├── .gitignore
├── w3c.json
├── README.md
├── LICENSE.md
├── CODE_OF_CONDUCT.md
├── .github
    └── workflows
    │   └── build-validate-publish.yml
├── CONTRIBUTING.md
├── index.bs
└── fpwd.html


/.gitignore:
--------------------------------------------------------------------------------
1 | index.html
2 | 


--------------------------------------------------------------------------------
/w3c.json:
--------------------------------------------------------------------------------
1 |  {
2 |     "group":      [49309]
3 | ,   "contacts":   ["wseltzer","weiler"]
4 | ,   "repo-type":  "note"
5 | }
6 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Post-Spectre Web Development
2 | 
3 | Sketching a threat model and concrete examples of mitigation.
4 | 
5 | <https://w3c.github.io/webappsec-post-spectre-webdev/>
6 | 


--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | All documents in this Repository are licensed by contributors
2 | under the 
3 | [W3C Software and Document License](https://www.w3.org/Consortium/Legal/copyright-software).
4 | 
5 | 


--------------------------------------------------------------------------------
/CODE_OF_CONDUCT.md:
--------------------------------------------------------------------------------
1 | # Code of Conduct
2 | 
3 | All documentation, code and communication under this repository are covered by the [W3C Code of Ethics and Professional Conduct](https://www.w3.org/Consortium/cepc/).
4 | 


--------------------------------------------------------------------------------
/.github/workflows/build-validate-publish.yml:
--------------------------------------------------------------------------------
 1 | name: CI
 2 | on:
 3 |   pull_request: {}
 4 |   push:
 5 |     branches: [main]
 6 | 
 7 | jobs:
 8 |   main:
 9 |     name: Build, Validate, and Publish
10 |     runs-on: ubuntu-20.04
11 |     steps:
12 |       - uses: actions/checkout@v2
13 |       - uses: w3c/spec-prod@v2
14 |         with:
15 |           GH_PAGES_BRANCH: gh-pages
16 |           BUILD_FAIL_ON: nothing
17 |           VALIDATE_LINKS: false
18 |           VALIDATE_MARKUP: true
19 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # Web Application Security Working Group
 2 | 
 3 | Contributions to this repository are intended to become part of Recommendation-track documents governed by the
 4 | [W3C Patent Policy](https://www.w3.org/Consortium/Patent-Policy-20040205/) and
 5 | [Software and Document License](https://www.w3.org/Consortium/Legal/copyright-software). To make substantive contributions to specifications, you must either participate
 6 | in the relevant W3C Working Group or make a non-member patent licensing commitment.
 7 | 
 8 | If you are not the sole contributor to a contribution (pull request), please identify all 
 9 | contributors in the pull request comment.
10 | 
11 | To add a contributor (other than yourself, that's automatic), mark them one per line as follows:
12 | 
13 | ```
14 | +@github_username
15 | ```
16 | 
17 | If you added a contributor by mistake, you can remove them in a comment with:
18 | 
19 | ```
20 | -@github_username
21 | ```
22 | 
23 | If you are making a pull request on behalf of someone else but you had no part in designing the 
24 | feature, you can remove yourself with the above syntax.
25 | 


--------------------------------------------------------------------------------
/index.bs:
--------------------------------------------------------------------------------
  1 | <pre class='metadata'>
  2 | Title: Post-Spectre Web Development
  3 | Shortname: post-spectre-webdev
  4 | Level: none
  5 | Status: ED
  6 | Group: WebAppSec
  7 | ED: https://w3c.github.io/webappsec-post-spectre-webdev/
  8 | TR: https://www.w3.org/TR/post-spectre-webdev/
  9 | Previous Version: from biblio
 10 | Editor: Mike West, Google, mkwst@google.com, w3cid 56384
 11 | Abstract:
 12 |     Post-Spectre, we need to adopt some new strategies for safe and secure web development. This
 13 |     document outlines a threat model we can share, and a set of mitigation recommendations.
 14 |     
 15 |     **TL;DR**: Your data must not unexpectedly enter an attacker's process.
 16 | Boilerplate: omit conformance
 17 | Markup Shorthands: css off, markdown on
 18 | </pre>
 19 | <pre class="anchors">
 20 | urlPrefix: https://html.spec.whatwg.org/; spec: HTML;
 21 |     type: dfn
 22 |         text: origin; url: multipage/origin.html#concept-origin
 23 |         text: cross-origin opener policy; url: multipage/origin.html#cross-origin-opener-policies
 24 |         text: cross-origin embedder policy; url: multipage/origin.html#coep
 25 |     type: http-header
 26 |         text: cross-origin-opener-policy; url: multipage/origin.html#cross-origin-opener-policies
 27 |         text: x-frame-options; url: multipage/browsing-the-web.html#the-x-frame-options-header
 28 | urlPrefix: https://fetch.spec.whatwg.org/; spec: FETCH; type: dfn
 29 |     text: cross-origin resource policy; url: #http-cross-origin-resource-policy
 30 |     text: cross-origin read blocking; url: #corb
 31 | urlPrefix: https://tc39.es/ecma262/; spec: ECMA262; type: interface
 32 |     text: SharedArrayBuffer; url: #sec-sharedarraybuffer-objects
 33 | urlPrefix: https://tools.ietf.org/html/rfc7231; spec: RFC7231; type: http-header
 34 |     text: Vary; url: #section-7.1.4
 35 | urlPrefix: https://fetch.spec.whatwg.org/; spec: FETCH; type: http-header
 36 |     text: Origin; url: #origin-header
 37 | </pre>
 38 | <pre class="biblio">
 39 | {
 40 |     "spectre": {
 41 |       "href": "https://ieeexplore.ieee.org/document/8835233",
 42 |       "title": "Spectre Attacks: Exploiting Speculative Execution",
 43 |       "publisher": "40th IEEE Symposium on Security and Privacy (S&P'19)",
 44 |       "date": "May 2019",
 45 |       "authors": [
 46 |         "Paul Kocher",
 47 |         "Jann Horn",
 48 |         "Anders Fogh",
 49 |         "Daniel Genkin",
 50 |         "Daniel Gruss",
 51 |         "Werner Haas",
 52 |         "Mike Hamburg",
 53 |         "Moritz Lipp",
 54 |         "Stefan Mangard",
 55 |         "Thomas Prescher",
 56 |         "Michael Schwarz",
 57 |         "Yuval Yarom"
 58 |       ]
 59 |     },
 60 |     "post-spectre-rethink": {
 61 |       "href": "https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md",
 62 |       "title": "Post-Spectre Threat Model Re-Think",
 63 |       "authors": [ "Chromium" ]
 64 |     },
 65 |     "site-isolation": {
 66 |       "href": "https://www.chromium.org/Home/chromium-security/site-isolation",
 67 |       "title": "Site Isolation",
 68 |       "authors": [ "Chromium" ]
 69 |     },
 70 |     "project-fission": {
 71 |       "href": "https://wiki.mozilla.org/Project_Fission",
 72 |       "title": "Project Fission",
 73 |       "authors": [ "Mozilla" ]
 74 |     },
 75 |     "resource-isolation-policy": {
 76 |       "href": "https://xsleaks.dev/docs/defenses/isolation-policies/resource-isolation/",
 77 |       "title": "Resource Isolation Policy",
 78 |       "authors": [ "XSLeaks Wiki" ]
 79 |     },
 80 |     "cross-origin-isolation-guide": {
 81 |       "href": "https://web.dev/cross-origin-isolation-guide/",
 82 |       "title": "A guide to enable cross-origin isolation",
 83 |       "authors": [ "Eiji Kitamura" ]
 84 |     },
 85 |     "coop-coep": {
 86 |       "href": "https://web.dev/coop-coep/",
 87 |       "title": "Making your website 'cross-origin isolated' using COOP and COEP",
 88 |       "authors": [ "Eiji Kitamura" ]
 89 |     },
 90 |     "coop-coep-explained": {
 91 |       "href": "https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit",
 92 |       "title": "COOP and COEP Explained",
 93 |       "authors": [ "Artur Janc", "Charlie Reis", "Anne van Kesteren" ],
 94 |       "date": "2020-01-03"
 95 |     },
 96 |     "application-principals": {
 97 |       "href": "https://noncombatant.org/application-principals/",
 98 |       "title": "Isolating Application-Defined Principals",
 99 |       "authors": [ "Chris Palmer" ],
100 |       "date": "2018-06-19"
101 |     },
102 |     "long-term-mitigations": {
103 |       "href": "https://docs.google.com/document/d/1dnUjxfGWnvhQEIyCZb0F2LmCZ9gio6ogu2rhMGqi6gY/edit",
104 |       "title": "Long-Term Web Browser Mitigations for Spectre",
105 |       "authors": [ "Charlie Reis" ],
106 |       "date": "2019-03-04"
107 |     },
108 |     "spectre-shaped-web": {
109 |       "href": "https://docs.google.com/presentation/d/1sadl7jTrBIECCanuqSrNndnDr82NGW1yyuXFT1Dc7SQ/edit#slide=id.p",
110 |       "title": "A Spectre-shaped Web",
111 |       "authors": [ "Anne van Kesteren" ],
112 |       "date": "2019-04-16"
113 |     },
114 |     "spilling-the-beans": {
115 |       "href": "https://www.arturjanc.com/cross-origin-infoleaks.pdf",
116 |       "title": "How do we Stop Spilling The Beans Across Origins?",
117 |       "authors": [ "Artur Janc", "Mike West" ],
118 |       "date": "2018-05-16"
119 |     },
120 |     "cross-origin-embedder-policy": {
121 |       "href": "https://wicg.github.io/cross-origin-embedder-policy/",
122 |       "title": "Cross-Origin Embedder Policy",
123 |       "authors": [ "Mike West" ],
124 |       "date": "2020-09-29"
125 |     },
126 |     "cross-origin-opener-policy-explainer": {
127 |       "href": "https://docs.google.com/document/d/1Ey3MXcLzwR1T7aarkpBXEwP7jKdd2NvQdgYvF8_8scI/edit",
128 |       "title": "Cross-Origin-Opener-Policy Explainer",
129 |       "authors": [ "Charlie Reis", "Camille Lamy" ],
130 |       "date": "2020-05-24"
131 |     },
132 |     "safely-reviving-shared-memory": {
133 |       "href": "https://hacks.mozilla.org/2020/07/safely-reviving-shared-memory/",
134 |       "title": "Safely reviving shared memory",
135 |       "authors": [ "Anne van Kesteren" ],
136 |       "date": "2020-07-21"
137 |     },
138 |     "coi-threat-model": {
139 |       "href": "https://arturjanc.com/coi-threat-model.pdf",
140 |       "title": "Notes on the threat model of cross-origin isolation",
141 |       "authors": [ "Artur Janc" ],
142 |       "date": "2020-12"
143 |     },
144 |     "orb": {
145 |       "href": "https://github.com/annevk/orb",
146 |       "title": "Opaque Response Blocking (ORB, aka CORB++)",
147 |       "authors": [ "Anne van Kesteren" ]
148 |     },
149 |     "oopif": {
150 |       "href": "https://www.chromium.org/developers/design-documents/oop-iframes",
151 |       "title": "Out-of-Process iframes (OOPIFs)",
152 |       "authors": [ "Chromium" ]
153 |     },
154 |     "embedding-requires-opt-in": {
155 |       "href": "https://github.com/mikewest/embedding-requires-opt-in",
156 |       "title": "Embedding Should Require Explicit Opt-In",
157 |       "authors": [ "Mike West" ]
158 |     },
159 |     "coop-by-default": {
160 |       "href": "https://github.com/mikewest/coop-by-default",
161 |       "title": "COOP By Default",
162 |       "authors": [ "Mike West" ]
163 |     }
164 | }
165 | </pre>
166 | 
167 | Introduction {#intro}
168 | =====================
169 | 
170 | In early 2018, Spectre made it clear that a foundational security boundary the web aimed to
171 | maintain was substantially less robust than expected. [[SPECTRE]] This revelation has pushed web
172 | browsers to shift their focus from the platform-level [=origin=] boundary to an OS-level
173 | process boundary. Chromium's threat model, for instance, now asserts that "active web content …
174 | will be able to read any and all data in the address space of the process that hosts it".
175 | [[POST-SPECTRE-RETHINK]] This shift in thinking imposes a shift in development practice, both
176 | for browser vendors, and for web developers. Browsers need to align the origin boundary with the
177 | process boundary through fundamental refactoring projects (for example, [[SITE-ISOLATION]] and
178 | [[PROJECT-FISSION]]). Moreover, browsers must provide web developers with tools to mitigate risk
179 | in the short term, and should push the platform towards safe default behaviors in the long term.
180 | The bad news is that this is going to be a lot of work, much of it falling on the shoulders of
181 | web developers. The good news is that a reasonable set of mitigation primitives exists today,
182 | ready and waiting for use.
183 | 
184 | This document will summarize the threat model which the Web Application Security Working Group
185 | espouses, point to a set of mitigations which seem promising, and provide concrete recommendations
186 | for developers responsible for protecting users' data.
187 | 
188 | Threat Model {#threat-model}
189 | ----------------------------
190 | 
191 | Spectre-like side-channel attacks inexorably lead to a model in which active web content
192 | (JavaScript, WASM, probably CSS if we tried hard enough, and so on) can read any and all data which
193 | has entered the address space of the process which hosts it. While this has deep implications for
194 | user agent implementations' internal hardening strategies (stack canaries, ASLR, etc), here we'll
195 | remain focused on the core implication at the web platform level, which is both simple and profound:
196 | any data which flows into a process hosting a given origin is legible to that origin. We must design
197 | accordingly.
198 | 
199 | In order to determine the scope of data that can be assumed accessible to an attacker, we must make
200 | a few assumptions about the normally-not-web-exposed process model which the user agent implements.
201 | The following seems like a good place to start:
202 | 
203 | 1.  User agents are capable of separating the execution of a web origin's code into a process
204 |     distinct from the agent's core. This separation enables the agent itself to access local
205 |     devices, fetch resources, broker cross-process communication, and so on, in a way which remains
206 |     invisible to any process potentially hosting untrusted code.
207 | 
208 | 2.  User agents are able to make decisions about whether or not a given resource should be delivered
209 |     to a process hosting a given origin based on characteristics of both the request and the
210 |     response (headers, etc).
211 | 
212 | 3.  User agents can consistently separate top-level, cross-origin windows into distinct processes.
213 |     They cannot consistently separate same-site or same-origin windows into distinct processes given
214 |     the potential for synchronous access between the windows.
215 | 
216 | 4.  User agents cannot yet consistently separate framed origins into processes distinct from their
217 |     embedders' origin.
218 |     
219 |     Note: Though some user agents support out-of-process frames [[OOPIF]], no agent supports it
220 |     consistently across a broad range of devices and platforms. Ideally this will change over time,
221 |     as the frame boundary *must* be one we can eventually consider robust.
222 | 
223 | With this in mind, our general assumption will be that an origin gains access to any resource which
224 | it renders (including images, stylesheets, scripts, frames, etc). Likewise, embedded frames gain
225 | access to their ancestors' content.
226 | 
227 | ISSUE: [[COI-THREAT-MODEL]] spells out more implications. Bring them in here for more nuance.
228 | 
229 | TL;DR {#tldr}
230 | -------------
231 | 
232 | 1.  **Decide when (not!) to respond to requests** by examining incoming headers, paying special
233 |     attention to the <a http-header>`Origin`</a> header on the one hand, and various `Sec-Fetch-`
234 |     prefixed headers on the other, as described in [[resource-isolation-policy]].
235 | 
236 | 2.  **Restrict attackers' ability to load your data as a subresource** by setting a
237 |     [=cross-origin resource policy=] (CORP) of `same-origin` (opening up to `same-site`
238 |     or `cross-origin` only when necessary).
239 | 
240 | 3.  **Restrict attackers' ability to frame your data as a document** by opt-ing into framing
241 |     protections via `X-Frame-Options: SAMEORIGIN` or CSP's more granular [=frame-ancestors=]
242 |     directive (`frame-ancestors 'self' https://trusted.embedder`, for example).
243 | 
244 | 4.  **Restrict attackers' ability to obtain a handle to your window** by setting a
245 |     [=cross-origin opener policy=] (COOP). In the best case, you can default to a restrictive
246 |     `same-origin` value, opening up to `same-origin-allow-popups` or `unsafe-none` only if
247 |     necessary.
248 | 
249 | 5.  **Prevent MIME-type confusion attacks** and increase the robustness of passive defenses like
250 |     [=cross-origin read blocking=] (CORB) /
251 |     <a href="https://github.com/annevk/orb">opaque response blocking</a> ([[ORB]]) by setting
252 |     correct `Content-Type` headers, and globally asserting `X-Content-Type-Options: nosniff`.
253 | 
254 | ISSUE: Describe these mitigations in more depth, swiping liberally from
255 | <a href="https://docs.google.com/document/d/1JBUaX1xSOZRxBk5bRNZWgnzyJoCQC52TIRokACBSmGc/edit?resourcekey=0-cZ7da6v52enjwRSsp_tLyQ">Notes on the threat model of *cross-origin isolation*</a>,
256 | <a href="https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit">Safely reviving shared memory</a>, etc.
257 | 
258 | Practical Examples {#examples}
259 | ==============================
260 | 
261 | Subresources {#subresources}
262 | ----------------------------
263 | 
264 | Resources which are intended to be loaded into documents should protect themselves from being used
265 | in unexpected ways. Before walking through strategies for specific kinds of resources, a few headers
266 | seem generally applicable:
267 | 
268 | 1.  Sites should use Fetch Metadata to make good decisions about when to serve resources, as
269 |     described in [[resource-isolation-policy]]. In order to ensure that decision sticks, servers
270 |     should explain its decision to the browser by sending a <a http-header>`Vary`</a> header
271 |     containing `Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User`. This ensures that
272 |     the server has a chance to make different decisions for requests which will be *used*
273 |     differently.
274 | 
275 | 2.  Subresources should opt-out of MIME type sniffing by sending an
276 |     <a http-header>`X-Content-Type-Options`</a> header with a value of `nosniff`. This increases the
277 |     robustness of MIME-based checks like [=cross-origin read blocking=] (CORB) /
278 |     <a href="https://github.com/annevk/orb">opaque response blocking</a> ([[ORB]]), and mitigates
279 |     some well-known risks around type confusion for scripts.
280 | 
281 | 3.  Subresources are intended for inclusion in a given context, not as independently navigable
282 |     documents. To mitigate the risk that navigation to a subresource causes script execution or
283 |     opens an origin up to attack in some other way, servers can assert the following set of headers
284 |     which collectively make it difficult to meaningfully abuse a subresource via navigation:
285 | 
286 |     *   Using the <a http-header>`Content-Security-Policy`</a> header's to assert the
287 |         <a>`sandbox`</a> directive ensures that these resources remain inactive if navigated to
288 |         directly as a top-level document. No scripts will execute, and the resource will be pushed
289 |         into an [=opaque origin=].
290 | 
291 |         Note: Some servers deliver `Content-Disposition: attachment; filename=file.name` to obtain
292 |         a similar effect. This was valuable to mitigate vulnerabilities in Flash, but the sandbox
293 |         approach seems to more straightforwardly address the threats we care about today.
294 | 
295 |     *   Asserting the <a http-header>`Cross-Origin-Opener-Policy`</a> header with a value of
296 |         `same-origin` prevents cross-origin documents from retaining a handle to the resource's
297 |         window if it's opened in a popup.
298 | 
299 |     *   The <a http-header>`X-Frame-Options`</a> header with a value of `DENY` prevents the resource
300 |         from being framed.
301 | 
302 | Most subresources, then, should contain the following block of headers, which you'll see repeated a
303 | few times below:    
304 | 
305 | <pre highlight="http">
306 | Content-Security-Policy: sandbox
307 | Cross-Origin-Opener-Policy: same-origin
308 | Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
309 | X-Content-Type-Options: nosniff
310 | X-Frame-Options: DENY
311 | </pre>
312 | 
313 | With these generic protections in mind, let's sift through a few scenarios to determine what headers
314 | a server would be well-served to assert:
315 | 
316 | ### Static Subresources ### {#static-subresources}
317 | 
318 | By their nature, static resources contain the same data no matter who requests them, and therefore
319 | cannot contain interesting information that an attacker couldn't otherwise obtain. There's no risk
320 | to making these resources widely available, and value in allowing embedders to robustly debug, so
321 | something like the following response headers could be appropriate:
322 | 
323 | <pre highlight="http">
324 | <strong>Access-Control-Allow-Origin: *
325 | Cross-Origin-Resource-Policy: cross-origin
326 | Timing-Allow-Origin: *</strong>
327 | Content-Security-Policy: sandbox
328 | Cross-Origin-Opener-Policy: same-origin
329 | X-Content-Type-Options: nosniff
330 | X-Frame-Options: DENY
331 | </pre>
332 | 
333 | Note: Purely static resources always respond with the same data, no matter the request. There's
334 | therefore little benefit to sending a `Vary` header: it can be safely omitted for these responses.
335 | 
336 | CDNs are the canonical static resource distribution points, and many use the pattern above. Take
337 | a look at the following common resources' response headers for inspiration:
338 | 
339 | * <a href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js">`https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js`</a>
340 | * <a href="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js">`https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js`</a>
341 | * <a href="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js">`https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js`</a>
342 | * <a href="https://ssl.google-analytics.com/ga.js">`https://ssl.google-analytics.com/ga.js`</a>
343 | 
344 | Similarly, application-specific static resource servers are a good place to look for this practice. Consider:
345 | 
346 | * <a href="https://static.xx.fbcdn.net/rsrc.php/v3/y2/r/zVvRrO8pOtu.png">`https://static.xx.fbcdn.net/rsrc.php/v3/y2/r/zVvRrO8pOtu.png`</a>
347 | * <a href="https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg">`https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg`</a>
348 | 
349 | ### Dynamic Subresources ### {#dynamic-subresources}
350 | 
351 | Subresources that contain data personalized to a given user are juicy targets for attackers, and
352 | must be defended by ensuring that they're loaded only in ways that are appropriate for the data
353 | in question. A few cases are well worth considering:
354 | 
355 | 1.  Application-internal resources (private API endpoints, avatar images, uploaded data, etc.)
356 |     should not be available to any cross-origin requestor. These resources should be restricted to
357 |     usage as a subresource in same-origin contexts by sending a
358 |     <a http-header>`Cross-Origin-Resource-Policy`</a> header with a value of `same-origin`:
359 |     
360 |     <pre highlight="http">
361 | 	  <strong>Cross-Origin-Resource-Policy: same-origin</strong>
362 |     Content-Security-Policy: sandbox
363 |     Cross-Origin-Opener-Policy: same-origin
364 |     Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
365 |     X-Content-Type-Options: nosniff
366 |     X-Frame-Options: DENY
367 |     </pre>
368 | 
369 |     This header will prevent cross-origin attackers from loading the resource as a response to a
370 |     `no-cors` request.
371 | 
372 |     For example, examine the headers returned when requesting endpoints like the following:
373 |     
374 |     *   <a href="https://myaccount.google.com/_/AccountSettingsUi/browserinfo">`https://myaccount.google.com/_/AccountSettingsUi/browserinfo`</a>
375 |     *   <a href="https://twitter.com/i/api/1.1/branch/init.json">`https://twitter.com/i/api/1.1/branch/init.json`</a>
376 |     *   <a href="https://www.facebook.com/ajax/webstorage/process_keys/?state=0">`https://www.facebook.com/ajax/webstorage/process_keys/?state=0`</a>
377 | 
378 | 2.  Personalized resources intended for cross-origin use (public API endpoints, etc) should
379 |     carefully consider incoming requests' properties before responding. These endpoints can only
380 |     safely be enabled by requiring CORS, and choosing the set of origins for which a given response
381 |     can be exposed by setting the appropriate access-control headers, for example:
382 | 
383 |     <pre highlight="http">
384 |     <strong>Access-Control-Allow-Credentials: true
385 |     Access-Control-Allow-Origin: https://trusted.example
386 |     Access-Control-Allow-Methods: POST
387 |     Access-Control-Allow-Headers: ...
388 |     Access-Control-Allow-...: ...
389 |     Cross-Origin-Resource-Policy: same-origin</strong>
390 |     Content-Security-Policy: sandbox
391 |     Cross-Origin-Opener-Policy: same-origin
392 |     Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
393 |     X-Content-Type-Options: nosniff
394 |     X-Frame-Options: DENY
395 |     </pre>
396 | 
397 |     Note: The `Cross-Origin-Resource-Policy` header is only processed for requests that are _not_
398 |     using CORS for access control ("`no-cors` requests"). Sending
399 |     `Cross-Origin-Resource-Policy: same-origin` is therefore not harmful, and works to ensure that
400 |     `no-cors` usage isn't accidentally allowed.
