Closed mikewest closed 4 years ago
OP = Opener-Policy
OP = Origin-Policy
So maybe a slightly different name, possibly Isolation-Policy?
EP = Embedder-Policy
CSP = Content-Security-Policy
FP = Feature-Policy
SP = Scripting-Policy
Some ideas for COOP:
@lweichselbaum “WOP” is probably best avoided: https://en.wikipedia.org/wiki/Wop
imo CORP is too similar to CORS. Also you'd get a lot of false positives trying to look it up. Same with COOP.
CORP shipped already, I'd rather not rename that.
Would renaming the others lead to having to find another name for cross-origin isolated?
(COOP already affects same-origin navigations and pretty sure that was discussed as early as a year and a half ago, but naming-wise folks wanted cross-origin in there at the time.)
cc @rniwa @cdumez
Haven't we renamed some of these once already? Every time we rename things it creates a cost in developer confusion, confusing spec discussion trail, etc. Are the current names really bad enough to warrant this?
I want developers to find it easy to discuss and understand what these headers do (good names help, especially when giving a talk); but I've no idea if it's worth a second re-name (there was Cross-Origin-Window-Policy), or know how many websites currently use them (I think it's fairly low);
As an aside, I quite like Mike's idea of the COOP: no-opener-not-even-for-me - because I don't really use window.opener, so having something like Isolation-Policy: noopener (to use a well known token); or to use a CSP/FP style syntax Isolation-Policy: opener 'none';, Isolation-Policy: opener 'self';, Isolation-Policy: opener example.com example.org;, might be useful, and could be extended in other ways in the future.
I don't think the current name prohibits us from having noopener or some such as a keyword.
It wouldn’t stop you, but I’d find it a bit weird to use “Cross-Origin-Opener-Policy” to limit the use of window.opener on the Same-Origin, that’s all :-)
I've talked with a few folks about this offline, and I've been convinced that it's better to just ship what we have given the volume of material (presentations, documents, etc) that we've created over the last year or so. I don't like the names, but I don't dislike them enough to justify more churn. So, let's ship COOP/COEP and fix side-channel attacks today, and bemoan what a bad spelling decision it was in a few years.
COOP and COEP are pretty bad acronyms, and saying "cross-origin whatever" gets old quickly. It also risks being confusing if we ever decide to add something like COOP: no-opener-not-even-for-me (as it would then affect same-origin pages).
Would it be terrible if we dropped the "cross-origin" bit, and called them "opener-policy" and "embedder-policy" instead?
OPEP is nice to say. Much nicer than "co-op and cope" (or "cope and 'ko ep'" (or more variants)). :)