Severing a document's opener relationship regardless of origin

yoavweiss commented 4 months ago

What problem are you trying to solve?

Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application.

In such cases, it can be beneficial for a document to ensure it has a null opener, even if the document that opened it is a same-origin one.

It'd be great if COOP included a value that enabled that.

What solutions exist today?

There are no solutions today to solve this AFAIK.

How would you solve it?

By adding a no-opener-allow-popups value to the Cross-Origin-Opener-Policy header, that results in a null opener when calling creating a new top level travesable.

Anything else?

No response

yoavweiss commented 4 months ago

/cc @camillelamy

annevk commented 4 months ago

It seems a bit unfortunate that the header starts with Cross-Origin-*.

Also, I find omit rather vague given the current values. Are popups allowed for instance?

yoavweiss commented 4 months ago

Also, I find omit rather vague given the current values. Are popups allowed for instance?

Maybe "noopener" would be a better value. From my perspective, popups should be allowed, as long as they have their opener relationship severed.

annevk commented 4 months ago

I think I understand what you mean, but that's a confusing comment given the current set of values. As in, same-origin-allow-popups explicitly does not break the relationship with any popups. It only breaks the incoming cross-origin relationship, if any.

To date we have only used noopener for outgoing relationships, but it might still be reasonable.

I think the other bit that's missing here is some kind of rationale as to why we would want to invest in this capability.

yoavweiss commented 4 months ago

I think the other bit that's missing here is some kind of rationale as to why we would want to invest in this capability.

Fair, I augmented the OP a bit. Let me know if that's sufficient to understand the motivation.

annevk commented 4 months ago

I think that justifies incoming but not outgoing. It also raises some other questions:

What about embedding?
What about channels that are still available, such as storage, BroadcastChannel, shared workers, etc?

yoavweiss commented 4 months ago

I think that justifies incoming but not outgoing

True. Thinking through this, I agree that it doesn't matter for the use case that outgoing opener relationships would be severed.

What about embedding?

CSP frame ancestors's value of 'none' allows sensitive apps to prevent themselves from being framed by other same-origin apps.

It's true that there may be cases where a frame may want to force itself to be sandboxed from the embedder. (in cases where it needs to be framed by some same-origin apps, but not directly scripted by them)

What about channels that are still available, such as storage, BroadcastChannel, shared workers, etc?

Those are presumed to be fine as communication between the different apps is permitted. (they are still the same origin)

yoavweiss commented 4 months ago

I think I understand what you mean, but that's a confusing comment given the current set of values. As in, same-origin-allow-popups explicitly does not break the relationship with any popups. It only breaks the incoming cross-origin relationship, if any.

To date we have only used noopener for outgoing relationships, but it might still be reasonable.

Changed to OP to propose the value to be no-opener-allow-popups. Let me know if that's clearer.

yoavweiss commented 4 months ago

After some prototyping, I'm now less certain that this can be achieved without an opt-in from the opener.

Given that window.open() is sync, and that COOP headers are received later on, it's unclear to me we can sever the relationship from the opener to the openee synchronously.

Maybe we can somehow severe it after the headers are received, but I'm not sure how that would look like without creating race conditions.

/cc @camillelamy @ArthurSonzogni

annevk commented 4 months ago

The opener would have a reference to a closed initial about:blank. That's the same as with COOP today, no?

ArthurSonzogni commented 4 months ago

it's unclear to me we can sever the relationship from the opener to the openee synchronously.