401 |     
402 |     For example, examine the headers returned when requesting endpoints like the following:
403 |     
404 |     *   <a href="https://api.twitter.com/1.1/jot/client_event.json">`https://api.twitter.com/1.1/jot/client_event.json`</a>
405 |     *   <a href="https://play.google.com/log?format=json&hasfast=true">`https://play.google.com/log?format=json&hasfast=true`</a>
406 |     *   <a href="https://securepubads.g.doubleclick.net/pcs/view">`https://securepubads.g.doubleclick.net/pcs/view`</a>
407 |     *   <a href="https://c.amazon-adsystem.com/e/dtb/bid">`https://c.amazon-adsystem.com/e/dtb/bid`</a>
408 | 
409 | 3.  Personalized resources that are intended for cross-origin `no-cors` embedding, but which don't
410 |     intend to be directly legible in that context (avatar images, authenticated media, etc). These
411 |     should enable cross-origin embedding via `Cross-Origin-Resource-Policy`, but _not_ via CORS
412 |     access control headers:
413 | 
414 |     <pre highlight="http">
415 |     <strong>Cross-Origin-Resource-Policy: cross-origin</strong>
416 |     Content-Security-Policy: sandbox
417 |     Cross-Origin-Opener-Policy: same-origin
418 |     Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
419 |     X-Content-Type-Options: nosniff
420 |     X-Frame-Options: DENY
421 |     </pre>
422 | 
423 |     <div class="note">
424 |         Note: That this allows the resource to be used by any cross-origin document. That's
425 |         reasonable for some use cases, but requiring CORS, and opting-in a small set of origins via
426 |         appropriate access-control headers is a possible alternative for some resources. This
427 |         approach will give those contexts trivial access to the resource's bits, so the granularity
428 |         is a tradeoff. Still, considering this case to be the same as the "personalized resources
429 |         intended for cross-origin use" isn't unreasonable.
430 | 
431 |         ISSUE(whatwg/fetch#760): If we implemented more granular bindings for CORP headers (along
432 |         the lines of `Cross-Origin-Resource-Policy: https://trusted.example`), we could avoid this
433 |         tradeoff entirely.
434 |     </div>
435 | 
436 | 
437 |     For example:
438 | 
439 |     *   <a href="https://lh3.google.com/u/0/d/1JBUaX1xSOZRxBk5bRNZWgnzyJoCQC52TIRokACBSmGc=w512">`https://lh3.google.com/u/0/d/1JBUaX1xSOZRxBk5bRNZWgnzyJoCQC52TIRokACBSmGc=w512`</a>
440 | 
441 | 
442 | Documents {#documents}
443 | ----------------------
444 | 
445 | ### Fully-Isolated Documents ### {#documents-isolated}
446 | 
447 | Documents that require users to be signed-in almost certainly contain information that shouldn't be
448 | revealed to attackers. These pages should take care to isolate themselves from other origins, both
449 | by making _a priori_ decisions about whether to serve the page at all (see
450 | [[resource-isolation-policy]], for example), and by giving clients careful instructions about how
451 | the page can be used once delivered. For instance, something like the following set of response
452 | headers could be appropriate:
453 | 
454 | <pre highlight="http">
455 | Cross-Origin-Opener-Policy: same-origin
456 | Cross-Origin-Resource-Policy: same-origin
457 | Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
458 | X-Content-Type-Options: nosniff
459 | X-Frame-Options: SAMEORIGIN
460 | </pre>
461 | 
462 | Note: Documents which need to make use of APIs that require full cross-origin isolation (such
463 | as {{SharedArrayBuffer}}), will also need to serve a `Cross-Origin-Embedder-Policy` header, as
464 | outlined in [[coop-coep]] and [[cross-origin-isolation-guide]].
465 | 
466 | Account settings pages, admin panels, and application-specific documents are all good examples of
467 | resources which would benefit from as much isolation as possible. For real-life examples, consider:
468 | 
469 | *   <a href="https://myaccount.google.com/">`https://myaccount.google.com/`</a>
470 | 
471 | 
472 | ### Documents Expecting to Open Cross-Origin Windows ### {#documents-with-popups}
473 | 
474 | Not every document that requires sign-in can be fully-isolated from the rest of the internet. It's
475 | often the case that partial isolation is a better fit. Consider sites that depend upon cross-origin
476 | windows for federated workflows involving payments or sign-in, for example. These pages would
477 | generally benefit from restricting attackers' ability to embed them, or obtain their window handle,
478 | but they can't easily lock themselves off from all such vectors via
479 | `Cross-Origin-Opener-Policy: same-origin` and `X-Frame-Options: DENY`. In these cases, something
480 | like the following set of response headers might be appropriate:
481 | 
482 | <pre highlight="http">
483 | Cross-Origin-Opener-Policy: same-origin-allow-popups
484 | Cross-Origin-Resource-Policy: same-origin
485 | Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
486 | X-Content-Type-Options: nosniff
487 | X-Frame-Options: SAMEORIGIN
488 | </pre>
489 | 
490 | The only difference between this case and the "Fully-Isolated" case above is the
491 | `Cross-Origin-Opener-Policy` value. `same-origin` will break the opener relationship between the
492 | document and any cross-origin window, regardless of who opened whom.
493 | `same-origin-allow-popups` will break cross-origin opener relationships initiated by a cross-origin
494 | document's use of `window.open()`, but will allow the asserting document to open cross-origin
495 | windows that retain an opener relationship.
496 | 
497 | 
498 | ### Documents Expecting Cross-Origin Openers ### {#documents-as-popups}
499 | 
500 | Federated sign-in forms and payment providers are clear examples of documents which intend to be
501 | opened by cross-origin windows, and require that relationship to be maintained in order to
502 | facilitate communication via channels like {{Window/postMessage(message, options)}} or navigation.
503 | These documents cannot isolate themselves completely, but can prevent themselves from being embedded
504 | or fetched cross-origin. Three scenarios are worth considering:
505 | 
506 | 1.  Documents that only wish to be opened in cross-origin popups could loosen their cross-origin
507 |     opener policy by serving the following headers:
508 |     
509 |     <pre highlight="http">
510 |     Cross-Origin-Resource-Policy: same-origin
511 |     <strong>Cross-Origin-Opener-Policy: unsafe-none</strong>
512 |     Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
513 |     X-Content-Type-Options: nosniff
514 |     X-Frame-Options: SAMEORIGIN
515 |     </pre>
516 | 
517 |     For example:
518 | 
519 |     *   ISSUE: Find some links.
520 | 
521 | 2.  Documents that only wish to be framed in cross-origin contexts could loosen their framing
522 |     protections by serving the following headers:
523 | 
524 |     <pre highlight="http">
525 |     Cross-Origin-Resource-Policy: same-origin
526 |     Cross-Origin-Opener-Policy: same-origin
527 |     Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
528 |     X-Content-Type-Options: nosniff
529 |     <strong>X-Frame-Options: ALLOWALL</strong>
530 |     </pre>
531 | 
532 |     <div class="note">
533 |         Note: That this allows embedding by any cross-origin documents. That's reasonable for some
534 |         widgety use cases, but when possible, a more secure alternative would specify a list of origins
535 |         which are allowed to embed the document via the [=frame-ancestors=] CSP directive. That is, in
536 |         addition to the `X-Frame-Options` header above, the following header could also be included to
537 |         restrict the document to a short list of trusted embedders:
538 | 
539 |         <pre highlight="http">
540 |         Content-Security-Policy: frame-ancestors https://trusted1.example https://trusted2.example
541 |         </pre>
542 |     </div>
543 | 
544 |     For example:
545 | 
546 |     *   ISSUE: Find some links.
547 | 
548 | 3.  Documents that support both popup and framing scenarios need to loosen both their cross-origin
549 |     opener policies and framing protections by combining the recommendations above, serving the
550 |     following headers:
551 | 
552 |     <pre class="lang-http">
553 |     Cross-Origin-Resource-Policy: same-origin
554 |     <strong>Cross-Origin-Opener-Policy: unsafe-none</strong>
555 |     Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site, Sec-Fetch-User
556 |     X-Content-Type-Options: nosniff
557 |     <strong>X-Frame-Options: ALLOWALL</strong>
558 |     </pre>
559 | 
560 |     For example:
561 | 
562 |     *   ISSUE: Find some links.
563 | 
564 | Implementation Considerations {#considerations}
565 | ===============================================
566 | 
567 | Explicitly Setting Headers with Default Values {#explicit-defaults}
568 | -------------------------------------------------------------------
569 | 
570 | Several recommendations above suggest that developers would be well-served to set headers like
571 | `X-Frame-Options: ALLOWALL` or `Cross-Origin-Opener-Policy: unsafe-none` on responses. These
572 | map to the web's status quo behavior, and seem therefore superfluous. Why should developers
573 | set them?
574 | 
575 | The core reason is that these defaults are poor fits for today's threats, and we ought to be working
576 | to change them. Proposals like [[EMBEDDING-REQUIRES-OPT-IN]] and [[COOP-BY-DEFAULT]] suggest that
577 | we shift the web's defaults away from requiring developers to opt-into more secure behaviors by
578 | making them opt-out rather than opt-in. This would place the configuration cost on those developers
579 | whose projects require risky settings.
580 | 
581 | This document recommends setting those less-secure header values explicitly, as that makes it more
582 | likely that we'll be able to shift the web's defaults in the future.
583 | 
584 | Isolating Local-Scheme Frames {#local-scheme-frames}
585 | ----------------------------------------------------
586 | 
587 | Note that frames loaded from local schemes will generally inherit policies applied to the document
588 | which created them, and may end up in-process with that document if the stars align unfortunately.
589 | Developers are encouraged to explicitly shift these documents to opaque origins, either by using
590 | `data:` URLs directly, or by applying a <{iframe/sandbox}> attribute to frames created using
591 | `<iframe srcdoc="...">`, `blob:` URLs, and so on.
592 | 
593 | Likewise, user agents are encouraged to take <{iframe/sandbox}> attributes into account when
594 | allocating processes for framed documents, and to align the process boundary with the origin
595 | boundary whenever possible.
596 | 
597 | 
598 | Acknowledgements {#acks}
599 | ========================
600 | 
601 | This document relies upon a number of excellent resources that spell out much of the foundation
602 | of our understanding of Spectre's implications for the web, and justify the mitigation strategies
603 | we currently espouse. The following is an incomplete list of those works:
604 | 
605 | [[APPLICATION-PRINCIPALS]], [[LONG-TERM-MITIGATIONS]], [[SPECTRE-SHAPED-WEB]],
606 | [[POST-SPECTRE-RETHINK]], [[SPILLING-THE-BEANS]], [[CROSS-ORIGIN-EMBEDDER-POLICY]],
607 | [[CROSS-ORIGIN-OPENER-POLICY-EXPLAINER]], [[COOP-COEP-EXPLAINED]],
608 | [[SAFELY-REVIVING-SHARED-MEMORY]], [[COI-THREAT-MODEL]]
609 | 


--------------------------------------------------------------------------------
/fpwd.html:
--------------------------------------------------------------------------------
   1 | <!doctype html><html lang="en">
   2 |  <head>
   3 |   <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
   4 |   <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
   5 |   <title>Post-Spectre Web Development</title>
   6 |   <meta content="WD" name="w3c-status">
   7 |   <link href="https://www.w3.org/StyleSheets/TR/2016/W3C-WD" rel="stylesheet" type="text/css">
   8 |   <meta content="Bikeshed version b9f8371cc, updated Fri Mar 5 18:35:23 2021 -0800" name="generator">
   9 |   <link href="https://www.w3.org/TR/post-spectre-webdev/" rel="canonical">
  10 |   <meta content="4ac42b4ab9380dc66a782abc584db9c6f3118f9f" name="document-revision">
  11 | <style>/* style-autolinks */
  12 | 
  13 | .css.css, .property.property, .descriptor.descriptor {
  14 |     color: var(--a-normal-text);
  15 |     font-size: inherit;
  16 |     font-family: inherit;
  17 | }
  18 | .css::before, .property::before, .descriptor::before {
  19 |     content: "‘";
  20 | }
  21 | .css::after, .property::after, .descriptor::after {
  22 |     content: "’";
  23 | }
  24 | .property, .descriptor {
  25 |     /* Don't wrap property and descriptor names */
  26 |     white-space: nowrap;
  27 | }
  28 | .type { /* CSS value <type> */
  29 |     font-style: italic;
  30 | }
  31 | pre .property::before, pre .property::after {
  32 |     content: "";
  33 | }
  34 | [data-link-type="property"]::before,
  35 | [data-link-type="propdesc"]::before,
  36 | [data-link-type="descriptor"]::before,
  37 | [data-link-type="value"]::before,
  38 | [data-link-type="function"]::before,
  39 | [data-link-type="at-rule"]::before,
  40 | [data-link-type="selector"]::before,
  41 | [data-link-type="maybe"]::before {
  42 |     content: "‘";
  43 | }
  44 | [data-link-type="property"]::after,
  45 | [data-link-type="propdesc"]::after,
  46 | [data-link-type="descriptor"]::after,
  47 | [data-link-type="value"]::after,
  48 | [data-link-type="function"]::after,
  49 | [data-link-type="at-rule"]::after,
  50 | [data-link-type="selector"]::after,
  51 | [data-link-type="maybe"]::after {
  52 |     content: "’";
  53 | }
  54 | 
  55 | [data-link-type].production::before,
  56 | [data-link-type].production::after,
  57 | .prod [data-link-type]::before,
  58 | .prod [data-link-type]::after {
  59 |     content: "";
  60 | }
  61 | 
  62 | [data-link-type=element],
  63 | [data-link-type=element-attr] {
  64 |     font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
  65 |     font-size: .9em;
  66 | }
  67 | [data-link-type=element]::before { content: "<" }
  68 | [data-link-type=element]::after  { content: ">" }
  69 | 
  70 | [data-link-type=biblio] {
  71 |     white-space: pre;
  72 | }</style>
  73 | <style>/* style-counters */
  74 | 
  75 | body {
  76 |     counter-reset: example figure issue;
  77 | }
  78 | .issue {
  79 |     counter-increment: issue;
  80 | }
  81 | .issue:not(.no-marker)::before {
  82 |     content: "Issue " counter(issue);
  83 | }
  84 | 
  85 | .example {
  86 |     counter-increment: example;
  87 | }
  88 | .example:not(.no-marker)::before {
  89 |     content: "Example " counter(example);
  90 | }
  91 | .invalid.example:not(.no-marker)::before,
  92 | .illegal.example:not(.no-marker)::before {
  93 |     content: "Invalid Example" counter(example);
  94 | }
  95 | 
  96 | figcaption {
  97 |     counter-increment: figure;
  98 | }
  99 | figcaption:not(.no-marker)::before {
 100 |     content: "Figure " counter(figure) " ";
 101 | }</style>
 102 | <style>/* style-dfn-panel */
 103 | 
 104 | :root {
 105 |     --dfnpanel-bg: #ddd;
 106 |     --dfnpanel-text: var(--text);
 107 | }
 108 | .dfn-panel {
 109 |     position: absolute;
 110 |     z-index: 35;
 111 |     height: auto;
 112 |     width: -webkit-fit-content;
 113 |     width: fit-content;
 114 |     max-width: 300px;
 115 |     max-height: 500px;
 116 |     overflow: auto;
 117 |     padding: 0.5em 0.75em;
 118 |     font: small Helvetica Neue, sans-serif, Droid Sans Fallback;
 119 |     background: var(--dfnpanel-bg);
 120 |     color: var(--dfnpanel-text);
 121 |     border: outset 0.2em;
 122 | }
 123 | .dfn-panel:not(.on) { display: none; }
 124 | .dfn-panel * { margin: 0; padding: 0; text-indent: 0; }
 125 | .dfn-panel > b { display: block; }
 126 | .dfn-panel a { color: var(--dfnpanel-text); }
 127 | .dfn-panel a:not(:hover) { text-decoration: none !important; border-bottom: none !important; }
 128 | .dfn-panel > b + b { margin-top: 0.25em; }
 129 | .dfn-panel ul { padding: 0; }
 130 | .dfn-panel li { list-style: inside; }
 131 | .dfn-panel.activated {
 132 |     display: inline-block;
 133 |     position: fixed;
 134 |     left: .5em;
 135 |     bottom: 2em;
 136 |     margin: 0 auto;
 137 |     max-width: calc(100vw - 1.5em - .4em - .5em);
 138 |     max-height: 30vh;
 139 | }
 140 | 
 141 | .dfn-paneled { cursor: pointer; }
 142 | </style>
 143 | <style>/* style-md-lists */
 144 | 
 145 | /* This is a weird hack for me not yet following the commonmark spec
 146 |    regarding paragraph and lists. */
 147 | [data-md] > :first-child {
 148 |     margin-top: 0;
 149 | }
 150 | [data-md] > :last-child {
 151 |     margin-bottom: 0;
 152 | }</style>
 153 | <style>/* style-selflinks */
 154 | 
 155 | :root {
 156 |     --selflink-text: white;
 157 |     --selflink-bg: gray;
 158 |     --selflink-hover-text: black;
 159 | }
 160 | .heading, .issue, .note, .example, li, dt {
 161 |     position: relative;
 162 | }
 163 | a.self-link {
 164 |     position: absolute;
 165 |     top: 0;
 166 |     left: calc(-1 * (3.5rem - 26px));
 167 |     width: calc(3.5rem - 26px);
 168 |     height: 2em;
 169 |     text-align: center;
 170 |     border: none;
 171 |     transition: opacity .2s;
 172 |     opacity: .5;
 173 | }
 174 | a.self-link:hover {
 175 |     opacity: 1;
 176 | }
 177 | .heading > a.self-link {
 178 |     font-size: 83%;
 179 | }
 180 | li > a.self-link {
 181 |     left: calc(-1 * (3.5rem - 26px) - 2em);
 182 | }
 183 | dfn > a.self-link {
 184 |     top: auto;
 185 |     left: auto;
 186 |     opacity: 0;
 187 |     width: 1.5em;
 188 |     height: 1.5em;
 189 |     background: var(--selflink-bg);
 190 |     color: var(--selflink-text);
 191 |     font-style: normal;
 192 |     transition: opacity .2s, background-color .2s, color .2s;
 193 | }
 194 | dfn:hover > a.self-link {
 195 |     opacity: 1;
 196 | }
 197 | dfn > a.self-link:hover {
 198 |     color: var(--selflink-hover-text);
 199 | }
 200 | 
 201 | a.self-link::before            { content: "¶"; }
 202 | .heading > a.self-link::before { content: "§"; }
 203 | dfn > a.self-link::before      { content: "#"; }
 204 | </style>
 205 | <style>/* style-syntax-highlighting */
 206 | 
 207 | code.highlight { padding: .1em; border-radius: .3em; }
 208 | pre.highlight, pre > code.highlight { display: block; padding: 1em; margin: .5em 0; overflow: auto; border-radius: 0; }
 209 | 
 210 | .highlight:not(.idl) { background: rgba(0, 0, 0, .03); }
 211 | c-[a] { color: #990055 } /* Keyword.Declaration */
 212 | c-[b] { color: #990055 } /* Keyword.Type */
 213 | c-[c] { color: #708090 } /* Comment */
 214 | c-[d] { color: #708090 } /* Comment.Multiline */
 215 | c-[e] { color: #0077aa } /* Name.Attribute */
 216 | c-[f] { color: #669900 } /* Name.Tag */
 217 | c-[g] { color: #222222 } /* Name.Variable */
 218 | c-[k] { color: #990055 } /* Keyword */
 219 | c-[l] { color: #000000 } /* Literal */
 220 | c-[m] { color: #000000 } /* Literal.Number */
 221 | c-[n] { color: #0077aa } /* Name */
 222 | c-[o] { color: #999999 } /* Operator */
 223 | c-[p] { color: #999999 } /* Punctuation */
 224 | c-[s] { color: #a67f59 } /* Literal.String */
 225 | c-[t] { color: #a67f59 } /* Literal.String.Single */
 226 | c-[u] { color: #a67f59 } /* Literal.String.Double */
 227 | c-[cp] { color: #708090 } /* Comment.Preproc */
 228 | c-[c1] { color: #708090 } /* Comment.Single */
 229 | c-[cs] { color: #708090 } /* Comment.Special */
 230 | c-[kc] { color: #990055 } /* Keyword.Constant */
 231 | c-[kn] { color: #990055 } /* Keyword.Namespace */
 232 | c-[kp] { color: #990055 } /* Keyword.Pseudo */
 233 | c-[kr] { color: #990055 } /* Keyword.Reserved */
 234 | c-[ld] { color: #000000 } /* Literal.Date */
 235 | c-[nc] { color: #0077aa } /* Name.Class */
 236 | c-[no] { color: #0077aa } /* Name.Constant */
 237 | c-[nd] { color: #0077aa } /* Name.Decorator */
 238 | c-[ni] { color: #0077aa } /* Name.Entity */
 239 | c-[ne] { color: #0077aa } /* Name.Exception */
 240 | c-[nf] { color: #0077aa } /* Name.Function */
 241 | c-[nl] { color: #0077aa } /* Name.Label */
 242 | c-[nn] { color: #0077aa } /* Name.Namespace */
 243 | c-[py] { color: #0077aa } /* Name.Property */
 244 | c-[ow] { color: #999999 } /* Operator.Word */
 245 | c-[mb] { color: #000000 } /* Literal.Number.Bin */
 246 | c-[mf] { color: #000000 } /* Literal.Number.Float */
 247 | c-[mh] { color: #000000 } /* Literal.Number.Hex */
 248 | c-[mi] { color: #000000 } /* Literal.Number.Integer */
 249 | c-[mo] { color: #000000 } /* Literal.Number.Oct */
 250 | c-[sb] { color: #a67f59 } /* Literal.String.Backtick */
 251 | c-[sc] { color: #a67f59 } /* Literal.String.Char */
 252 | c-[sd] { color: #a67f59 } /* Literal.String.Doc */
 253 | c-[se] { color: #a67f59 } /* Literal.String.Escape */
 254 | c-[sh] { color: #a67f59 } /* Literal.String.Heredoc */
 255 | c-[si] { color: #a67f59 } /* Literal.String.Interpol */
 256 | c-[sx] { color: #a67f59 } /* Literal.String.Other */
 257 | c-[sr] { color: #a67f59 } /* Literal.String.Regex */
 258 | c-[ss] { color: #a67f59 } /* Literal.String.Symbol */
 259 | c-[vc] { color: #0077aa } /* Name.Variable.Class */
 260 | c-[vg] { color: #0077aa } /* Name.Variable.Global */
 261 | c-[vi] { color: #0077aa } /* Name.Variable.Instance */
 262 | c-[il] { color: #000000 } /* Literal.Number.Integer.Long */
 263 | </style>
 264 |  <body class="h-entry">
 265 |   <div class="head">
 266 |    <p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
 267 |    <h1 class="p-name no-ref" id="title">Post-Spectre Web Development</h1>
 268 |    <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">W3C First Public Working Draft, <time class="dt-updated" datetime="2021-03-16">16 March 2021</time></span></h2>
 269 |    <div data-fill-with="spec-metadata">
 270 |     <dl>
 271 |      <dt>This version:
 272 |      <dd><a class="u-url" href="https://www.w3.org/TR/2021/WD-post-spectre-webdev-20210316/">https://www.w3.org/TR/2021/WD-post-spectre-webdev-20210316/</a>
 273 |      <dt>Latest published version:
 274 |      <dd><a href="https://www.w3.org/TR/post-spectre-webdev/">https://www.w3.org/TR/post-spectre-webdev/</a>
 275 |      <dt>Editor's Draft:
 276 |      <dd><a href="https://w3c.github.io/webappsec-post-spectre-webdev/">https://w3c.github.io/webappsec-post-spectre-webdev/</a>
 277 |      <dt>Feedback:
 278 |      <dd><span><a href="mailto:public-webappsec@w3.org?subject=%5Bpost-spectre-webdev%5D%20YOUR%20TOPIC%20HERE">public-webappsec@w3.org</a> with subject line “<kbd>[post-spectre-webdev] <i data-lt>… message topic …</i></kbd>” (<a href="https://lists.w3.org/Archives/Public/public-webappsec/" rel="discussion">archives</a>)</span>
 279 |      <dt>Issue Tracking:
 280 |      <dd><a href="https://github.com/w3c/webappsec-post-spectre-webdev/issues/">GitHub</a>
 281 |      <dd><a href="#issues-index">Inline In Spec</a>
 282 |      <dt class="editor">Editor:
 283 |      <dd class="editor p-author h-card vcard" data-editor-id="56384"><a class="p-name fn u-email email" href="mailto:mkwst@google.com">Mike West</a> (<span class="p-org org">Google</span>)
 284 |     </dl>
 285 |    </div>
 286 |    <div data-fill-with="warning"></div>
 287 |    <p class="copyright" data-fill-with="copyright"><a href="https://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 2021 <a href="https://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="https://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="https://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="https://www.keio.ac.jp/">Keio</a>, <a href="https://ev.buaa.edu.cn/">Beihang</a>). W3C <a href="https://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="https://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="https://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply. </p>
 288 |    <hr title="Separator for header">
 289 |   </div>
 290 |   <div class="p-summary" data-fill-with="abstract">
 291 |    <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>
 292 |    <p>Post-Spectre, we need to adopt some new strategies for safe and secure web development. This
 293 | 
 294 |     document outlines a threat model we can share, and a set of mitigation recommendations.</p>
 295 |    <p><strong>TL;DR</strong>: Your data must not unexpectedly enter an attacker’s process.</p>
 296 |   </div>
 297 |   <h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>
 298 |   <div data-fill-with="status">
 299 |    <p> <em>This section describes the status of this document at the time of
 300 |   its publication. Other documents may supersede this document. A list of
 301 |   current W3C publications and the latest revision of this technical report
 302 |   can be found in the <a href="https://www.w3.org/TR/">W3C technical reports
 303 |   index at https://www.w3.org/TR/.</a></em> </p>
 304 |    <p> This document was published by the <a href="https://www.w3.org/2011/webappsec/">Web Application Security Working Group</a> as a Working Draft. This document is intended to become a W3C Working Group Note. </p>
 305 |    <p> The (<a href="https://lists.w3.org/Archives/Public/public-webappsec/">archived</a>) public mailing list <a href="mailto:public-webappsec@w3.org?Subject=%5Bpost-spectre-webdev%5D%20PUT%20SUBJECT%20HERE">public-webappsec@w3.org</a> (see <a href="https://www.w3.org/Mail/Request">instructions</a>)
 306 | 	is preferred for discussion of this specification.
