whatwg / html

HTML Standard
https://html.spec.whatwg.org/multipage/

Naming bikeshed: COOP/COEP/CORP. #5255

Closed mikewest closed 4 years ago

mikewest commented 4 years ago

COOP and COEP are pretty bad acronyms, and saying "cross-origin whatever" gets old quickly. It also risks being confusing if we ever decide to add something like COOP: no-opener-not-even-for-me (as it would then affect same-origin pages).

Would it be terrible if we dropped the "cross-origin" bit, and called them "opener-policy" and "embedder-policy" instead?

OPEP is nice to say. Much nicer than "co-op and cope" (or "cope and 'ko ep'" (or more variants)). :)

craigfrancis commented 4 years ago

OP = Opener-Policy
OP = Origin-Policy

So maybe a slightly different name, possibly Isolation-Policy?

EP = Embedder-Policy
CSP = Content-Security-Policy
FP = Feature-Policy
SP = Scripting-Policy

lweichselbaum commented 4 years ago

Some ideas for COOP:

bathos commented 4 years ago

@lweichselbaum “WOP” is probably best avoided: https://en.wikipedia.org/wiki/Wop

Yay295 commented 4 years ago

imo CORP is too similar to CORS. Also you'd get a lot of false positives trying to look it up. Same with COOP.

annevk commented 4 years ago

CORP shipped already, I'd rather not rename that.

Would renaming the others lead to having to find another name for cross-origin isolated?

(COOP already affects same-origin navigations and pretty sure that was discussed as early as a year and a half ago, but naming-wise folks wanted cross-origin in there at the time.)

cc @rniwa @cdumez

wanderview commented 4 years ago

Haven't we renamed some of these once already? Every time we rename things it creates a cost in developer confusion, confusing spec discussion trail, etc. Are the current names really bad enough to warrant this?

craigfrancis commented 4 years ago

I want developers to find it easy to discuss and understand what these headers do (good names help, especially when giving a talk); but I've no idea if it's worth a second re-name (there was Cross-Origin-Window-Policy), or know how many websites currently use them (I think it's fairly low).

As an aside, I quite like Mike's idea of the COOP: no-opener-not-even-for-me - because I don't really use window.opener, so having something like Isolation-Policy: noopener (to use a well-known token); or to use a CSP/FP style syntax Isolation-Policy: opener 'none';, Isolation-Policy: opener 'self';, Isolation-Policy: opener example.com example.org;, might be useful, and could be extended in other ways in the future.

annevk commented 4 years ago

I don't think the current name prohibits us from having noopener or some such as a keyword.

craigfrancis commented 4 years ago

It wouldn’t stop you, but I’d find it a bit weird to use “Cross-Origin-Opener-Policy” to limit the use of window.opener on the Same-Origin, that’s all :-)

mikewest commented 4 years ago

I've talked with a few folks about this offline, and I've been convinced that it's better to just ship what we have given the volume of material (presentations, documents, etc) that we've created over the last year or so. I don't like the names, but I don't dislike them enough to justify more churn. So, let's ship COOP/COEP and fix side-channel attacks today, and bemoan what a bad spelling decision it was in a few years.