Opener Protections

[arichiv]

Request for Mozilla Position on an Emerging Web Specification

• Specification title: Opener Storage Partitioning
• Specification or proposal URL (if available): https://arichiv.github.io/opener-storage-partitioning/
• Proposal author(s) (@-mention GitHub accounts): @arichiv @johannhof
• Bug Tracker URL (optional): https://crbug.com/1159586
• WebKit Position: Opener Protections WebKit/standards-positions#277
• Tag Position: Early Design Review: Opener Protections w3ctag/design-reviews#916

Other information

Our goal is to maintain cross-page communication where important to web function while striking a better balance with user-privacy.

This will be done in two steps. First, whenever a frame navigates cross-origin any other windows with a window.opener handle pointing to the navigating frame will have that handle cleared. Second, either (a) any frames with a valid window.opener (or window.top.opener) handle at the time of navigation will have transient storage via a StorageKey nonce instead of access to standard first- and third-party StorageKeys or (b) the opener will be severed by default until user interaction or an API call restores it.

The first proposal should be less disruptive than either of the second, but metrics will need to be gathered on both. Once implemented, these proposals together prevent any synchronous or asynchronous communication between a first- and third-party storage bucket for the same origin. Instead, communication between two buckets for the same origin will only be possible if one of the buckets is transient. This mitigates the threats we are concerned with.