 307 | 	When sending e-mail,
 308 | 	please put the text “post-spectre-webdev” in the subject,
 309 | 	preferably like this:
 310 | 	“[post-spectre-webdev] <em>…summary of comment…</em>” </p>
 311 |    <p> This document is a <strong>First Public Working Draft</strong>. </p>
 312 |    <p> Publication as a First Public Working Draft does not imply endorsement by the W3C
 313 |   Membership. This is a draft document and may be updated, replaced or
 314 |   obsoleted by other documents at any time. It is inappropriate to cite this
 315 |   document as other than work in progress. </p>
 316 |    <p> This document was produced by the <a href="https://www.w3.org/2011/webappsec/">Web Application Security Working Group</a>. </p>
 317 |    <p> This document was produced by a group operating under
 318 | 	the <a href="https://www.w3.org/Consortium/Patent-Policy-20170801/">W3C Patent Policy</a>.
 319 | 	The group does not expect this document to become a W3C Recommendation.
 320 | 	W3C maintains a <a href="https://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the group;
 321 | 	that page also includes instructions for disclosing a patent.
 322 | 	An individual who has actual knowledge of a patent which the individual believes contains <a href="https://www.w3.org/Consortium/Patent-Policy-20170801/#def-essential">Essential Claim(s)</a> must disclose the information in accordance with <a href="https://www.w3.org/Consortium/Patent-Policy-20170801/#sec-Disclosure">section 6 of the W3C Patent Policy</a>. </p>
 323 |    <p> This document is governed by the <a href="https://www.w3.org/2020/Process-20200915/" id="w3c_process_revision">15 September 2020 W3C Process Document</a>. </p>
 324 |    <p></p>
 325 |   </div>
 326 |   <div data-fill-with="at-risk"></div>
 327 |   <nav data-fill-with="table-of-contents" id="toc">
 328 |    <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
 329 |    <ol class="toc" role="directory">
 330 |     <li>
 331 |      <a href="#intro"><span class="secno">1</span> <span class="content">Introduction</span></a>
 332 |      <ol class="toc">
 333 |       <li><a href="#threat-model"><span class="secno">1.1</span> <span class="content">Threat Model</span></a>
 334 |       <li><a href="#tldr"><span class="secno">1.2</span> <span class="content">TL;DR</span></a>
 335 |      </ol>
 336 |     <li>
 337 |      <a href="#examples"><span class="secno">2</span> <span class="content">Practical Examples</span></a>
 338 |      <ol class="toc">
 339 |       <li>
 340 |        <a href="#subresources"><span class="secno">2.1</span> <span class="content">Subresources</span></a>
 341 |        <ol class="toc">
 342 |         <li><a href="#static-subresources"><span class="secno">2.1.1</span> <span class="content">Static Subresources</span></a>
 343 |         <li><a href="#dynamic-subresources"><span class="secno">2.1.2</span> <span class="content">Dynamic Subresources</span></a>
 344 |        </ol>
 345 |       <li>
 346 |        <a href="#documents"><span class="secno">2.2</span> <span class="content">Documents</span></a>
 347 |        <ol class="toc">
 348 |         <li><a href="#documents-isolated"><span class="secno">2.2.1</span> <span class="content">Fully-Isolated Documents</span></a>
 349 |         <li><a href="#documents-with-popups"><span class="secno">2.2.2</span> <span class="content">Documents Expecting to Open Cross-Origin Windows</span></a>
 350 |         <li><a href="#documents-as-popups"><span class="secno">2.2.3</span> <span class="content">Documents Expecting Cross-Origin Openers</span></a>
 351 |        </ol>
 352 |      </ol>
 353 |     <li>
 354 |      <a href="#considerations"><span class="secno">3</span> <span class="content">Implementation Considerations</span></a>
 355 |      <ol class="toc">
 356 |       <li><a href="#explicit-defaults"><span class="secno">3.1</span> <span class="content">Explicitly Setting Headers with Default Values</span></a>
 357 |      </ol>
 358 |     <li><a href="#acks"><span class="secno">4</span> <span class="content">Acknowledgements</span></a>
 359 |     <li>
 360 |      <a href="#conformance"><span class="secno"></span> <span class="content">Conformance</span></a>
 361 |      <ol class="toc">
 362 |       <li><a href="#conventions"><span class="secno"></span> <span class="content">Document conventions</span></a>
 363 |       <li><a href="#conformant-algorithms"><span class="secno"></span> <span class="content">Conformant Algorithms</span></a>
 364 |      </ol>
 365 |     <li>
 366 |      <a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
 367 |      <ol class="toc">
 368 |       <li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
 369 |      </ol>
 370 |     <li>
 371 |      <a href="#references"><span class="secno"></span> <span class="content">References</span></a>
 372 |      <ol class="toc">
 373 |       <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
 374 |       <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
 375 |      </ol>
 376 |     <li><a href="#issues-index"><span class="secno"></span> <span class="content">Issues Index</span></a>
 377 |    </ol>
 378 |   </nav>
 379 |   <main>
 380 |    <h2 class="heading settled" data-level="1" id="intro"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#intro"></a></h2>
 381 |    <p>In early 2018, Spectre made it clear that a foundational security boundary the web aimed to
 382 | maintain was substantially less robust than expected. <a data-link-type="biblio" href="#biblio-spectre">[SPECTRE]</a> This revelation has pushed web
 383 | browsers to shift their focus from the platform-level <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin">origin</a> boundary to an OS-level
 384 | process boundary. Chromium’s threat model, for instance, now asserts that "active web content …
 385 | will be able to read any and all data in the address space of the process that hosts it". <a data-link-type="biblio" href="#biblio-post-spectre-rethink">[POST-SPECTRE-RETHINK]</a> This shift in thinking imposes a shift in development practice, both
 386 | for browser vendors, and for web developers. Browsers need to align the origin boundary with the
 387 | process boundary through fundamental refactoring projects (for example, <a data-link-type="biblio" href="#biblio-site-isolation">[SITE-ISOLATION]</a> and <a data-link-type="biblio" href="#biblio-project-fission">[PROJECT-FISSION]</a>). Moreover, browsers must provide web developers with tools to mitigate risk
 388 | in the short term, and should push the platform towards safe default behaviors in the long term.
 389 | The bad news is that this is going to be a lot of work, much of it falling on the shoulders of
 390 | web developers. The good news is that a reasonable set of mitigation primitives exists today,
 391 | ready and waiting for use.</p>
 392 |    <p>This document will summarize the threat model which the Web Application Security Working Group
 393 | espouses, point to a set of mitigations which seem promising, and provide concrete recommendations
 394 | for developers responsible for protecting users' data.</p>
 395 |    <h3 class="heading settled" data-level="1.1" id="threat-model"><span class="secno">1.1. </span><span class="content">Threat Model</span><a class="self-link" href="#threat-model"></a></h3>
 396 |    <p>Spectre-like side-channel attacks inexorably lead to a model in which active web content
 397 | (JavaScript, WASM, probably CSS if we tried hard enough, and so on) can read any and all data which
 398 | has entered the address space of the process which hosts it. While this has deep implications for
 399 | user agent implementations' internal hardening strategies (stack canaries, ASLR, etc), here we’ll
 400 | remain focused on the core implication at the web platform level, which is both simple and profound:
 401 | any data which flows into a process hosting a given origin is legible to that origin. We must design
 402 | accordingly.</p>
 403 |    <p>In order to determine the scope of data that can be assumed accessible to an attacker, we must make
 404 | a few assumptions about the normally-not-web-exposed process model which the user agent implements.
 405 | The following seems like a good place to start:</p>
 406 |    <ol>
 407 |     <li data-md>
 408 |      <p>User agents are capable of separating the execution of a web origin’s code into a process
 409 | distinct from the agent’s core. This separation enables the agent itself to access local
 410 | devices, fetch resources, broker cross-process communication, and so on, in a way which remains
 411 | invisible to any process potentially hosting untrusted code.</p>
 412 |     <li data-md>
 413 |      <p>User agents are able to make decisions about whether or not a given resource should be delivered
 414 | to a process hosting a given origin based on characteristics of both the request and the
 415 | response (headers, etc).</p>
 416 |     <li data-md>
 417 |      <p>User agents can consistently separate top-level, cross-origin windows into distinct processes.
