggest we mark this as "position: support" one week from now. I know @smaug---- has given some input on disliking the proposed name, but I'm not really sure what would be a better fit.
smaug----
commented
2 weeks ago FWIW, I'm mostly concerned that the noopener part seems to be rather distinct feature. Coupling that with COOP feels weird.
yoavweiss
commented
3 days ago This was discussed at the June 20th WHATNOT call.
WebKittens
@annevk
Title of the spec
noopener-allow-popups value in COOP
URL to the spec
https://github.com/whatwg/html/pull/10394
URL to the spec's repository
https://github.com/whatwg/html
Issue Tracker URL
https://github.com/whatwg/html/issues/10373
Explainer URL
https://github.com/whatwg/html/pull/10394#issue-2335131210
TAG Design Review URL
https://github.com/w3ctag/design-reviews/issues/964
Mozilla standards-positions issue URL
https://github.com/mozilla/standards-positions/issues/1037
WebKit Bugzilla URL
https://bugs.webkit.org/show_bug.cgi?id=275147
Radar URL
No response
Description
This proposal would enable a document to ensure it can't be scripted by other same-origin documents that have opened it.
Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application.
The noopener-allow-popups Cross-Origin-Opener-Policy value severs the opener relationship between the document loaded with this policy and its opener. At the same time, this document can open further documents (as the "allow-popups" in the name suggests) and maintain its opener relationship with them, assuming that their COOP policy allows it.