-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Early Design Review: Opener Protections #916
Comments
Hi @arichiv @johannhof. We are looking at this to triage it in today's W3C TAG meeting. We appreciate the careful diagrams in the explainer, since they help us understand WHAT you're focusing on, but can you help us with the WHY? Specifically, when would a user encounter this, and how would it change their experience on the web? Something that starts like "a user is visiting xyz type of site and trying to do abc type of action and this can put them at risk to pdq type of attack..." |
A user is visiting a shopping site and trying to check-out. Before cookie/storage partitioning, trackers could detect a conversion in an iframe but now that's not possible. Now, they have an incentive to open a pop-up (with access to unpartitioned storage and cookies) and have the shopping site pass that pop-up (loading some tracking website) information about the conversion without needing user permission. @johannhof if I missed something |
Thanks, @arichiv. That's helpful indeed — we'd be grateful if you would add that to the explainer. |
@arichiv It would be really helpful to have a bit more information in the examples - that you've laid out - so we can understand what risk is being introduced / mitigated against at each step? I think this info is evident to you, but not evident to the reader. Could you build on the example that you provided in the comment above and extend that a bit? |
Can do! I'll try to have these edits in next week. |
* Elaborate on examples w3ctag/design-reviews#916 (comment) * Update README.md * Update README.md Co-authored-by: Johann Hofmann <[email protected]> * Update README.md Co-authored-by: Johann Hofmann <[email protected]> --------- Co-authored-by: Johann Hofmann <[email protected]>
Hi @arichiv thanks for updating those examples - that's much appreciated. You noted in your explainer that there are 2 proposals. Do you have any further info at this point about which proposal will work better? Have you done any testing or do you have any data you can share? |
Unfortunately not yet, I hope to have that in Q2 this year. |
Hi @arichiv thanks for the response. We're trying to figure out how we can best be helpful here. Would it make sense to put this review on hold until you have further information about which approach you're planning to take? Is there further guidance that you'd like from the TAG at this point? |
Putting it on hold for now is reasonable, I think a revised approach might be forthcoming soon. |
Hi @arichiv just pinging this. Should we keep this issue open or are you likely to file a new review request for whatever the revised approach is? Thanks! |
This can be closed out, a somewhat related initial step is at: #956 |
こんにちは TAG-さん!
I'm requesting a TAG review of Opener Protections.
Our goal is to maintain cross-page communication where important to web function while striking a better balance with user-privacy.
This will be done in two steps. First, whenever a frame navigates cross-origin any other windows with a window.opener handle pointing to the navigating frame will have that handle cleared. Second, either (a) any frames with a valid window.opener (or window.top.opener) handle at the time of navigation will have transient storage via a StorageKey nonce instead of access to standard first- and third-party StorageKeys or (b) the opener will be severed by default until user interaction or an API call restores it.
The first proposal should be less disruptive than either of the second, but metrics will need to be gathered on both. Once implemented, these proposals together prevent any synchronous or asynchronous communication between a first- and third-party storage bucket for the same origin. Instead, communication between two buckets for the same origin will only be possible if one of the buckets is transient. This mitigates the threats we are concerned with.
Further details:
We'd prefer the TAG provide feedback as (please delete all but the desired option):
💬 leave review feedback as a comment in this issue and @-notify @arichiv, @johannhof
The text was updated successfully, but these errors were encountered: