From 99a9f5c4b80e71d92e6b4825e8b312a71befa34e Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Wed, 29 May 2024 12:31:57 +0200 Subject: [PATCH 1/9] Add an `omit` value to Cross-Origin-Opener-Policy --- source | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/source b/source index ebc2fae096f..a6f39338208 100644 --- a/source +++ b/source @@ -86791,6 +86791,10 @@ dictionary DragEventInit : MouseEventInit { `Cross-Origin-Embedder-Policy` header whose value is compatible with cross-origin isolation together.

+ +
"omit"
+

This forces the creation of a new top-level browsing context for the + document, regardless of its predecessor.

@@ -86824,6 +86828,9 @@ dictionary DragEventInit : MouseEventInit {
  • If A is "unsafe-none" or B is "unsafe-none", then return false.

  • +
  • If A is "omit" or B + is "omit", then return false.

  • +
  • If A is B and originA is same origin with originB, then return true.

  • @@ -97038,14 +97045,16 @@ interface NotRestoredReasons {
  • Let currentDocument be currentNavigable's active document.

  • -
  • -

    If currentDocument's cross-origin opener - policy's value is "same-origin" or "same-origin-plus-COEP", and +

  • Let coop value be the currentDocument's cross-origin opener policy's value.

  • + +
  • If coop value is "omit" or if currentDocument's origin is not same origin with currentDocument's relevant settings - object's top-level origin, then:

    + object's top-level origin, and coop value is + "same-origin" or "same-origin-plus-COEP", then:

    1. Set noopener to true.

    2. From b0a00bf5e530958e3db9f9d85dbbeb05b13fb8de Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Wed, 5 Jun 2024 09:29:17 +0200 Subject: [PATCH 2/9] Change to noopener --- source | 39 ++++++++++++++++++++------------------- 1 file changed, 20 insertions(+), 19 deletions(-) diff --git a/source b/source index a6f39338208..c83c448af11 100644 --- a/source +++ b/source @@ -86792,7 +86792,7 @@ dictionary DragEventInit : MouseEventInit { cross-origin isolation together.

      -
      "omit"
      +
      "nooopener-allow-popups"

      This forces the creation of a new top-level browsing context for the document, regardless of its predecessor.

      @@ -86818,21 +86818,24 @@ dictionary DragEventInit : MouseEventInit {

      To match opener policy values, given an opener policy - value A, an origin originA, an opener policy - value B, and an origin originB:

      + value document COOP, an origin document origin, an + opener policy value response COOP, and an origin + response origin:

        -
      1. If A is "unsafe-none" and B - is "unsafe-none", then return true.

      2. +
      3. If document COOP is "unsafe-none" and + response COOP is "unsafe-none", then return + true.

      4. -
      5. If A is "unsafe-none" or B - is "unsafe-none", then return false.

      6. +
      7. If document COOP is "unsafe-none" or + response COOP is "unsafe-none", then return + false.

      8. -
      9. If A is "omit" or B - is "omit", then return false.

      10. +
      11. If response COOP is "noopener-allow-popups", then return false.

      12. -
      13. If A is B and originA is same origin with - originB, then return true.

      14. +
      15. If document COOP is response COOP and document origin is + same origin with response origin, then return true.

      16. Return false.

      @@ -97045,16 +97048,14 @@ interface NotRestoredReasons {
    3. Let currentDocument be currentNavigable's active document.

    4. -
    5. Let coop value be the currentDocument's cross-origin opener policy's value.

    6. - -
    7. If coop value is "omit" or if +

    8. +

      If currentDocument's cross-origin opener + policy's value is "same-origin" or "same-origin-plus-COEP", and currentDocument's origin is not same origin with currentDocument's relevant settings - object's top-level origin, and coop value is - "same-origin" or "same-origin-plus-COEP", then:

      + object's top-level origin, then:

      1. Set noopener to true.

      2. From bd2de0fd7a3378ad6f52d26ff6512d2fbd7640e9 Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Mon, 10 Jun 2024 17:58:36 +0200 Subject: [PATCH 3/9] Parse the noopener value --- source | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/source b/source index c83c448af11..7d1b65bea2c 100644 --- a/source +++ b/source @@ -86909,6 +86909,11 @@ dictionary DragEventInit : MouseEventInit { policy's value to "same-origin-allow-popups".

        +
      3. If parsedItem[0] is "noopener-allow-popups", then set + policy's value to "noopener-allow-popups".

      4. +
      5. If parsedItem[1]["report-to"] exists and it is a string, then set policy's reporting endpoint to From 443828bf0a57f2c31ba0008a77ea5d28ae2b55ea Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Tue, 2 Jul 2024 17:29:41 +0200 Subject: [PATCH 4/9] Fix up algorithm --- source | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/source b/source index 7d1b65bea2c..1e4b6a2dbc4 100644 --- a/source +++ b/source @@ -86986,7 +86986,13 @@ dictionary DragEventInit : MouseEventInit {

        1. If the result of matching activeDocumentCOOPValue, activeDocumentNavigationOrigin, - responseCOOPValue, and responseOrigin is true, return false.

        2. + responseCOOPValue, and responseOrigin is true, then return false.

          + +
        3. If activeDocumentCOOPValue is "noopener-allow-popups" and + responseCOOPValue is "same-origin-allow-popups" or "unsafe-none", then return false.

        4. If all of the following are true:

          From 601aed2b352186ce061e350a588aa2f747c921d4 Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Wed, 10 Jul 2024 13:11:04 +0200 Subject: [PATCH 5/9] Add a note regarding further leaks between same-origin documents --- source | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/source b/source index 1e4b6a2dbc4..5a7a23e4f24 100644 --- a/source +++ b/source @@ -86793,8 +86793,32 @@ dictionary DragEventInit : MouseEventInit {
          "nooopener-allow-popups"
          -

          This forces the creation of a new top-level browsing context for the - document, regardless of its predecessor.

          +
          +

          This forces the creation of a new top-level browsing context for the + document, regardless of its predecessor.

          + +
          +

          While including a nooopener-allow-popups value severs the opener + relationship between the document on which it is applied and its opener, it does not create + a robust security boundary between those same-origin documents.

          + +

          Other risks from same-origin applications include:

          +
            +
          • Same-origin requests fetching the document's content - could be mitigated through Fetch + Metadata filtering.
          • +
          • Same-origin framing - could be mitigated through X-Frame-Options or CSP + frame-ancestors.
          • +
          • Javascript accessible cookies - can be mitigated by ensuring all cookies are + httponly.
          • +
          • localStorage access to sensitive data.
          • +
          • Service worker installation.
          • +
          • postMessage or BroadcastChannel messaging that exposes + sensitive information.
          • +
          • Autofill which may not require user interaction for same-origin documents.
          • +
          +
          +
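Review bot: the note again uses the misspelled value "nooopener-allow-popups", and the "Other risks" list mixes items with a stated mitigation and items without one; for localStorage, service worker installation and postMessage/BroadcastChannel, say explicitly that no header-level mitigation exists and the application must avoid relying on them, since that is the practical point of the note. Minor: "Javascript" should be "JavaScript", "httponly" is the HttpOnly cookie attribute, and "Other risks from same-origin applications" should read "same-origin documents" to match the sentence before it.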
          From dffb2ca6237de8554e9c161ec099b1f867c5fe8b Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Wed, 10 Jul 2024 13:48:03 +0200 Subject: [PATCH 6/9] Turn dl to div --- source | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/source b/source index 5a7a23e4f24..120d63c7021 100644 --- a/source +++ b/source @@ -86797,7 +86797,7 @@ dictionary DragEventInit : MouseEventInit {

          This forces the creation of a new top-level browsing context for the document, regardless of its predecessor.

          -
          +

          While including a nooopener-allow-popups value severs the opener relationship between the document on which it is applied and its opener, it does not create @@ -86817,7 +86817,7 @@ dictionary DragEventInit : MouseEventInit { sensitive information.

        5. Autofill which may not require user interaction for same-origin documents.
        6. - +
  • From 28caad5f427279ee31d1a3c59a9492d05d7ce83f Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Fri, 9 Aug 2024 11:14:54 +0200 Subject: [PATCH 7/9] Tighten the warning against other leaks --- source | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/source b/source index 120d63c7021..bb739d2b6dd 100644 --- a/source +++ b/source @@ -86817,6 +86817,12 @@ dictionary DragEventInit : MouseEventInit { sensitive information.
  • Autofill which may not require user interaction for same-origin documents.
  • +

    Developers using nooopener-allow-popups + need to make sure that their sensitive applications don't rely on client-side features + accessible to other same-origin documents, e.g. localStorage and other client-side storage APIs, + BroadcastChannel and related same-origin communication mechanisms. They also need to make sure + that their server-side endpoints don't return sensitive data to non-navigation requests, whose + response content is accessible to same-origin documents.
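Review bot: the paragraph tells developers that non-navigation requests must not return sensitive data but does not say how a server tells them apart; since the list above already points to Fetch Metadata filtering, name the Sec-Fetch-Mode and Sec-Fetch-Dest request headers as the way to distinguish a navigation from a same-origin fetch. The value is still spelled "nooopener-allow-popups" here.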

    From 240b599a38486b23f9f91fc0399c937e8ec9f515 Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Fri, 13 Sep 2024 21:34:10 +0200 Subject: [PATCH 8/9] Review nits --- source | 40 ++++++++++++++++++++-------------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/source b/source index bb739d2b6dd..5f47d1b894a 100644 --- a/source +++ b/source @@ -86794,35 +86794,35 @@ dictionary DragEventInit : MouseEventInit {
    "nooopener-allow-popups"
    -

    This forces the creation of a new top-level browsing context for the - document, regardless of its predecessor.

    +

    This forces the creation of a new top-level browsing context for the document, + regardless of its predecessor.

    While including a nooopener-allow-popups value severs the opener - relationship between the document on which it is applied and its opener, it does not create - a robust security boundary between those same-origin documents.

    + relationship between the document on which it is applied and its opener, it does not create a + robust security boundary between those same-origin documents.

    Other risks from same-origin applications include:

      -
    • Same-origin requests fetching the document's content - could be mitigated through Fetch - Metadata filtering.
    • -
    • Same-origin framing - could be mitigated through X-Frame-Options or CSP - frame-ancestors.
    • -
    • Javascript accessible cookies - can be mitigated by ensuring all cookies are - httponly.
    • -
    • localStorage access to sensitive data.
    • -
    • Service worker installation.
    • -
    • postMessage or BroadcastChannel messaging that exposes - sensitive information.
    • -
    • Autofill which may not require user interaction for same-origin documents.
    • +
    • Same-origin requests fetching the document's content — could be mitigated through + Fetch Metadata filtering.

    • +
    • Same-origin framing - could be mitigated through X-Frame-Options or CSP + frame-ancestors.

    • +
    • JavaScript accessible cookies - can be mitigated by ensuring all cookies are httponly.

    • +
    • localStorage access to sensitive data.

    • +
    • Service worker installation.

    • +
    • postMessage or BroadcastChannel messaging that + exposes sensitive information.

    • +
    • Autofill which may not require user interaction for same-origin documents.

    Developers using nooopener-allow-popups need to make sure that their sensitive applications don't rely on client-side features - accessible to other same-origin documents, e.g. localStorage and other client-side storage APIs, - BroadcastChannel and related same-origin communication mechanisms. They also need to make sure - that their server-side endpoints don't return sensitive data to non-navigation requests, whose - response content is accessible to same-origin documents.

    + accessible to other same-origin documents, e.g., localStorage and other client-side storage + APIs, BroadcastChannel and related same-origin communication mechanisms. They also need to make + sure that their server-side endpoints don't return sensitive data to non-navigation requests, + whose response content is accessible to same-origin documents.

    @@ -87022,7 +87022,7 @@ dictionary DragEventInit : MouseEventInit { data-x="coop-noopener-allow-popups">noopener-allow-popups" and responseCOOPValue is "same-origin-allow-popups" or "unsafe-none", then return false.

    + data-x="coop-unsafe-none">unsafe-none", then return false.

  • If all of the following are true:
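Review bot: the three-o spelling "nooopener-allow-popups" survives this nits pass, both in the definition term (the context line at the top of the first hunk) and in the rewrapped "Developers using nooopener-allow-popups" paragraph, while the parse step and the algorithms use "noopener-allow-popups"; as written, the value the text documents would not parse. The first list item now uses an em dash where the others keep a hyphen; use one style throughout. Narrowing the second hunk's step to "unsafe-none" looks right.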

    From d4f85522a746f6c98a3b65134974e0979438abf5 Mon Sep 17 00:00:00 2001 From: Yoav Weiss Date: Tue, 17 Sep 2024 11:12:43 +0200 Subject: [PATCH 9/9] Cache API note --- source | 1 + 1 file changed, 1 insertion(+) diff --git a/source b/source index 5f47d1b894a..c874621f78e 100644 --- a/source +++ b/source @@ -86813,6 +86813,7 @@ dictionary DragEventInit : MouseEventInit { data-x="">httponly.

  • localStorage access to sensitive data.

  • Service worker installation.

  • +
  • Cache API manipulation or access to sensitive data.

  • postMessage or BroadcastChannel messaging that exposes sensitive information.

  • Autofill which may not require user interaction for same-origin documents.
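Review bot: the new Cache API item sits between "Service worker installation" and the messaging item, while the other storage item (localStorage) is earlier in the list; group the two storage items together so the list reads as storage, workers, messaging, autofill. The same three-o spelling issue noted on the earlier patches still applies to the surrounding text.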