 418 | They cannot consistently separate same-site or same-origin windows into distinct processes given
 419 | the potential for synchronous access between the windows.</p>
 420 |     <li data-md>
 421 |      <p>User agents cannot yet consistently seperate framed origins into processes distinct from their
 422 | embedders' origin.</p>
 423 |      <p class="note" role="note"><span>Note:</span> Though some user agents support out-of-process frames <a data-link-type="biblio" href="#biblio-oopif">[OOPIF]</a>, no agent supports it
 424 | consistently across a broad range of devices and platforms. Ideally this will change over time,
 425 | as the frame boundary <em>must</em> be one we can eventually consider robust.</p>
 426 |    </ol>
 427 |    <p>With this in mind, our general assumption will be that an origin gains access to any resource which
 428 | it renders (including images, stylesheets, scripts, frames, etc). Likewise, embedded frames gain
 429 | access to their ancestors' content.</p>
 430 |    <p class="issue" id="issue-340f57a5"><a class="self-link" href="#issue-340f57a5"></a> <a data-link-type="biblio" href="#biblio-coi-threat-model">[COI-THREAT-MODEL]</a> spells out more implications. Bring them in here for more nuance.</p>
 431 |    <h3 class="heading settled" data-level="1.2" id="tldr"><span class="secno">1.2. </span><span class="content">TL;DR</span><a class="self-link" href="#tldr"></a></h3>
 432 |    <ol>
 433 |     <li data-md>
 434 |      <p><strong>Decide when (not!) to respond to requests</strong> by examining incoming headers, paying special
 435 | attention to the <a data-link-type="http-header" href="https://fetch.spec.whatwg.org/#origin-header" id="ref-for-origin-header"><code>Origin</code></a> header on the one hand, and various <code>Sec-Fetch-</code> prefixed headers on the other, as described in <a data-link-type="biblio" href="#biblio-resource-isolation-policy">[resource-isolation-policy]</a>.</p>
 436 |     <li data-md>
 437 |      <p><strong>Restrict attackers' ability to load your data as a subresource</strong> by setting a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#http-cross-origin-resource-policy" id="ref-for-http-cross-origin-resource-policy">cross-origin resource policy</a> (CORP) of <code>same-origin</code> (opening up to <code>same-site</code> or <code>cross-origin</code> only when necessary).</p>
 438 |     <li data-md>
 439 |      <p><strong>Restrict attackers' ability to frame your data as a document</strong> by opt-ing into framing
 440 | protections via <code>X-Frame-Options: SAMEORIGIN</code> or CSP’s more granular <a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#frame-ancestors" id="ref-for-frame-ancestors">frame-ancestors</a> directive (<code>frame-ancestors 'self' https://trusted.embedder</code>, for example).</p>
 441 |     <li data-md>
 442 |      <p><strong>Restrict attackers' ability to obtain a handle to your window</strong> by setting a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies" id="ref-for-cross-origin-opener-policies">cross-origin opener policy</a> (COOP). In the best case, you can default to a restrictive <code>same-origin</code> value, opening up to <code>same-origin-allow-popups</code> or <code>unsafe-none</code> only if
 443 | necessary.</p>
 444 |     <li data-md>
 445 |      <p><strong>Prevent MIME-type confusion attacks</strong> and increase the robustness of passive defenses like <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#corb" id="ref-for-corb">cross-origin read blocking</a> (CORB) / <a href="https://github.com/annevk/orb">opaque response blocking</a> (<a data-link-type="biblio" href="#biblio-orb">[ORB]</a>) by setting
 446 | correct <code>Content-Type</code> headers, and globally asserting <code>X-Content-Type-Options: nosniff</code>.</p>
 447 |    </ol>
 448 |    <p class="issue" id="issue-db0b0c7b"><a class="self-link" href="#issue-db0b0c7b"></a> Describe these mitigations in more depth, swiping liberally from <a href="https://docs.google.com/document/d/1JBUaX1xSOZRxBk5bRNZWgnzyJoCQC52TIRokACBSmGc/edit?resourcekey=0-cZ7da6v52enjwRSsp_tLyQ">Notes on the threat model of <em>cross-origin isolation</em></a>, <a href="https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit">Safely reviving shared memory</a>, etc.</p>
 449 |    <h2 class="heading settled" data-level="2" id="examples"><span class="secno">2. </span><span class="content">Practical Examples</span><a class="self-link" href="#examples"></a></h2>
 450 |    <h3 class="heading settled" data-level="2.1" id="subresources"><span class="secno">2.1. </span><span class="content">Subresources</span><a class="self-link" href="#subresources"></a></h3>
 451 |    <p>Resources which are intended to be loaded into documents should protect themselves from being used
 452 | in unexpected ways. Before walking through strategies for specific kinds of resources, a few headers
 453 | seem generally applicable:</p>
 454 |    <ol>
 455 |     <li data-md>
 456 |      <p>Sites should use Fetch Metadata to make good decisions about when to serve resources, as
 457 | described in <a data-link-type="biblio" href="#biblio-resource-isolation-policy">[resource-isolation-policy]</a>. In order to ensure that decision sticks, servers
 458 | should explain its decision to the browser by sending a <a data-link-type="http-header" href="https://tools.ietf.org/html/rfc7231#section-7.1.4" id="ref-for-section-7.1.4"><code>Vary</code></a> header
 459 | containing <code>Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site</code>. This ensures that the server has
 460 | a chance to make different decisions for requests which will be <em>used</em> differently.</p>
 461 |     <li data-md>
 462 |      <p>Subresources should opt-out of MIME type sniffing by sending an <a data-link-type="http-header" href="https://fetch.spec.whatwg.org/#http-x-content-type-options" id="ref-for-http-x-content-type-options"><code>X-Content-Type-Options</code></a> header with a value of <code>nosniff</code>. This increases the
 463 | robustness of MIME-based checks like <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#corb" id="ref-for-corb①">cross-origin read blocking</a> (CORB) / <a href="https://github.com/annevk/orb">opaque response blocking</a> (<a data-link-type="biblio" href="#biblio-orb">[ORB]</a>), and mitigates
 464 | some well-known risks around type confusion for scripts.</p>
 465 |     <li data-md>
 466 |      <p>Subresources are intended for inclusion in a given context, not as independently navigable
 467 | documents. To mitigate the risk that navigation to a subresource causes script execution or
 468 | opens an origin up to attack in some other way, servers can assert the following set of headers
 469 | which collectively make it difficult to meaningfully abuse a subresource via navigation:</p>
 470 |      <ul>
 471 |       <li data-md>
 472 |        <p>Using the <a data-link-type="http-header" href="https://www.w3.org/TR/CSP3/#header-content-security-policy" id="ref-for-header-content-security-policy"><code>Content-Security-Policy</code></a> header’s to assert the <a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#sandbox" id="ref-for-sandbox"><code>sandbox</code></a> directive ensures that these resources remain inactive if navigated to
 473 | directly as a top-level document. No scripts will execute, and the resource will be pushed
 474 | into an <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-opaque" id="ref-for-concept-origin-opaque">opaque origin</a>.</p>
 475 |        <p class="note" role="note"><span>Note:</span> Some servers deliver <code>Content-Disposition: attachment; filename=file.name</code> to obtain
 476 | a similar effect. This was valuable to mitigate vulnerabilies in Flash, but the sandbox
 477 | approach seems to more straightforwardly address the threats we care about today.</p>
 478 |       <li data-md>
 479 |        <p>Asserting the <a data-link-type="http-header" href="https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies" id="ref-for-cross-origin-opener-policies①"><code>Cross-Origin-Opener-Policy</code></a> header with a value of <code>same-origin</code> prevents cross-origin documents from retaining a handle to the resource’s
 480 | window if it’s opened in a popup.</p>
 481 |       <li data-md>
 482 |        <p>The <a data-link-type="http-header" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#the-x-frame-options-header" id="ref-for-the-x-frame-options-header"><code>X-Frame-Options</code></a> header with a value of <code>DENY</code> prevents the resource
 483 | from being framed.</p>
 484 |      </ul>
 485 |    </ol>
 486 |    <p>Most subresources, then, should contain the following block of headers, which you’ll see repeated a
 487 | few times below:</p>
 488 | <pre class="highlight">Content-Security-Policy: sandbox
 489 | Cross-Origin-Opener-Policy: same-origin
 490 | Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
 491 | X-Content-Type-Options: nosniff
 492 | X-Frame-Options: DENY
 493 | </pre>
 494 |    <p>With these generic protections in mind, let’s sift through a few scenarios to determine what headers
 495 | a server would be well-served to assert:</p>
 496 |    <h4 class="heading settled" data-level="2.1.1" id="static-subresources"><span class="secno">2.1.1. </span><span class="content">Static Subresources</span><a class="self-link" href="#static-subresources"></a></h4>
 497 |    <p>By their nature, static resources contain the same data no matter who requests them, and therefore
 498 | cannot contain interesting information that an attacker couldn’t otherwise obtain. There’s no risk
 499 | to making these resources widely available, and value in allowing embedders to robustly debug, so
 500 | something like the following response headers could be appropriate:</p>
 501 | <pre class="highlight"><strong>Access-Control-Allow-Origin: *
 502 | Cross-Origin-Resource-Policy: cross-origin
 503 | Timing-Allow-Origin: *</strong>
 504 | Content-Security-Policy: sandbox
 505 | Cross-Origin-Opener-Policy: same-origin
 506 | X-Content-Type-Options: nosniff
 507 | X-Frame-Options: DENY
 508 | </pre>
 509 |    <p class="note" role="note"><span>Note:</span> Purely static resources always respond with the same data, no matter the request. There’s
 510 | therefore little benefit to sending a <code>Vary</code> header: it can be safely omitted for these responses.</p>
 511 |    <p>CDNs are the canonical static resource distribution points, and many use the pattern above. Take
 512 | a look at the following common resources' response headers for inspiration:</p>
 513 |    <ul>
 514 |     <li data-md>
 515 |      <p><a href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js"><code>https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.min.js</code></a></p>
 516 |     <li data-md>
 517 |      <p><a href="https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js"><code>https://cdnjs.cloudflare.com/ajax/libs/jquery/3.5.1/jquery.min.js</code></a></p>
 518 |     <li data-md>
 519 |      <p><a href="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"><code>https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js</code></a></p>
 520 |     <li data-md>
 521 |      <p><a href="https://ssl.google-analytics.com/ga.js"><code>https://ssl.google-analytics.com/ga.js</code></a></p>
 522 |    </ul>
 523 |    <p>Similarly, application-specific static resource servers are a good place to look for this practice. Consider:</p>
 524 |    <ul>
 525 |     <li data-md>
 526 |      <p><a href="https://static.xx.fbcdn.net/rsrc.php/v3/y2/r/zVvRrO8pOtu.png"><code>https://static.xx.fbcdn.net/rsrc.php/v3/y2/r/zVvRrO8pOtu.png</code></a></p>
 527 |     <li data-md>
 528 |      <p><a href="https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg"><code>https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg</code></a></p>
 529 |    </ul>
 530 |    <h4 class="heading settled" data-level="2.1.2" id="dynamic-subresources"><span class="secno">2.1.2. </span><span class="content">Dynamic Subresources</span><a class="self-link" href="#dynamic-subresources"></a></h4>
 531 |    <p>Subresources that contain data personalized to a given user are juicy targets for attackers, and
 532 | must be defended by ensuring that they’re loaded only in ways that are appropriate for the data
 533 | in question. A few cases are well worth considering:</p>
 534 |    <ol>
 535 |     <li data-md>
 536 |      <p>Application-internal resources (private API endpoints, avatar images, uploaded data, etc.)
 537 | should not be available to any cross-origin requestor. These resources should be restricted to
 538 | usage as a subresource in same-origin contexts by sending a <a data-link-type="http-header" href="https://fetch.spec.whatwg.org/#http-cross-origin-resource-policy" id="ref-for-http-cross-origin-resource-policy①"><code>Cross-Origin-Resource-Policy</code></a> header with a value of <code>same-origin</code>:</p>
 539 | <pre class="highlight"><strong>Cross-Origin-Resource-Policy: same-origin</strong>
 540 | Content-Security-Policy: sandbox
 541 | Cross-Origin-Opener-Policy: same-origin
 542 | Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
 543 | X-Content-Type-Options: nosniff
 544 | X-Frame-Options: DENY
 545 | </pre>
 546 |      <p>This header will prevent cross-origin attackers from loading the resource as a response to a <code>no-cors</code> request.</p>
 547 |      <p>For example, examine the headers returned when requesting endpoints like the following:</p>
 548 |      <ul>
 549 |       <li data-md>
 550 |        <p><a href="https://myaccount.google.com/_/AccountSettingsUi/browserinfo"><code>https://myaccount.google.com/_/AccountSettingsUi/browserinfo</code></a></p>
 551 |       <li data-md>
 552 |        <p><a href="https://twitter.com/i/api/1.1/branch/init.json"><code>https://twitter.com/i/api/1.1/branch/init.json</code></a></p>
 553 |       <li data-md>
 554 |        <p><a href="https://www.facebook.com/ajax/webstorage/process_keys/?state=0"><code>https://www.facebook.com/ajax/webstorage/process_keys/?state=0</code></a></p>
 555 |      </ul>
 556 |     <li data-md>
 557 |      <p>Personalized resources intended for cross-origin use (public API endpoints, etc) should
 558 | carefully consider incoming requests' properties before responding. These endpoints can only
 559 | safely be enabled by requiring CORS, and choosing the set of origins for which a given response
 560 | can be exposed by setting the appropriate access-control headers, for example:</p>
 561 | <pre class="highlight"><strong>Access-Control-Allow-Credentials: true
 562 | Access-Control-Allow-Origin: https://trusted.example
 563 | Access-Control-Allow-Methods: POST
 564 | Access-Control-Allow-Headers: ...
 565 | Access-Control-Allow-...: ...
 566 | Cross-Origin-Resource-Policy: same-origin</strong>
 567 | Content-Security-Policy: sandbox
 568 | Cross-Origin-Opener-Policy: same-origin
 569 | Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
 570 | X-Content-Type-Options: nosniff
 571 | X-Frame-Options: DENY
 572 | </pre>
 573 |      <p class="note" role="note"><span>Note:</span> The <code>Cross-Origin-Resource-Policy</code> header is only processed for requests that are _not_
 574 | using CORS for access control ("<code>no-cors</code> requests"). Sending <code>Cross-Origin-Resource-Policy: same-origin</code> is therefore not harmful, and works to ensure that <code>no-cors</code> usage isn’t accidentally allowed.</p>
 575 |      <p>For example, examine the headers returned when requesting endpoints like the following:</p>
 576 |      <ul>
 577 |       <li data-md>
 578 |        <p><a href="https://api.twitter.com/1.1/jot/client_event.json"><code>https://api.twitter.com/1.1/jot/client_event.json</code></a></p>
 579 |       <li data-md>
 580 |        <p><a href="https://play.google.com/log?format=json&amp;hasfast=true"><code>https://play.google.com/log?format=json&amp;hasfast=true</code></a></p>
 581 |       <li data-md>
 582 |        <p><a href="https://securepubads.g.doubleclick.net/pcs/view"><code>https://securepubads.g.doubleclick.net/pcs/view</code></a></p>
 583 |       <li data-md>
 584 |        <p><a href="https://c.amazon-adsystem.com/e/dtb/bid"><code>https://c.amazon-adsystem.com/e/dtb/bid</code></a></p>
 585 |      </ul>
 586 |     <li data-md>
 587 |      <p>Personalized resources that are intended for cross-origin <code>no-cors</code> embedding, but which don’t
 588 | intend to be directly legible in that context (avatar images, authenticated media, etc). These
 589 | should enable cross-origin embedding via <code>Cross-Origin-Resource-Policy</code>, but _not_ via CORS
 590 | access control headers:</p>
 591 | <pre class="highlight"><strong>Cross-Origin-Resource-Policy: cross-origin</strong>
 592 | Content-Security-Policy: sandbox
 593 | Cross-Origin-Opener-Policy: same-origin
 594 | Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
 595 | X-Content-Type-Options: nosniff
 596 | X-Frame-Options: DENY
 597 | </pre>
 598 |      <div class="note" role="note">
 599 |        Note: That this allows the resource to be used by any cross-origin document. That’s
 600 |     reasonable for some use cases, but requiring CORS, and opting-in a small set of origins via
 601 |     appropriate access-control headers is a possible alternative for some resources. This
 602 |     approach will give those contexts trivial access to the resource’s bits, so the granularity
 603 |     is a tradeoff. Still, considering this case to be the same as the "personalized resources
 604 |     intended for cross-origin use" isn’t unreasonable. 