A "frame" can't stand without a document. So when creating an or a popup, they are both starting from the initial empty document. Creating the pair of frame and its initial document is always synchronous.</p> <p>This is only after a subsequent navigation (always asynchronous) that we start receiving headers and can decide to instantiate the next document in a different browsing context group.</p> <blockquote> <p>Maybe we can somehow sever it after the headers are received, but I'm not sure how that would look like without creating race conditions.</p> </blockquote> <p>From the implementation or specification point of view? Modifying <code>ShouldSwapBrowsingInstanceForCrossOriginOpenerPolicy</code> in your patch seems right. Hopefully, the COOP implementation can be reused.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/smaug----"><img src="https://avatars.githubusercontent.com/u/9219935?v=4" />smaug----</a> commented <strong> 4 months ago</strong> </div> <div class="markdown-body"> <p>So how should this work if a new window is first opened with page A and then later navigated to B and only B uses the new header? The Window(Proxy) A (and B?) uses may have plenty of other references than the opener relationship at that point.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/yoavweiss"><img src="https://avatars.githubusercontent.com/u/786187?v=4" />yoavweiss</a> commented <strong> 4 months ago</strong> </div> <div class="markdown-body"> <blockquote> <p>So how should this work if a new window is first opened with page A and then later navigated to B and only B uses the new header? The Window(Proxy) A (and B?) uses may have plenty of other references than the opener relationship at that point.</p> </blockquote> <p>I think that would be similar to the opener relationship when page A opens a same-origin B, which then navigates to a cross-origin document.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/yoavweiss"><img src="https://avatars.githubusercontent.com/u/786187?v=4" />yoavweiss</a> commented <strong> 4 months ago</strong> </div> <div class="markdown-body"> <blockquote> <p>I think that would be similar to the opener relationship when page A opens a same-origin B, which then navigates to a cross-origin document.</p> </blockquote> <p>That's inaccurate. What I should've said is that it would be similar to the opener relationship when page A with a <code>same-origin</code> COOP opens a same-origin B with <code>same-origin</code> COOP, which then navigates to a same-origin document C with a <code>unsafe-none</code> COOP.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/smaug----"><img src="https://avatars.githubusercontent.com/u/9219935?v=4" />smaug----</a> commented <strong> 4 months ago</strong> </div> <div class="markdown-body"> <p>ok, and how does "noopener" in the new value hint about that behavior? Isn't the change you want a tweak to <a href="https://html.spec.whatwg.org/#matching-coop">https://html.spec.whatwg.org/#matching-coop</a> so that in some cases that same origin check wouldn't be done (and nothing to do with noopener as such)? </p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/yoavweiss"><img src="https://avatars.githubusercontent.com/u/786187?v=4" />yoavweiss</a> commented <strong> 4 months ago</strong> </div> <div class="markdown-body"> <p>That's indeed what I did in <a href="https://github.com/whatwg/html/pull/10394/files">https://github.com/whatwg/html/pull/10394/files</a></p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 3 months ago</strong> </div> <div class="markdown-body"> <p>I think what @smaug---- is getting at is that he doesn't find <code>noopener</code> a clear name for severing the incoming relationship as it has thus far only been used to sever the outgoing relationship. However, I'm not sure what he would prefer instead. I personally find <code>noopener[-allow-popups]</code> much clearer than the initially proposed <code>omit</code>, but maybe there is something better?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/smaug----"><img src="https://avatars.githubusercontent.com/u/9219935?v=4" />smaug----</a> commented <strong> 3 months ago</strong> </div> <div class="markdown-body"> <p>That, and also this feels like a distinct feature of COOP itself, just like the existing noopener is a feature of its own.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/yoavweiss"><img src="https://avatars.githubusercontent.com/u/786187?v=4" />yoavweiss</a> commented <strong> 3 months ago</strong> </div> <div class="markdown-body"> <p>Looking at the definition: "A <a href="https://html.spec.whatwg.org/#cross-origin-opener-policy-value">cross-origin opener policy value</a> allows a document which is navigated to in a <a href="https://html.spec.whatwg.org/#top-level-browsing-context">top-level browsing context</a> to force the creation of a new <a href="https://html.spec.whatwg.org/#top-level-browsing-context">top-level browsing context</a>, and a corresponding <a href="https://html.spec.whatwg.org/#tlbc-group">group</a>"</p> <p>That seems to be what we want here. Beyond that, we want to prevent the opener from being able to script the document in question. So to me, this very much feels related.</p> <p>I hesitated a bit on the Report-only mode and how it translates, but after thinking about it, it does seem like something we'd want in order to facilitate deployment here (just like for COOP).</p> <p>Happy to discuss this further :)</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/smaug----"><img src="https://avatars.githubusercontent.com/u/9219935?v=4" />smaug----</a> commented <strong> 3 months ago</strong> </div> <div class="markdown-body"> <p>But noopener itself is already a separate functionality in the platform. Is there a reason to not let opened page pages control opener relationship without binding that functionality to COOP. I can see use cases, at least optimizations, for noopener without COOP. The page could that way try to optimize process usage in browsers, since they are more likely to use separate process when there is no opener relationship. And even more importantly bfcache requires noopener.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 3 months ago</strong> </div> <div class="markdown-body"> <p>What additional functionality does COOP have? I thought this was it.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/smaug----"><img src="https://avatars.githubusercontent.com/u/9219935?v=4" />smaug----</a> commented <strong> 3 months ago</strong> </div> <div class="markdown-body"> <p>We discussed about this, and I can live with this. But this needs some documentation outside the normal COOP parts so that people trying to optimize for example bfcache handling can realize there is a way to break opener relationship also from openee side.