-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cross-Origin Opener Policy: restrict-properties #213
Comments
Is there a plan to move this to a standards-track document, as otherwise this proposal is going to fail on the basis of "not on the standardisation path"? |
ah, see whatwg/html#6364 |
That bug doesn't seem to be strictly about restrict-properties, but having some communication mechanism to solve the issue current coop/coep brings in. |
Thank you for proposing Cross-Origin Opener Policy: restrict-properties for inclusion in Interop 2023. We wanted to let you know that this proposal was not selected to be part of Interop this year. The web standard for this technology has not yet reached a point where inclusion in the Interop project makes sense. Resubmitting a proposal for this feature as part of a future round of Interop would be welcome. For an overview of our process, see the proposal selection summary. Thank you again for contributing to Interop 2023! Posted on behalf of the Interop team. |
Description
To use SharedArrayBuffer or WebAssembly multithreading today we need to enable Cross-Origin Isolation by adding appropriate COOP (same-origin) and COEP (require-corp) headers. But this breaks the existing OAuth flows (social sign-in, payments, etc.) that require popups and communication with popups.
The COOP: restrict-properties proposal is the proposed solution for this but it is still in early phases and not implemented in browsers. However, for Chromium based browsers, an Origin Trial exists to be able to use SharedArrayBuffer without cross-origin isolation until this issue is resolved but nothing like that exists for other browsers. This forces developers to either find workarounds with poor performance or end up not shipping a feature on non-chromium browsers.
It would be really great if the COOP: restrict properties spec can be finalized and implemented across all browsers or maybe till then there could be a way to enable SharedArrayBuffer without Cross Origin Isolation on non-Chromium Browsers as well.
Rationale
Lack of this feature takes away the ability for some websites to use powerful features like:
It is really painful to not be able to use these capabilities along with OAuth or popup related flows. It’s not possible to do away with core requirements like social sign-in or payments which need OAuth/popups.
Chromium bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1221127
Specification
https://github.com/hemeryar/explainers/blob/main/coop_restrict_properties.md
whatwg/html#6364
Tests
https://wpt.fyi/results/html/cross-origin-opener-policy/tentative/restrict-properties
The text was updated successfully, but these errors were encountered: