cross-origin isolation

1. Use origin instead of site as agent cluster key for cross-origin isolated agent clusters. document.domain mutation is no-op for agents in cross-origin isolated agent clusters. 2. Introduce cross-origin isolated permission (https://w3c.github.io/webappsec-feature-policy/). 3. Introduce self.crossOriginIsolated returning whether the surrounding agent cluster is cross-origin isolated and the environment has the cross-origin isolated permission.

1. allows origin isolation (instead of site isolation) for cross-origin isolated agent clusters. This is an incremental step of a long-term security improvement (see https://docs.google.com/document/d/1dnUjxfGWnvhQEIyCZb0F2LmCZ9gio6ogu2rhMGqi6gY/edit#heading=h.thm6zozaav55). 2. allows web developers to control whether child frames can use powerful APIs such as SharedArrayBuffer and the memory measurement API. 3. allows web developers to see if they can use the powerful APIs.

Documentation

Specification

Editor's draft

Status in Chromium

Blink>SecurityFeature


In development (tracking bug)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • Public support
  • No public signals
  • No public signals
  • No signals

Owner

Last updated on 2020-06-16