</p> <p>(Still feels like mixing two different features conceptually, when noopener from caller side is a separate thingie)</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 3 months ago</strong> </div> <div class="markdown-body"> <p>Why does that documentation concern not apply to COOP generally?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/smaug----"><img src="https://avatars.githubusercontent.com/u/9219935?v=4" />smaug----</a> commented <strong> 3 months ago</strong> </div> <div class="markdown-body"> <p>It does. But having something called Cross-Origin-Opener-Policy being possibly in a critical path on enabling bfcache even on same origin pages is a bit confusing.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 3 months ago</strong> </div> <div class="markdown-body"> <p>I don't think this value necessarily helps with <code>bfcache</code> though? In particular it still allows the document to open its own popups, which would end up invalidating its cache entry as I understand it.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/smaug----"><img src="https://avatars.githubusercontent.com/u/9219935?v=4" />smaug----</a> commented <strong> 3 months ago</strong> </div> <div class="markdown-body"> <p>Right, but you have the existing noopener for those cases.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 3 months ago</strong> </div> <div class="markdown-body"> <p>I guess for bfcache the initial idea of <code>noopener</code> as a value that applies to incoming and outgoing would be quite useful then. If it's indeed the case that bfcache only works if your browsing context group only holds a single top-level browsing context at a time (which sounds about right).</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/annevk"><img src="https://avatars.githubusercontent.com/u/1544111?v=4" />annevk</a> commented <strong> 3 months ago</strong> </div> <div class="markdown-body"> <p>So two things that came up yesterday:</p> <ul> <li>As mentioned above having <code>noopener</code> as a value would be somewhat useful to be able to guarantee bfcache eligibility. cc @rubberyuzu @fergald</li> <li>We need to figure out if this should relate to COEP. This seems somewhat tricky, but I do worry that if we don't explore it now we'll regret it later. cc @camillelamy </li> </ul> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/yoavweiss"><img src="https://avatars.githubusercontent.com/u/786187?v=4" />yoavweiss</a> commented <strong> 2 months ago</strong> </div> <div class="markdown-body"> <blockquote> <ul> <li>As mentioned above having <code>noopener</code> as a value would be somewhat useful to be able to guarantee bfcache eligibility. cc @rubberyuzu @fergald</li> </ul> </blockquote> <p>Should this be a blocker? Or something we can expand to in a separate PR?</p> <blockquote> <ul> <li>We need to figure out if this should relate to COEP. This seems somewhat tricky, but I do worry that if we don't explore it now we'll regret it later. cc @camillelamy</li> </ul> </blockquote> <p>I wonder if @arturjanc or @estark37 have opinions here as well.</p> <p>From my perspective, it seems prudent to start off with this not impacting the crossOriginIsolated state, and then potentially change it once we're convinced it's safe to do so. That would be a backwards compatible change AFAICT.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/ArthurSonzogni"><img src="https://avatars.githubusercontent.com/u/4759106?v=4" />ArthurSonzogni</a> commented <strong> 2 months ago</strong> </div> <div class="markdown-body"> <blockquote> <p><a href="https://github.com/whatwg/html/issues/10471#issuecomment-2237135334">WHATNOT</a> <strong>@yoavweiss will ask @arturjanc and @ArthurSonzogni to comment on the <a href="https://github.com/whatwg/html/issues/10373">https://github.com/whatwg/html/issues/10373</a> issue.</strong></p> </blockquote> <p>I'm happy with the current proposal. Its implementation is almost the same as <code>same-origin-allow-popups</code>, except the <code>"same-origin"</code> part removal, which makes it trivial to implement and maintain.</p> <p>Regarding its interaction with COEP and process isolation, I agree that taking the most restrictive approach initially is wise (e.g. not giving any new capabilities). We can always loosen restrictions later if needed.</p> <p>I echo the concerns about potential developer misunderstandings regarding <code>noopener-allow-popups</code>. While it severs the opener/openee relationship, it's crucial to emphasize that it does not create a secure sandbox between same-origin documents. Web security primarily focuses on cross-origin threats, and assuming strong same-origin isolation would be a dangerous assumption.</p> <p>I'm glad to see a disclaimer has been added to the spec PR, highlighting that <code>noopener-allow-popups</code> offers no security guarantees between same-origin documents. Developers must be reminded to avoid including or executing untrusted content on their origin, regardless of this feature.</p> <p>I read the discussion about its potential benefits for BFCache, and Yoav's question about any potential delays or blockers this might introduce. My understanding is that this proposal creates more opportunities for BFCache utilization, as no known implementations support multiple BrowsingContexts within the same BrowsingContextGroup. This seems like a clear collateral win, without any drawbacks or necessary modifications to the proposal itself.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/arturjanc"><img src="https://avatars.githubusercontent.com/u/665379?v=4" />arturjanc</a> commented <strong> 1 month ago</strong> </div> <div class="markdown-body"> <blockquote> <blockquote> <p>We need to figure out if this should relate to COEP. This seems somewhat tricky, but I do worry that if we don't explore it now we'll regret it later. cc @camillelamy I wonder if @arturjanc or @estark37 have opinions here as well.</p> </blockquote> </blockquote> <p>IIUC the proposed COOP mode is more restrictive than COOP <code>same-origin</code> because it severs both the relationship to any popups and to the window's opener. So, at least at first glance, it should be safe to allow documents with this COOP value to unlock the <code>crossOriginIsolated</code> state (if combined with COEP).</p> <p>That said, I haven't fully thought through the interactions between different COOP modes, so there's a chance that there are tricky edge cases here. As @yoavweiss mentioned above, starting without unlocking <code>crossOriginIsolated</code> is backwards-compatible; in the future, if we can convince ourselves that this is indeed safe (i.e. that there's no situation in which this value is more permissive than COOP <code>same-origin</code>), we can always relax the restriction and let it enable cross-origin isolation.</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

whatwg / html