Cross-Origin-Opener-Policy: restrict-properties

[camillelamy]

Introduction

Describe the challenge or problem on the web you are proposing we address.

Cross-Origin-Opener-Policy is used to sever the relationship between popup and openers, to increase security. "restrict-properties" is a proposed value that restricts the relationship instead of completely severing it. It would enable crossOriginIsolated when paired with COEP.

Developers that want their website to be crossOriginIsolated currently need to give up all relationship with popups. This makes it impossible for websites that use SSO, payments or other APIs that function via popups to be crossOriginIsolated. For these websites, we propose a new COOP value, "restrict-properties" that allows communication via postMessage and closed, while enabling crossOriginIsolated.

COOP "restrict-properties" also allows websites to protect themselves against several XS-Leaks (e.g. frame counting) while supporting popups.

Read the complete Explainer.

Note that this is currently implemented in Chrome in an Origin Trial.

Feedback (Choose One)

Please provide all feedback below.

I welcome feedback in this thread, but encourage you to file bugs against the Explainer.

[bartoszniemczura]

Thanks for introducing the "restrict-properties" mode. Meta is currently experimenting with it in order to enable adoption of COOP in OAuth and payment flows. We're looking forward to enabling it in production version of Chrome as well as other browsers.

[cwilso]

This sounds like support. @camillelamy did you want to transfer this repo to me to move into the WICG org?

[camillelamy]

Yes please! (though maybe hold on until tomorrow as we're still discussing final name in Web App Sec).

[cwilso]

Sounds good.

…

On Thu, Sep 14, 2023, 12:29 PM Camille Lamy ***@***.***> wrote: Yes please! (though maybe hold on until tomorrow as we're still discussing final name in Web App Sec). — Reply to this email directly, view it on GitHub <#114 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAD3Y6OJMNDBTSW4WL5ZPKTX2LMAHANCNFSM6AAAAAA3UKNWYI> . You are receiving this because you commented.Message ID: ***@***.***>

[camillelamy]

@cwilso Could you transfer the repo to the WICG org? It seems we don't have a better name than COOP restrict-properties so let's go with this one.

[cwilso]

@camillelamy of course. You'll need to start this by transferring the repo to me (cwilso), then I can transfer it.

[camillelamy]

Thanks! I should have transferred the repo (now named coop-restrict-properties).

[cwilso]

Transferred: https://github.com/WICG/coop-restrict-properties.