Add a noopener-allow-popups value to COOP

yoavweiss · web-flow · commit 60d1874c748e · 2024-10-08T14:22:34.000+02:00
Some origins can contain different applications with different levels of security requirements. In those cases, it can be beneficial to prevent scripts running in one application from being able to open and script pages of another same-origin application. In such cases, it can be beneficial for a document to ensure its opener cannot script it, even if the opener document is a same-origin one. This adds a noopener-allow-popups Cross-Origin-Opener-Policy value that severs the opener relationship between the document loaded with this policy and its opener. At the same time, this document can open further documents (as the "allow-popups" in the name suggests) and maintain its opener relationship with them, assuming that their COOP policy allows it. Explainer: https://gist.github.com/yoavweiss/c7b61e97e6f8d207be619f87ab96ead5. Fixes #10373.
diff --git a/source b/source
@@ -86803,6 +86803,46 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
     `<code>Cross-Origin-Embedder-Policy</code>` header whose value is <span>compatible with
     cross-origin isolation</span> together.</p>
    </dd>
+
+   <dt>"<dfn><code data-x="coop-noopener-allow-popups">nooopener-allow-popups</code></dfn>"</dt>
+   <dd>
+    <p>This forces the creation of a new <span>top-level browsing context</span> for the document,
+    regardless of its predecessor.</p>
+
+    <div class="note">
+     <p>While including a <code
+     data-x="coop-noopener-allow-popups">nooopener-allow-popups</code> value severs the opener
+     relationship between the document on which it is applied and its opener, it does not create a
+     robust security boundary between those same-origin documents.</p>
+
+     <p>Other risks from same-origin applications include:</p>
+
+     <ul>
+      <li><p>Same-origin requests fetching the document's content — could be mitigated through
+      Fetch Metadata filtering. <ref>FETCHMETADATA</ref></p></li>
+      <li><p>Same-origin framing - could be mitigated through <code>X-Frame-Options</code> or CSP
+      <code data-x="frame-ancestors directive">frame-ancestors</code>.</p></li>
+      <li><p>JavaScript accessible cookies - can be mitigated by ensuring all cookies are <code
+      data-x="">httponly</code>.</p></li>
+      <li><p><code data-x="dom-localStorage">localStorage</code> access to sensitive data.</p></li>
+      <li><p>Service worker installation.</p></li>
+      <li><p><a href="https://w3c.github.io/ServiceWorker/#cache">Cache API</a> manipulation or
+      access to sensitive data. <ref>SW</ref></p></li>
+      <li><p><code data-x="">postMessage</code> or <code>BroadcastChannel</code> messaging that
+      exposes sensitive information.</p></li>
+      <li><p>Autofill which may not require user interaction for same-origin documents.</p></li>
+     </ul>
+
+     <p>Developers using <code data-x="coop-noopener-allow-popups">nooopener-allow-popups</code>
+     need to make sure that their sensitive applications don't rely on client-side features
+     accessible to other same-origin documents, e.g., <code
+     data-x="dom-localStorage">localStorage</code> and other client-side storage APIs,
+     <code>BroadcastChannel</code> and related same-origin communication mechanisms. They also need
+     to make sure that their server-side endpoints don't return sensitive data to non-navigation
+     requests, whose response content is accessible to same-origin
+     documents.</p>
+    </div>
+   </dd>
   </dl>
 
   <div w-nodev>
@@ -86826,18 +86866,21 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
   </ul>
 
   <p>To <dfn data-x="matching-coop">match opener policy values</dfn>, given an <span>opener policy
-  value</span> <var>A</var>, an <span>origin</span> <var>originA</var>, an <span>opener policy
-  value</span> <var>B</var>, and an <span>origin</span> <var>originB</var>:</p>
+  value</span> <var>documentCOOP</var>, an <span>origin</span> <var>documentOrigin</var>, an
+  <span>opener policy value</span> <var>responseCOOP</var>, and an <span>origin</span>
+  <var>responseOrigin</var>:</p>
 
   <ol>
-   <li><p>If <var>A</var> is "<code data-x="coop-unsafe-none">unsafe-none</code>" and <var>B</var>
-   is "<code data-x="coop-unsafe-none">unsafe-none</code>", then return true.</p></li>
+   <li><p>If <var>documentCOOP</var> is "<code data-x="coop-unsafe-none">unsafe-none</code>" and
+   <var>responseCOOP</var> is "<code data-x="coop-unsafe-none">unsafe-none</code>", then return
+   true.</p></li>
 
-   <li><p>If <var>A</var> is "<code data-x="coop-unsafe-none">unsafe-none</code>" or <var>B</var>
-   is "<code data-x="coop-unsafe-none">unsafe-none</code>", then return false.</p></li>
+   <li><p>If <var>documentCOOP</var> is "<code data-x="coop-unsafe-none">unsafe-none</code>" or
+   <var>responseCOOP</var> is "<code data-x="coop-unsafe-none">unsafe-none</code>", then return
+   false.</p></li>
 
-   <li><p>If <var>A</var> is <var>B</var> and <var>originA</var> is <span>same origin</span> with
-   <var>originB</var>, then return true.</p></li>
+   <li><p>If <var>documentCOOP</var> is <var>responseCOOP</var> and <var>documentOrigin</var> is
+   <span>same origin</span> with <var>responseOrigin</var>, then return true.</p></li>
 