 605 |       <p class="issue" id="issue-ae9c0065"><a class="self-link" href="#issue-ae9c0065"></a> If we implemented more granular bindings for CORP headers (along
 606 |     the lines of <code>Cross-Origin-Resource-Policy: https://trusted.example</code>), we could avoid this
 607 |     tradeoff entirely. <a href="https://github.com/whatwg/fetch/issues/760">&lt;https://github.com/whatwg/fetch/issues/760></a></p>
 608 |      </div>
 609 |      <p>For example:</p>
 610 |      <ul>
 611 |       <li data-md>
 612 |        <p><a href="https://lh3.google.com/u/0/d/1JBUaX1xSOZRxBk5bRNZWgnzyJoCQC52TIRokACBSmGc=w512"><code>https://lh3.google.com/u/0/d/1JBUaX1xSOZRxBk5bRNZWgnzyJoCQC52TIRokACBSmGc=w512</code></a></p>
 613 |      </ul>
 614 |    </ol>
 615 |    <h3 class="heading settled" data-level="2.2" id="documents"><span class="secno">2.2. </span><span class="content">Documents</span><a class="self-link" href="#documents"></a></h3>
 616 |    <h4 class="heading settled" data-level="2.2.1" id="documents-isolated"><span class="secno">2.2.1. </span><span class="content">Fully-Isolated Documents</span><a class="self-link" href="#documents-isolated"></a></h4>
 617 |    <p>Documents that require users to be signed-in almost certainly contain information that shouldn’t be
 618 | revealed to attackers. These pages should take care to isolate themselves from other origins, both
 619 | by making _a priori_ decisions about whether to serve the page at all (see <a data-link-type="biblio" href="#biblio-resource-isolation-policy">[resource-isolation-policy]</a>, for example), and by giving clients careful instructions about how
 620 | the page can be used once delivered. For instance, something like the following set of response
 621 | headers could be appropriate:</p>
 622 | <pre class="highlight">Cross-Origin-Opener-Policy: same-origin
 623 | Cross-Origin-Resource-Policy: same-origin
 624 | Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
 625 | X-Content-Type-Options: nosniff
 626 | X-Frame-Options: SAMEORIGIN
 627 | </pre>
 628 |    <p class="note" role="note"><span>Note:</span> Documents which need to make use of APIs that require full cross-origin isolation (such
 629 | as <code class="idl"><a data-link-type="idl" href="https://tc39.es/ecma262/#sec-sharedarraybuffer-objects" id="ref-for-sec-sharedarraybuffer-objects">SharedArrayBuffer</a></code>), will also need to serve a <code>Cross-Origin-Embedder-Policy</code> header, as
 630 | outlined in <a data-link-type="biblio" href="#biblio-coop-coep">[coop-coep]</a>.</p>
 631 |    <p>Account settings pages, admin panels, and application-specific documents are all good examples of
 632 | resources which would benefit from as much isolation as possible. For real-life examples, consider:</p>
 633 |    <ul>
 634 |     <li data-md>
 635 |      <p><a href="https://myaccount.google.com/"><code>https://myaccount.google.com/</code></a></p>
 636 |    </ul>
 637 |    <h4 class="heading settled" data-level="2.2.2" id="documents-with-popups"><span class="secno">2.2.2. </span><span class="content">Documents Expecting to Open Cross-Origin Windows</span><a class="self-link" href="#documents-with-popups"></a></h4>
 638 |    <p>Not every document that requires sign-in can be fully-isolated from the rest of the internet. It’s
 639 | often the case that partial isolation is a better fit. Consider sites that depend upon cross-origin
 640 | windows for federated workflows involving payments or sign-in, for example. These pages would
 641 | generally benefit from restricting attackers' ability to embed them, or obtain their window handle,
 642 | but they can’t easily lock themselves off from all such vectors via <code>Cross-Origin-Opener-Policy: same-origin</code> and <code>X-Frame-Options: DENY</code>. In these cases, something
 643 | like the following set of response headers might be appropriate:</p>
 644 | <pre class="highlight">Cross-Origin-Opener-Policy: same-origin-allow-popups
 645 | Cross-Origin-Resource-Policy: same-origin
 646 | Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
 647 | X-Content-Type-Options: nosniff
 648 | X-Frame-Options: SAMEORIGIN
 649 | </pre>
 650 |    <p>The only difference between this case and the "Fully-Isolated" case above is the <code>Cross-Origin-Opener-Policy</code> value. <code>same-origin</code> will break the opener relationship between the
 651 | document and any cross-origin window, regardless of who opened whom. <code>same-origin-allow-popups</code> will break cross-origin opener relationships initiated by a cross-origin
 652 | document’s use of <code>window.open()</code>, but will allow the asserting document to open cross-origin
 653 | windows that retain an opener relationship.</p>
 654 |    <h4 class="heading settled" data-level="2.2.3" id="documents-as-popups"><span class="secno">2.2.3. </span><span class="content">Documents Expecting Cross-Origin Openers</span><a class="self-link" href="#documents-as-popups"></a></h4>
 655 |    <p>Federated sign-in forms and payment providers are clear examples of documents which intend to be
 656 | opened by cross-origin windows, and require that relationship to be maintained in order to
 657 | facilitate communication via channels like <code class="idl"><a data-link-type="idl" href="https://html.spec.whatwg.org/multipage/web-messaging.html#dom-window-postmessage-options" id="ref-for-dom-window-postmessage-options">postMessage(message, options)</a></code> or navigation.
 658 | These documents cannot isolate themselves completely, but can prevent themselves from being embedded
 659 | or fetched cross-origin. Three scenarios are worth considering:</p>
 660 |    <ol>
 661 |     <li data-md>
 662 |      <p>Documents that only wish to be opened in cross-origin popups could loosen their cross-origin
 663 | opener policy by serving the following headers:</p>
 664 | <pre class="highlight">Cross-Origin-Resource-Policy: same-origin
 665 | <strong>Cross-Origin-Opener-Policy: unsafe-none</strong>
 666 | Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
 667 | X-Content-Type-Options: nosniff
 668 | X-Frame-Options: SAMEORIGIN
 669 | </pre>
 670 |      <p>For example:</p>
 671 |      <ul>
 672 |       <li data-md>
 673 |        <p class="issue" id="issue-94179e25"><a class="self-link" href="#issue-94179e25"></a> Find some links.</p>
 674 |      </ul>
 675 |     <li data-md>
 676 |      <p>Documents that only wish to be framed in cross-origin contexts could loosen their framing
 677 | protections by serving the following headers:</p>
 678 | <pre class="highlight">Cross-Origin-Resource-Policy: same-origin
 679 | Cross-Origin-Opener-Policy: same-origin
 680 | Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
 681 | X-Content-Type-Options: nosniff
 682 | <strong>X-Frame-Options: ALLOWALL</strong>
 683 | </pre>
 684 |      <div class="note" role="note">
 685 |        Note: That this allows embedding by any cross-origin documents. That’s reasonable for some
 686 |     widgety use cases, but when possible, a more secure alternative would specify a list of origins
 687 |     which are allowed to embed the document via the <a data-link-type="dfn" href="https://www.w3.org/TR/CSP3/#frame-ancestors" id="ref-for-frame-ancestors①">frame-ancestors</a> CSP directive. That is, in
 688 |     addition to the <code>X-Frame-Options</code> header above, the following header could also be included to
 689 |     restrict the document to a short list of trusted embedders: 
 690 | <pre class="highlight">Content-Security-Policy: frame-ancestors https://trusted1.example https://trusted2.example
 691 | </pre>
 692 |      </div>
 693 |      <p>For example:</p>
 694 |      <ul>
 695 |       <li data-md>
 696 |        <p class="issue" id="issue-94179e25①"><a class="self-link" href="#issue-94179e25①"></a> Find some links.</p>
 697 |      </ul>
 698 |     <li data-md>
 699 |      <p>Documents that support both popup and framing scenarios need to loosen both their cross-origin
 700 | opener policies and framing protections by combining the recommendations above, serving the
 701 | following headers:</p>
 702 | <pre class="lang-http highlight">Cross-Origin-Resource-Policy: same-origin
 703 | <strong>Cross-Origin-Opener-Policy: unsafe-none</strong>
 704 | Vary: Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site
 705 | X-Content-Type-Options: nosniff
 706 | <strong>X-Frame-Options: ALLOWALL</strong>
 707 | </pre>
 708 |      <p>For example:</p>
 709 |      <ul>
 710 |       <li data-md>
 711 |        <p class="issue" id="issue-94179e25②"><a class="self-link" href="#issue-94179e25②"></a> Find some links.</p>
 712 |      </ul>
 713 |    </ol>
 714 |    <h2 class="heading settled" data-level="3" id="considerations"><span class="secno">3. </span><span class="content">Implementation Considerations</span><a class="self-link" href="#considerations"></a></h2>
 715 |    <h3 class="heading settled" data-level="3.1" id="explicit-defaults"><span class="secno">3.1. </span><span class="content">Explicitly Setting Headers with Default Values</span><a class="self-link" href="#explicit-defaults"></a></h3>
 716 |    <p>Several recommendations above suggest that developers would be well-served to set headers like <code>X-Frame-Options: ALLOWALL</code> or <code>Cross-Origin-Opener-Policy: unsafe-none</code> on responses. These
 717 | map to the web’s status quo behavior, and seem therefore superfluous. Why should developers
 718 | set them?</p>
 719 |    <p>The core reason is that these defaults are poor fits for today’s threats, and we ought to be working
 720 | to change them. Proposals like <a data-link-type="biblio" href="#biblio-embedding-requires-opt-in">[EMBEDDING-REQUIRES-OPT-IN]</a> and <a data-link-type="biblio" href="#biblio-coop-by-default">[COOP-BY-DEFAULT]</a> suggest that
 721 | we shift the web’s defaults away from requiring developers to opt-into more secure behaviors by
 722 | making them opt-out rather than opt-in. This would place the configuration cost on those developers
 723 | whose projects require risky settings.</p>
 724 |    <p>This document recommends setting those less-secure header values explicitly, as that makes it more
 725 | likely that we’ll be able to shift the web’s defaults in the future.</p>
 726 |    <h2 class="heading settled" data-level="4" id="acks"><span class="secno">4. </span><span class="content">Acknowledgements</span><a class="self-link" href="#acks"></a></h2>
 727 |    <p>This document relies upon a number of excellent resources that spell out much of the foundation
 728 | of our understanding of Spectre’s implications for the web, and justify the mitigation strategies
 729 | we currently espouse. The following is an incomplete list of those works:</p>
 730 |    <p><a data-link-type="biblio" href="#biblio-application-principals">[APPLICATION-PRINCIPALS]</a>, <a data-link-type="biblio" href="#biblio-long-term-mitigations">[LONG-TERM-MITIGATIONS]</a>, <a data-link-type="biblio" href="#biblio-spectre-shaped-web">[SPECTRE-SHAPED-WEB]</a>, <a data-link-type="biblio" href="#biblio-post-spectre-rethink">[POST-SPECTRE-RETHINK]</a>, <a data-link-type="biblio" href="#biblio-spilling-the-beans">[SPILLING-THE-BEANS]</a>, <a data-link-type="biblio" href="#biblio-cross-origin-embedder-policy">[CROSS-ORIGIN-EMBEDDER-POLICY]</a>, <a data-link-type="biblio" href="#biblio-cross-origin-opener-policy-explainer">[CROSS-ORIGIN-OPENER-POLICY-EXPLAINER]</a>, <a data-link-type="biblio" href="#biblio-coop-coep-explained">[COOP-COEP-EXPLAINED]</a>, <a data-link-type="biblio" href="#biblio-safely-reviving-shared-memory">[SAFELY-REVIVING-SHARED-MEMORY]</a>, <a data-link-type="biblio" href="#biblio-coi-threat-model">[COI-THREAT-MODEL]</a></p>
 731 |   </main>
 732 |   <h2 class="no-ref no-num heading settled" id="conformance"><span class="content">Conformance</span><a class="self-link" href="#conformance"></a></h2>
 733 |   <h3 class="no-ref no-num heading settled" id="conventions"><span class="content">Document conventions</span><a class="self-link" href="#conventions"></a></h3>
 734 |   <p>Conformance requirements are expressed with a combination of
 735 |     descriptive assertions and RFC 2119 terminology. The key words “MUST”,
 736 |     “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”,
 737 |     “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this
 738 |     document are to be interpreted as described in RFC 2119.
