From 99a9f5c4b80e71d92e6b4825e8b312a71befa34e Mon Sep 17 00:00:00 2001
From: Yoav Weiss
Cross-Origin-Embedder-Policy
` header whose value is compatible with
cross-origin isolation together.
omit
"This forces the creation of a new top-level browsing context for the + document, regardless of its predecessor.
If A is "unsafe-none
" or B
is "unsafe-none
", then return false.
If A is "omit
" or B
+ is "omit
", then return false.
If A is B and originA is same origin with originB, then return true.
Let currentDocument be currentNavigable's active document.
If currentDocument's cross-origin opener
- policy's value is "same-origin
" or "same-origin-plus-COEP
", and
+
Let coop value be the currentDocument's cross-origin opener policy's value.
If coop value is "omit
" or if
currentDocument's origin is not
same origin with currentDocument's relevant settings
- object's top-level origin, then:
same-origin
" or "same-origin-plus-COEP
", then:
Set noopener to true.
omit
"nooopener-allow-popups
"This forces the creation of a new top-level browsing context for the document, regardless of its predecessor.
To match opener policy values, given an opener policy - value A, an origin originA, an opener policy - value B, and an origin originB:
+ value document COOP, an origin document origin, an + opener policy value response COOP, and an origin + response origin:If A is "unsafe-none
" and B
- is "unsafe-none
", then return true.
If document COOP is "unsafe-none
" and
+ response COOP is "unsafe-none
", then return
+ true.
If A is "unsafe-none
" or B
- is "unsafe-none
", then return false.
If document COOP is "unsafe-none
" or
+ response COOP is "unsafe-none
", then return
+ false.
If A is "omit
" or B
- is "omit
", then return false.
If response COOP is "noopener-allow-popups
", then return false.
If A is B and originA is same origin with - originB, then return true.
If document COOP is response COOP and document origin is + same origin with response origin, then return true.
Return false.
Let currentDocument be currentNavigable's active document.
Let coop value be the currentDocument's cross-origin opener policy's value.
If coop value is "omit
" or if
+
If currentDocument's cross-origin opener
+ policy's value is "same-origin
" or "same-origin-plus-COEP
", and
currentDocument's origin is not
same origin with currentDocument's relevant settings
- object's top-level origin, and coop value is
- "same-origin
" or "same-origin-plus-COEP
", then:
Set noopener to true.
same-origin-allow-popups
".If parsedItem[0] is "noopener-allow-popups
", then set
+ policy's value to "noopener-allow-popups
".
If parsedItem[1][" If the result of matching
activeDocumentCOOPValue, activeDocumentNavigationOrigin,
- responseCOOPValue, and responseOrigin is true, return false.report-to
"] exists and it is a string, then set policy's reporting endpoint to
From 443828bf0a57f2c31ba0008a77ea5d28ae2b55ea Mon Sep 17 00:00:00 2001
From: Yoav Weiss
If activeDocumentCOOPValue is "noopener-allow-popups
" and
+ responseCOOPValue is "same-origin-allow-popups
" or "unsafe-none
", then return false.
If all of the following are true:
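Review bot: the new early return ("If activeDocumentCOOPValue is "noopener-allow-popups" and responseCOOPValue is "same-origin-allow-popups" or "unsafe-none", then return false.") needs a sentence saying why exactly those two response values are exempt from the browsing context group switch, and the "and ... or" phrasing should read "is either "same-origin-allow-popups" or "unsafe-none"" so the precedence is unambiguous.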
From 601aed2b352186ce061e350a588aa2f747c921d4 Mon Sep 17 00:00:00 2001
From: Yoav Weiss
nooopener-allow-popups
"This forces the creation of a new top-level browsing context for the - document, regardless of its predecessor.
This forces the creation of a new top-level browsing context for the + document, regardless of its predecessor.
+ +While including a nooopener-allow-popups
value severs the opener
+ relationship between the document on which it is applied and its opener, it does not create
+ a robust security boundary between those same-origin documents.
Other risks from same-origin applications include:
+X-Frame-Options
or CSP
+ frame-ancestors
.httponly
.postMessage
or BroadcastChannel
messaging that exposes
+ sensitive information.This forces the creation of a new top-level browsing context for the document, regardless of its predecessor.
-While including a nooopener-allow-popups
value severs the opener
relationship between the document on which it is applied and its opener, it does not create
sensitive information.
Developers using nooopener-allow-popups
+ need to make sure that their sensitive applications don't rely on client-side features
+ accessible to other same-origin documents, e.g. localStorage and other client-side storage APIs,
+ BroadcastChannel and related same-origin communication mechanisms. They also need to make sure
+ that their server-side endpoints don't return sensitive data to non-navigation requests, whose
+ response content is accessible to same-origin documents.
nooopener-allow-popups
"This forces the creation of a new top-level browsing context for the - document, regardless of its predecessor.
+This forces the creation of a new top-level browsing context for the document, + regardless of its predecessor.
While including a nooopener-allow-popups
value severs the opener
- relationship between the document on which it is applied and its opener, it does not create
- a robust security boundary between those same-origin documents.
Other risks from same-origin applications include:
X-Frame-Options
or CSP
- frame-ancestors
.httponly
.postMessage
or BroadcastChannel
messaging that exposes
- sensitive information.Same-origin requests fetching the document's content — could be mitigated through + Fetch Metadata filtering.
Same-origin framing - could be mitigated through X-Frame-Options
or CSP
+ frame-ancestors
.
JavaScript accessible cookies - can be mitigated by ensuring all cookies are httponly
.
localStorage access to sensitive data.
Service worker installation.
postMessage
or BroadcastChannel
messaging that
+ exposes sensitive information.
Autofill which may not require user interaction for same-origin documents.
Developers using nooopener-allow-popups
need to make sure that their sensitive applications don't rely on client-side features
- accessible to other same-origin documents, e.g. localStorage and other client-side storage APIs,
- BroadcastChannel and related same-origin communication mechanisms. They also need to make sure
- that their server-side endpoints don't return sensitive data to non-navigation requests, whose
- response content is accessible to same-origin documents.
same-origin-allow-popups
" or "unsafe-none
", then return false. If all of the following are true:
From d4f85522a746f6c98a3b65134974e0979438abf5 Mon Sep 17 00:00:00 2001
From: Yoav Weiss
localStorage access to sensitive data.
Service worker installation.
Cache API manipulation or access to sensitive data.
postMessage
or BroadcastChannel
messaging that
exposes sensitive information.
Autofill which may not require user interaction for same-origin documents.
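Review bot: the added item "Cache API manipulation or access to sensitive data." names no mitigation, unlike the first three items in the list (Fetch Metadata filtering, X-Frame-Options or CSP frame-ancestors, httponly cookies); since the same is true of the localStorage, service worker, postMessage/BroadcastChannel and autofill items, either add a short mitigation to each or state that the "Developers using ..." paragraph is the guidance that covers all of them.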