    <li><p>Return false.</p></li>
   </ol>
@@ -86911,6 +86954,11 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
      <var>policy</var>'s <span data-x="coop-struct-value">value</span> to "<code
      data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>".</p></li>
 
+     <li><p>If <var>parsedItem</var>[0] is "<code
+     data-x="coop-noopener-allow-popups">noopener-allow-popups</code>", then set
+     <var>policy</var>'s <span data-x="coop-struct-value">value</span> to "<code
+     data-x="coop-noopener-allow-popups">noopener-allow-popups</code>".</p></li>
+
      <li><p>If <var>parsedItem</var>[1]["<code data-x="coop-report-to">report-to</code>"] <span
      data-x="map exists">exists</span> and it is a string, then set <var>policy</var>'s <span
      data-x="coop-struct-report-endpoint">reporting endpoint</span> to
@@ -86974,25 +87022,22 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
   <h5 id="browsing-context-group-switches-due-to-cross-origin-opener-policy">Browsing context group
   switches due to opener policy</h5>
 
-  <p>To <dfn data-x="check-browsing-context-group-switch-coop-value">check if COOP values require a
-  browsing context group switch</dfn>, given a boolean <var>isInitialAboutBlank</var>, two <span
+  <p>To <dfn data-x="check-browsing-context-group-switch-coop-value-popup">check if popup COOP
+  values require a browsing context group switch</dfn>, given two <span
   data-x="origin">origins</span> <var>responseOrigin</var> and
   <var>activeDocumentNavigationOrigin</var>, and two <span data-x="coop-struct-value">opener policy
   values</span> <var>responseCOOPValue</var> and <var>activeDocumentCOOPValue</var>:</p>
-
   <ol>
-   <li><p>If the result of <span data-x="matching-coop">matching</span>
-   <var>activeDocumentCOOPValue</var>, <var>activeDocumentNavigationOrigin</var>,
-   <var>responseCOOPValue</var>, and <var>responseOrigin</var> is true, return false.</p></li>
+   <li><p><var>responseCOOPValue</var> is "<code
+   data-x="coop-noopener-allow-popups">noopener-allow-popups</code>", then return true.</p></li>
 
    <li>
     <p>If all of the following are true:</p>
 
     <ul>
-     <li><p><var>isInitialAboutBlank</var>;</p></li>
-
      <li><p><var>activeDocumentCOOPValue</var>'s <span data-x="coop-struct-value">value</span> is
-     "<code data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>"; and</p></li>
+     "<code data-x="coop-same-origin-allow-popups">same-origin-allow-popups</code>" or
+     "<code data-x="coop-noopener-allow-popups">noopener-allow-popups</code>"; and</p></li>
 
      <li><p><var>responseCOOPValue</var> is "<code
      data-x="coop-unsafe-none">unsafe-none</code>",</p></li>
@@ -87001,6 +87046,34 @@ dictionary <dfn dictionary>DragEventInit</dfn> : <span>MouseEventInit</span> {
     <p>then return false.</p>
    </li>
 
+   <li><p>If the result of <span data-x="matching-coop">matching</span>
+   <var>activeDocumentCOOPValue</var>, <var>activeDocumentNavigationOrigin</var>,
+   <var>responseCOOPValue</var>, and <var>responseOrigin</var> is true, then return false.</p></li>
+
+   <li><p>Return true.</p>
+  </ol>
+
+  <p>To <dfn data-x="check-browsing-context-group-switch-coop-value">check if COOP values require a
+  browsing context group switch</dfn>, given a boolean <var>isInitialAboutBlank</var>, two <span
+  data-x="origin">origins</span> <var>responseOrigin</var> and
+  <var>activeDocumentNavigationOrigin</var>, and two <span data-x="coop-struct-value">opener policy
+  values</span> <var>responseCOOPValue</var> and <var>activeDocumentCOOPValue</var>:</p>
+
+  <ol>
+   <li><p>If <var>isInitialAboutBlank</var> is true, then return the result of <span
+   data-x="check-browsing-context-group-switch-coop-value-popup">checking if popup COOP values
+   requires a browsing context group switch</span> with <var>responseOrigin</var>,
+   <var>activeDocumentNavigationOrigin</var>, <var>responseCOOPValue</var>, and
+   <var>activeDocumentCOOPValue</var>.</p></li>
+
+   <li>
+    <p class="note">Here we are dealing with a non-popup navigation.</p>
+
+    <p>If the result of <span data-x="matching-coop">matching</span>
+    <var>activeDocumentCOOPValue</var>, <var>activeDocumentNavigationOrigin</var>,
+    <var>responseCOOPValue</var>, and <var>responseOrigin</var> is true, then return false.</p>
+   </li>
+
    <li><p>Return true.</p>
   </ol>
 
@@ -143606,6 +143679,9 @@ INSERT INTERFACES HERE
    <dt id="refsFETCH">[FETCH]</dt>
    <dd><cite><a href="https://fetch.spec.whatwg.org/">Fetch</a></cite>, A. van Kesteren. WHATWG.</dd>
 
+   <dt id="refsFETCHMETADATA">[FETCH-METADATA]</dt>
+   <dd><cite><a href="https://w3c.github.io/webappsec-fetch-metadata/">Fetch Metadata Request Headers</a></cite>, M.West. W3C.</dd>
+
    <dt id="refsFILEAPI">[FILEAPI]</dt>
    <dd><cite><a href="https://w3c.github.io/FileAPI/">File API</a></cite>, A. Ranganathan. W3C.</dd>
 
