During Edge's extended origin trial of this API, we received feedback from a site owner that the requirements for COOP and COEP make the feature useless to that site. This is the case for any website which includes third-party content and can't force that third-party content into compliance with COOP and COEP. We know that requiring "cross-origin isolated" is sufficient for preventing additional information leakage from timing attacks, but is it necessary? What other strategies would work? A few ideas:
As mentioned in the discussion on #1, "FB is amongst a very small set of sites on the web that is effectively exclusively powered by 1P content, which makes exposing traces simple to reason about." I'm concerned that the requirement for COOP and COEP over-fits this feature to Facebook's use-case rather than providing a general-purpose tool for the rest of the web.
If ideas like these were already discussed and discarded prior to adding the cross-origin isolation requirement, could you please point me toward meeting notes or other documentation supporting that decision? I didn't find anything in GitHub issues, but I know that discussion takes place across various sites and in-person meetings, so I may not have looked in the right place.
Thanks!
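To make the trade-off in the comment above concrete, here is an added example (not code from the issue thread or from any browser) that models, in simplified form, the two checks involved: whether a document's response headers grant cross-origin isolation (what browsers expose as `self.crossOriginIsolated`), and whether a third-party subresource that sends no `Cross-Origin-Resource-Policy` header can still load under the embedder's COEP. The header names and values are the real ones; the helper functions (`evaluateIsolation`, `subresourceAllowed`, `thirdPartyScenario`) and the sample headers are constructed for this illustration and omit details such as redirects, `crossorigin` attribute handling and reporting.

```javascript
// Added example: a simplified model of the cross-origin isolation gate.
// Helper names are hypothetical; header names/values follow the COOP, COEP
// and CORP specifications.

// Normalise a headers object into lowercase keys and lowercase values,
// dropping structured-header parameters such as `; report-to="..."`.
function normalizeHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    out[k.toLowerCase()] = String(v).split(";")[0].trim().toLowerCase();
  }
  return out;
}

// A top-level document is cross-origin isolated only with
// COOP: same-origin and COEP: require-corp (or credentialless).
function evaluateIsolation(headers) {
  const h = normalizeHeaders(headers);
  const coop = h["cross-origin-opener-policy"] || "unsafe-none";
  const coep = h["cross-origin-embedder-policy"] || "unsafe-none";
  const reasons = [];
  if (coop !== "same-origin") {
    reasons.push(`COOP is "${coop}", needs "same-origin"`);
  }
  if (coep !== "require-corp" && coep !== "credentialless") {
    reasons.push(`COEP is "${coep}", needs "require-corp" or "credentialless"`);
  }
  return { coop, coep, isolated: reasons.length === 0, reasons };
}

// Would a no-cors subresource (script, image, iframe content) load under the
// embedder's COEP?  sameOrigin/sameSite describe the subresource's origin
// relative to the document; corsEnabled means it was fetched with CORS and
// the CORS check succeeded.
function subresourceAllowed({
  embedderCoep,
  sameOrigin = false,
  sameSite = false,
  corsEnabled = false,
  subresourceHeaders = {},
}) {
  const coep = embedderCoep.toLowerCase();
  const corp = normalizeHeaders(subresourceHeaders)["cross-origin-resource-policy"] || null;
  // CORP is enforced regardless of COEP: an explicit same-origin/same-site
  // value blocks outsiders.
  if (!sameOrigin && corp === "same-origin") return false;
  if (!sameOrigin && !sameSite && corp === "same-site") return false;
  if (sameOrigin || corsEnabled || coep === "unsafe-none") return true;
  // credentialless: no-cors requests are sent without credentials and the
  // response is accepted even without CORP.
  if (coep === "credentialless") return true;
  // require-corp: a cross-origin no-cors response must opt in via CORP.
  return corp === "cross-origin" || corp === "same-site";
}

// Constructed scenario matching the comment above: a page that opts into
// COOP/COEP but embeds a third-party script whose server sends no CORP header.
function thirdPartyScenario() {
  const pageHeaders = {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
  };
  const isolation = evaluateIsolation(pageHeaders);
  const thirdPartyLoads = subresourceAllowed({
    embedderCoep: isolation.coep,
    subresourceHeaders: { "Content-Type": "text/javascript" }, // no CORP header
  });
  // The page gains isolation (and thus the API) but loses the third-party script.
  return { isolated: isolation.isolated, thirdPartyLoads };
}
```

Running `thirdPartyScenario()` returns `isolated: true` and `thirdPartyLoads: false`, which is the dilemma the site owner reported: either the third party adds `Cross-Origin-Resource-Policy: cross-origin` (or is fetched with CORS), or the page switches to `credentialless` and accepts that those requests go out without cookies, or the page gives up isolation and with it the feature.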