Early Design Review: Opener Protections

[arichiv]

こんにちは TAG-さん!

I'm requesting a TAG review of Opener Protections.

Our goal is to maintain cross-page communication where important to web function while striking a better balance with user-privacy.

This will be done in two steps. First, whenever a frame navigates cross-origin any other windows with a window.opener handle pointing to the navigating frame will have that handle cleared. Second, either (a) any frames with a valid window.opener (or window.top.opener) handle at the time of navigation will have transient storage via a StorageKey nonce instead of access to standard first- and third-party StorageKeys or (b) the opener will be severed by default until user interaction or an API call restores it.

The first proposal should be less disruptive than either of the second, but metrics will need to be gathered on both. Once implemented, these proposals together prevent any synchronous or asynchronous communication between a first- and third-party storage bucket for the same origin. Instead, communication between two buckets for the same origin will only be possible if one of the buckets is transient. This mitigates the threats we are concerned with.

• Explainer¹ (minimally containing user needs and example code): https://arichiv.github.io/opener-storage-partitioning/
• Security and Privacy self-review²: See below
• GitHub repo (if you prefer feedback filed there): https://github.com/arichiv/opener-storage-partitioning/issues
• Primary contacts (and their relationship to the specification):
  • Ari Chivukula, Google Chrome
  • Johann Hofmann, Google Chrome
• Organization/project driving the design: Google Chrome
• Key pieces of existing multi-stakeholder review or discussion of this specification:
  • WebKit Position: Opener Protections WebKit/standards-positions#277
  • Mozilla Position: Opener Protections mozilla/standards-positions#926
• External status/issue trackers for this feature (publicly visible, e.g. Chrome Status): https://crbug.com/1159586

Further details:

• I have reviewed the TAG's Web Platform Design Principles
• The group where the incubation/design work on this is being done (or is intended to be done in the future): Privacy CG
• The group where standardization of this work is intended to be done ("unknown" if not known): Privacy CG
• This work is being funded by: Google Chrome

We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a comment in this issue and @-notify @arichiv, @johannhof

---

1. What information might this feature expose to Web sites or other parties, and for what purposes is that exposure necessary?
   • This feature might expose whether or not user interaction has occurred to enable opener access between windows.
2. Do features in your specification expose the minimum amount of information necessary to enable their intended uses?
   • Yes, we should be reducing the amount of communication between windows possible overall.
3. How do the features in your specification deal with personal information, personally-identifiable information (PII), or information derived from them?
   • This feature does not differentiate between the type of information communicated.
4. How do the features in your specification deal with sensitive information?
   • This feature does not differentiate between the type of information communicated.
5. Do the features in your specification introduce new state for an origin that persists across browsing sessions?
   • No.
6. Do the features in your specification expose information about the underlying platform to origins?
   • No.
7. Does this specification allow an origin to send data to the underlying platform?
   • No.
8. Do features in this specification enable access to device sensors?
   • No.
9. Do features in this specification enable new script execution/loading mechanisms?
   • No.
10. Do features in this specification allow an origin to access other devices?
    • No.
11. Do features in this specification allow an origin some measure of control over a user agent’s native UI?
    • No.
12. What temporary identifiers do the features in this specification create or expose to the web?
    • It would be possible to detect if permission to communicate cross-origin to another window had been granted.
13. How does this specification distinguish between behavior in first-party and third-party contexts?
    • The heuristic for communication may differ in first and third party contexts.
14. How do the features in this specification work in the context of a browser’s Private Browsing or Incognito mode?
    • This feature does not work differently in such contexts.
15. Does this specification have both "Security Considerations" and "Privacy Considerations" sections?
    • Yes
16. Do features in your specification enable origins to downgrade default security protections?
    • This feature does not downgrade default protections.
17. How does your feature handle non-"fully active" documents?
    • This feature cannot be used until the document is active.
18. What should this questionnaire have asked?
    • N/A

[hadleybeeman]

Hi @arichiv @johannhof. We are looking at this to triage it in today's W3C TAG meeting.

We appreciate the careful diagrams in the explainer, since they help us understand WHAT you're focusing on, but can you help us with the WHY? Specifically, when would a user encounter this, and how would it change their experience on the web? Something that starts like "a user is visiting xyz type of site and trying to do abc type of action and this can put them at risk to pdq type of attack..."

[arichiv]

A user is visiting a shopping site and trying to check-out. Before cookie/storage partitioning, trackers could detect a conversion in an iframe but now that's not possible. Now, they have an incentive to open a pop-up (with access to unpartitioned storage and cookies) and have the shopping site pass that pop-up (loading some tracking website) information about the conversion without needing user permission. @johannhof if I missed something

[hadleybeeman]

Thanks, @arichiv. That's helpful indeed — we'd be grateful if you would add that to the explainer.

[torgo]

@arichiv It would be really helpful to have a bit more information in the examples - that you've laid out - so we can understand what risk is being introduced / mitigated against at each step? I think this info is evident to you, but not evident to the reader. Could you build on the example that you provided in the comment above and extend that a bit?

[arichiv]

Can do! I'll try to have these edits in next week.

[torgo]

Hi @arichiv thanks for updating those examples - that's much appreciated. You noted in your explainer that there are 2 proposals. Do you have any further info at this point about which proposal will work better? Have you done any testing or do you have any data you can share?

[arichiv]

Unfortunately not yet, I hope to have that in Q2 this year.

[torgo]

Hi @arichiv thanks for the response. We're trying to figure out how we can best be helpful here. Would it make sense to put this review on hold until you have further information about which approach you're planning to take? Is there further guidance that you'd like from the TAG at this point?

[arichiv]

Putting it on hold for now is reasonable, I think a revised approach might be forthcoming soon.

[torgo]

Hi @arichiv just pinging this. Should we keep this issue open or are you likely to file a new review request for whatever the revised approach is? Thanks!

[arichiv]

This can be closed out, a somewhat related initial step is at: #956