Closed yoavweiss closed 3 months ago
This seems reasonable. I suggest we mark this as "position: support" one week from now. I know @smaug---- has given some input on disliking the proposed name, but I'm not really sure what would be a better fit.
FWIW, I'm mostly concerned that the noopener part seems to be a rather distinct feature. Coupling that with COOP feels weird.
This was discussed at the June 20th WHATNOT call.
WebKittens
@annevk
Title of the spec
noopener-allow-popups value in COOP
URL to the spec
https://github.com/whatwg/html/pull/10394
URL to the spec's repository
https://github.com/whatwg/html
Issue Tracker URL
https://github.com/whatwg/html/issues/10373
Explainer URL
https://github.com/whatwg/html/pull/10394#issue-2335131210
TAG Design Review URL
https://github.com/w3ctag/design-reviews/issues/964
Mozilla standards-positions issue URL
https://github.com/mozilla/standards-positions/issues/1037
WebKit Bugzilla URL
https://bugs.webkit.org/show_bug.cgi?id=275147
Radar URL
rdar://129664445
Description
This proposal would enable a document to ensure it can't be scripted by other same-origin documents that have opened it.
Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application.
The noopener-allow-popups Cross-Origin-Opener-Policy value severs the opener relationship between the document loaded with this policy and its opener. At the same time, this document can open further documents (as the "allow-popups" in the name suggests) and maintain its opener relationship with them, assuming that their COOP policy allows it.
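The behaviour described above, as an added example that is not part of the original issue or of the HTML spec text: a simplified model of whether a newly opened popup keeps `window.opener`. The function names, the `{origin, coop}` object shape and the `example.test` origin are assumptions made for illustration; reporting, COEP and redirects are ignored.

```javascript
// Simplified model (assumption): decides whether a freshly opened popup keeps
// its opener, based on both documents' Cross-Origin-Opener-Policy values.
const COOP_VALUES = new Set([
  "unsafe-none", "same-origin-allow-popups", "same-origin", "noopener-allow-popups",
]);

// Parse a COOP header value: a token, optionally followed by ";param" pairs
// (e.g. report-to). Missing or unrecognised values fall back to unsafe-none.
function parseCoop(header) {
  if (typeof header !== "string") return "unsafe-none";
  const token = header.split(";")[0].trim();
  return COOP_VALUES.has(token) ? token : "unsafe-none";
}

// Returns true when the popup keeps window.opener pointing at its opener.
function popupKeepsOpener(opener, popup) {
  const openerCoop = parseCoop(opener.coop);
  const popupCoop = parseCoop(popup.coop);
  // The new value always severs the link to whoever opened the document,
  // even when the opener is same-origin.
  if (popupCoop === "noopener-allow-popups") return false;
  // "allow-popups": the opener may keep popups that set no policy themselves.
  const allowsPopups = openerCoop === "same-origin-allow-popups" ||
                       openerCoop === "noopener-allow-popups";
  if (allowsPopups && popupCoop === "unsafe-none") return true;
  if (openerCoop === "unsafe-none" && popupCoop === "unsafe-none") return true;
  if (openerCoop === "unsafe-none" || popupCoop === "unsafe-none") return false;
  // Remaining cases need identical policies on the same origin.
  return openerCoop === popupCoop && opener.origin === popup.origin;
}

// Constructed scenario: one origin hosting two applications.
const ORIGIN = "https://example.test";
const chat  = { origin: ORIGIN, coop: undefined };                // low-security app
const admin = { origin: ORIGIN, coop: "noopener-allow-popups" };  // sensitive app
const help  = { origin: ORIGIN, coop: undefined };                // opened by admin

function scenario() {
  return {
    chatCanScriptAdmin: popupKeepsOpener(chat, admin),  // chat opens admin
    adminKeepsHelpPopup: popupKeepsOpener(admin, help), // admin opens help
  };
}
```
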