Cross-Origin Opener Policy: restrict-properties #213
Description
To use SharedArrayBuffer or WebAssembly multithreading today we need to enable Cross-Origin Isolation by adding appropriate COOP (same-origin) and COEP (require-corp) headers. But this breaks the existing OAuth flows (social sign-in, payments, etc.) that require popups and communication with popups.
The COOP: restrict-properties proposal is the proposed solution for this, but it is still in early phases and not implemented in browsers. However, for Chromium-based browsers, an Origin Trial exists to be able to use SharedArrayBuffer without cross-origin isolation until this issue is resolved, but nothing like that exists for other browsers. This forces developers to either find workarounds with poor performance or end up not shipping a feature on non-Chromium browsers.
It would be really great if the COOP: restrict-properties spec can be finalized and implemented across all browsers, or maybe till then there could be a way to enable SharedArrayBuffer without Cross-Origin Isolation on non-Chromium browsers as well.
Rationale
Lack of this feature takes away the ability for some websites to use powerful features like:
- WebAssembly multi-threading.
- SharedArrayBuffer (apart from WASM threading for performance, background work, etc.)
- High Precision Timers
- Measure page memory usage (Important for performance/memory intensive applications)
It is really painful to not be able to use these capabilities along with OAuth or popup related flows. It’s not possible to do away with core requirements like social sign-in or payments which need OAuth/popups.
Chromium bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1221127
Specification
https://github.com/hemeryar/explainers/blob/main/coop_restrict_properties.md
whatwg/html#6364
Tests
https://wpt.fyi/results/html/cross-origin-opener-policy/tentative/restrict-properties
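
The trade-off this issue describes, as an added example that is not part of the original issue or of any browser's code: a header audit that reports whether a response's COOP/COEP pair enables cross-origin isolation and whether the handle to cross-origin popups survives. The function names and sample values are hypothetical; a value the browser does not implement (here `restrict-properties`) is modelled as falling back to `unsafe-none`, and `credentialless` is counted as an isolating COEP value alongside the `require-corp` the issue names.

```javascript
// Added example (not from the issue). Models headers only, not Permissions-Policy.
const KNOWN_COOP = new Set(["unsafe-none", "same-origin-allow-popups", "same-origin"]);
const KNOWN_COEP = new Set(["unsafe-none", "require-corp", "credentialless"]);

// First token of a structured-header value: 'same-origin; report-to="x"' -> 'same-origin'.
function firstToken(raw) {
  return typeof raw === "string" ? raw.split(";")[0].trim() : "";
}

// Missing or unrecognised values fall back to 'unsafe-none', which is how a browser
// that does not implement a value (e.g. the proposed restrict-properties) treats it.
function effectivePolicy(raw, known) {
  const token = firstToken(raw);
  return known.has(token) ? token : "unsafe-none";
}

function auditIsolationHeaders(headers) {
  // Header names are case-insensitive; the policy tokens themselves are not.
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const rawCoop = h["cross-origin-opener-policy"];
  const coop = effectivePolicy(rawCoop, KNOWN_COOP);
  const coep = effectivePolicy(h["cross-origin-embedder-policy"], KNOWN_COEP);
  const findings = [];

  // Isolation (needed for SharedArrayBuffer / WebAssembly threads) requires both headers.
  const isolated = coop === "same-origin" && coep !== "unsafe-none";
  // COOP: same-origin cuts the window reference between the page and cross-origin popups.
  const popupHandleKept = coop !== "same-origin";

  const declared = firstToken(rawCoop);
  if (declared && declared !== coop)
    findings.push(`COOP "${declared}" not recognised, treated as ${coop}`);
  if (!rawCoop && h["cross-origin-opener-policy-report-only"])
    findings.push("COOP is report-only and is not enforced");
  findings.push(isolated
    ? "isolated: cross-origin popup flows (OAuth, payments) lose their window handle"
    : "not isolated: SharedArrayBuffer and WebAssembly threads unavailable");

  return { coop, coep, isolated, popupHandleKept, findings };
}
```

Run against a response that sets `restrict-properties`, the audit shows the silent failure mode in a browser without support: the page keeps its popups but is not isolated.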