Contact emails [email protected] [email protected]
Explainer https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k Specification https://tc39.github.io/ecma262/#sec-sharedarraybuffer-objects Design docs Including the new security requirements https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer Discussion how and what to gate https://github.com/whatwg/html/issues/4732 Summary ‘SharedArrayBuffers’ (SABs) on desktop platforms are restricted to cross-origin isolated environments, matching the behavior we've recently shipped on Android and Firefox. We've performed that change in Chrome 92. A reverse OT was started to give developers the option to use SABs in case they are not able to adopt cross origin isolation yet. Updates We’ve received lots of feedback that adopting COOP/COEP is difficult (details above). Nevertheless we made substantial progress towards removing the usage - Chromestatus is showing that SABs in non-COI context are being used on ~0.027% <https://chromestatus.com/metrics/feature/timeline/popularity/3721> page loads (down from >2.5%). The API owners asked to prove substantial progress to allow an extension until M113 (aimed OT start of the last feature), which I’m happy to share. Once we’ve started the OT I’ll come back to this thread sharing feedback and the final deprecation timeline. 1. COEP:credentialless <https://github.com/WICG/credentiallessness> - https://crbug.com/1218896 COEP:credentialless was shipped in M96. (Adoption is already increasing to 0.0032% <https://chromestatus.com/metrics/feature/popularity#CrossOriginEmbedderPolicyCredentialless> of main pages) 1. COOP: restrict-properties <https://github.com/hemeryar/explainers/blob/main/coop_restrict_properties.md> - launch bug <https://bugs.chromium.org/p/chromium/issues/detail?id=1347385> - I2E <https://groups.google.com/a/chromium.org/g/blink-dev/c/JrMX5H2PX_o/m/JipeWijACAAJ> Developers who depend on pop ups to 3P for e.g. identity or payment flows can’t currently deploy cross-origin-isolation. To allow crossOriginIsolated pages to use popup-based OAuth/payment flows, we plan to have a new COOP value: “restrict-properties” that enables crossOriginIsolation when used in conjunction with COEP. This new value restricts cross-window access to just postMessage and closed instead of completely severing popup access. Spec work is ongoing (see discussion <https://github.com/whatwg/html/issues/6364>, and previous iteration PR <https://github.com/whatwg/html/pull/7783>) and requires partners input to convince others that it is the correct solution. Initial design and implementation met some issues and we got back to the design stage after missing the OT in 109. We are iterating on it with support from Chrome Security Architecture. See the design doc <https://docs.google.com/document/d/1qXlC6HZXd6UDokI8_cHYAVaXhHop0Ia6-z3fZl6saX8/edit> and this discussion doc <https://docs.google.com/document/d/1gJNFK_hOhQ-nbrAVi5QvoS32QOutOR1IrXHLWIjade4/edit> for details. We are now planning to have an OT in early 2022. Other vendors and TAG need to be queried again for standardization once the new design is considered good, but that is not required to start the OT, since feedback will very likely have influence. This feature is the last puzzle piece to make COI adoption possible across various use cases. 1. Anonymous iframes <https://github.com/WICG/anonymous-iframe> - launch bug <https://crbug.com/1342928> - I2P <https://groups.google.com/a/chromium.org/g/blink-dev/c/CjrLTguZuO4/m/kEO65RvCAAAJ> - I2E <https://groups.google.com/a/chromium.org/g/blink-dev/c/-7H19EHTenU/m/oWfFm21eAAAJ> - I2S <https://groups.google.com/a/chromium.org/g/blink-dev/c/twjmdCcfHYM> Anonymous iframes are a generalization of COEP credentialless to support 3rd party iframes. Instead of waiting for the third party to opt-in into COEP, it allows the embedder to load the public version of iframe without requiring COEP. The anonymous iframe’s document is assigned a new and ephemeral storage/network/cookie partition. The Anonymous iframes <https://github.com/WICG/anonymous-iframe> OT started in M106 and we’ve received positive <https://docs.google.com/document/d/1WzOrxIQnq9sTFkou9P8GshrQSeyO3MBdSvYqJjP410Q/edit#bookmark=id.cm0t44nhlzwt> feedback from developers. We would like to address issue/5 <https://github.com/WICG/anonymous-iframe/issues/5> and enable the feature in M110 The spec: https://wicg.github.io/anonymous-iframe/#specification (PRs: 1 <https://github.com/whatwg/html/pull/7695>,2 <https://github.com/whatwg/fetch/pull/1416>,3 <https://github.com/whatwg/storage/pull/139>) Cheers, Lutz -- You received this message because you are subscribed to the Google Groups "blink-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAH0ixBOYR2OC1O1wh1ggsLo9Ah_CN5u9fHGOdfB-KrqZPAJ3wA%40mail.gmail.com.