 739 |     However, for readability, these words do not appear in all uppercase
 740 |     letters in this specification. </p>
 741 |   <p>All of the text of this specification is normative except sections
 742 |     explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a></p>
 743 |   <p>Examples in this specification are introduced with the words “for example”
 744 |     or are set apart from the normative text with <code>class="example"</code>,
 745 |     like this: </p>
 746 |   <div class="example" id="example-ae2b6bc0">
 747 |    <a class="self-link" href="#example-ae2b6bc0"></a> 
 748 |    <p>This is an example of an informative example.</p>
 749 |   </div>
 750 |   <p>Informative notes begin with the word “Note” and are set apart from the
 751 |     normative text with <code>class="note"</code>, like this: </p>
 752 |   <p class="note" role="note">Note, this is an informative note.</p>
 753 |   <h3 class="no-ref no-num heading settled" id="conformant-algorithms"><span class="content">Conformant Algorithms</span><a class="self-link" href="#conformant-algorithms"></a></h3>
 754 |   <p>Requirements phrased in the imperative as part of algorithms (such as
 755 |     "strip any leading space characters" or "return false and abort these
 756 |     steps") are to be interpreted with the meaning of the key word ("must",
 757 |     "should", "may", etc) used in introducing the algorithm.</p>
 758 |   <p>Conformance requirements phrased as algorithms or specific steps can be
 759 |     implemented in any manner, so long as the end result is equivalent. In
 760 |     particular, the algorithms defined in this specification are intended to
 761 |     be easy to understand and are not intended to be performant. Implementers
 762 |     are encouraged to optimize.</p>
 763 | <script src="https://www.w3.org/scripts/TR/2016/fixup.js"></script>
 764 |   <h2 class="no-num no-ref heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
 765 |   <aside class="dfn-panel" data-for="term-for-header-content-security-policy">
 766 |    <a href="https://www.w3.org/TR/CSP3/#header-content-security-policy">https://www.w3.org/TR/CSP3/#header-content-security-policy</a><b>Referenced in:</b>
 767 |    <ul>
 768 |     <li><a href="#ref-for-header-content-security-policy">2.1. Subresources</a>
 769 |    </ul>
 770 |   </aside>
 771 |   <aside class="dfn-panel" data-for="term-for-frame-ancestors">
 772 |    <a href="https://www.w3.org/TR/CSP3/#frame-ancestors">https://www.w3.org/TR/CSP3/#frame-ancestors</a><b>Referenced in:</b>
 773 |    <ul>
 774 |     <li><a href="#ref-for-frame-ancestors">1.2. TL;DR</a>
 775 |     <li><a href="#ref-for-frame-ancestors①">2.2.3. Documents Expecting Cross-Origin Openers</a>
 776 |    </ul>
 777 |   </aside>
 778 |   <aside class="dfn-panel" data-for="term-for-sandbox">
 779 |    <a href="https://www.w3.org/TR/CSP3/#sandbox">https://www.w3.org/TR/CSP3/#sandbox</a><b>Referenced in:</b>
 780 |    <ul>
 781 |     <li><a href="#ref-for-sandbox">2.1. Subresources</a>
 782 |    </ul>
 783 |   </aside>
 784 |   <aside class="dfn-panel" data-for="term-for-sec-sharedarraybuffer-objects">
 785 |    <a href="https://tc39.es/ecma262/#sec-sharedarraybuffer-objects">https://tc39.es/ecma262/#sec-sharedarraybuffer-objects</a><b>Referenced in:</b>
 786 |    <ul>
 787 |     <li><a href="#ref-for-sec-sharedarraybuffer-objects">2.2.1. Fully-Isolated Documents</a>
 788 |    </ul>
 789 |   </aside>
 790 |   <aside class="dfn-panel" data-for="term-for-corb">
 791 |    <a href="https://fetch.spec.whatwg.org/#corb">https://fetch.spec.whatwg.org/#corb</a><b>Referenced in:</b>
 792 |    <ul>
 793 |     <li><a href="#ref-for-corb">1.2. TL;DR</a>
 794 |     <li><a href="#ref-for-corb①">2.1. Subresources</a>
 795 |    </ul>
 796 |   </aside>
 797 |   <aside class="dfn-panel" data-for="term-for-http-cross-origin-resource-policy">
 798 |    <a href="https://fetch.spec.whatwg.org/#http-cross-origin-resource-policy">https://fetch.spec.whatwg.org/#http-cross-origin-resource-policy</a><b>Referenced in:</b>
 799 |    <ul>
 800 |     <li><a href="#ref-for-http-cross-origin-resource-policy">1.2. TL;DR</a>
 801 |     <li><a href="#ref-for-http-cross-origin-resource-policy①">2.1.2. Dynamic Subresources</a>
 802 |    </ul>
 803 |   </aside>
 804 |   <aside class="dfn-panel" data-for="term-for-http-cross-origin-resource-policy">
 805 |    <a href="https://fetch.spec.whatwg.org/#http-cross-origin-resource-policy">https://fetch.spec.whatwg.org/#http-cross-origin-resource-policy</a><b>Referenced in:</b>
 806 |    <ul>
 807 |     <li><a href="#ref-for-http-cross-origin-resource-policy">1.2. TL;DR</a>
 808 |     <li><a href="#ref-for-http-cross-origin-resource-policy①">2.1.2. Dynamic Subresources</a>
 809 |    </ul>
 810 |   </aside>
 811 |   <aside class="dfn-panel" data-for="term-for-origin-header">
 812 |    <a href="https://fetch.spec.whatwg.org/#origin-header">https://fetch.spec.whatwg.org/#origin-header</a><b>Referenced in:</b>
 813 |    <ul>
 814 |     <li><a href="#ref-for-origin-header">1.2. TL;DR</a>
 815 |    </ul>
 816 |   </aside>
 817 |   <aside class="dfn-panel" data-for="term-for-http-x-content-type-options">
 818 |    <a href="https://fetch.spec.whatwg.org/#http-x-content-type-options">https://fetch.spec.whatwg.org/#http-x-content-type-options</a><b>Referenced in:</b>
 819 |    <ul>
 820 |     <li><a href="#ref-for-http-x-content-type-options">2.1. Subresources</a>
 821 |    </ul>
 822 |   </aside>
 823 |   <aside class="dfn-panel" data-for="term-for-cross-origin-opener-policies">
 824 |    <a href="https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies">https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies</a><b>Referenced in:</b>
 825 |    <ul>
 826 |     <li><a href="#ref-for-cross-origin-opener-policies">1.2. TL;DR</a>
 827 |     <li><a href="#ref-for-cross-origin-opener-policies①">2.1. Subresources</a>
 828 |    </ul>
 829 |   </aside>
 830 |   <aside class="dfn-panel" data-for="term-for-cross-origin-opener-policies">
 831 |    <a href="https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies">https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies</a><b>Referenced in:</b>
 832 |    <ul>
 833 |     <li><a href="#ref-for-cross-origin-opener-policies">1.2. TL;DR</a>
 834 |     <li><a href="#ref-for-cross-origin-opener-policies①">2.1. Subresources</a>
 835 |    </ul>
 836 |   </aside>
 837 |   <aside class="dfn-panel" data-for="term-for-concept-origin-opaque">
 838 |    <a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin-opaque">https://html.spec.whatwg.org/multipage/origin.html#concept-origin-opaque</a><b>Referenced in:</b>
 839 |    <ul>
 840 |     <li><a href="#ref-for-concept-origin-opaque">2.1. Subresources</a>
 841 |    </ul>
 842 |   </aside>
 843 |   <aside class="dfn-panel" data-for="term-for-concept-origin">
 844 |    <a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin">https://html.spec.whatwg.org/multipage/origin.html#concept-origin</a><b>Referenced in:</b>
 845 |    <ul>
 846 |     <li><a href="#ref-for-concept-origin">1. Introduction</a>
 847 |    </ul>
 848 |   </aside>
 849 |   <aside class="dfn-panel" data-for="term-for-dom-window-postmessage-options">
 850 |    <a href="https://html.spec.whatwg.org/multipage/web-messaging.html#dom-window-postmessage-options">https://html.spec.whatwg.org/multipage/web-messaging.html#dom-window-postmessage-options</a><b>Referenced in:</b>
 851 |    <ul>
 852 |     <li><a href="#ref-for-dom-window-postmessage-options">2.2.3. Documents Expecting Cross-Origin Openers</a>
 853 |    </ul>
 854 |   </aside>
 855 |   <aside class="dfn-panel" data-for="term-for-the-x-frame-options-header">
 856 |    <a href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#the-x-frame-options-header">https://html.spec.whatwg.org/multipage/browsing-the-web.html#the-x-frame-options-header</a><b>Referenced in:</b>
 857 |    <ul>
 858 |     <li><a href="#ref-for-the-x-frame-options-header">2.1. Subresources</a>
 859 |    </ul>
 860 |   </aside>
 861 |   <aside class="dfn-panel" data-for="term-for-section-7.1.4">
 862 |    <a href="https://tools.ietf.org/html/rfc7231#section-7.1.4">https://tools.ietf.org/html/rfc7231#section-7.1.4</a><b>Referenced in:</b>
 863 |    <ul>
 864 |     <li><a href="#ref-for-section-7.1.4">2.1. Subresources</a>
 865 |    </ul>
 866 |   </aside>
 867 |   <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
 868 |   <ul class="index">
 869 |    <li>
 870 |     <a data-link-type="biblio">[CSP3]</a> defines the following terms:
 871 |     <ul>
 872 |      <li><span class="dfn-paneled" id="term-for-header-content-security-policy">content-security-policy</span>
 873 |      <li><span class="dfn-paneled" id="term-for-frame-ancestors">frame-ancestors</span>
 874 |      <li><span class="dfn-paneled" id="term-for-sandbox">sandbox</span>
 875 |     </ul>
 876 |    <li>
 877 |     <a data-link-type="biblio">[ecma262]</a> defines the following terms:
 878 |     <ul>
 879 |      <li><span class="dfn-paneled" id="term-for-sec-sharedarraybuffer-objects">SharedArrayBuffer</span>
 880 |     </ul>
 881 |    <li>
 882 |     <a data-link-type="biblio">[FETCH]</a> defines the following terms:
 883 |     <ul>
 884 |      <li><span class="dfn-paneled" id="term-for-corb">cross-origin read blocking</span>
 885 |      <li><span class="dfn-paneled" id="term-for-http-cross-origin-resource-policy">cross-origin resource policy</span>
 886 |      <li><span class="dfn-paneled" id="term-for-http-cross-origin-resource-policy①">cross-origin-resource-policy</span>
 887 |      <li><span class="dfn-paneled" id="term-for-origin-header">origin</span>
 888 |      <li><span class="dfn-paneled" id="term-for-http-x-content-type-options">x-content-type-options</span>
 889 |     </ul>
 890 |    <li>
 891 |     <a data-link-type="biblio">[HTML]</a> defines the following terms:
 892 |     <ul>
 893 |      <li><span class="dfn-paneled" id="term-for-cross-origin-opener-policies">cross-origin opener policy</span>
 894 |      <li><span class="dfn-paneled" id="term-for-cross-origin-opener-policies①">cross-origin-opener-policy</span>
 895 |      <li><span class="dfn-paneled" id="term-for-concept-origin-opaque">opaque origin</span>
 896 |      <li><span class="dfn-paneled" id="term-for-concept-origin">origin</span>
 897 |      <li><span class="dfn-paneled" id="term-for-dom-window-postmessage-options">postMessage(message, options)</span>
 898 |      <li><span class="dfn-paneled" id="term-for-the-x-frame-options-header">x-frame-options</span>
 899 |     </ul>
 900 |    <li>
 901 |     <a data-link-type="biblio">[rfc7231]</a> defines the following terms:
 902 |     <ul>
 903 |      <li><span class="dfn-paneled" id="term-for-section-7.1.4">vary</span>
 904 |     </ul>
 905 |   </ul>
 906 |   <h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
 907 |   <h3 class="no-num no-ref heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
 908 |   <dl>
 909 |    <dt id="biblio-csp3">[CSP3]
 910 |    <dd>Mike West. <a href="https://www.w3.org/TR/CSP3/">Content Security Policy Level 3</a>. 15 October 2018. WD. URL: <a href="https://www.w3.org/TR/CSP3/">https://www.w3.org/TR/CSP3/</a>
 911 |    <dt id="biblio-fetch">[FETCH]
 912 |    <dd>Anne van Kesteren. <a href="https://fetch.spec.whatwg.org/">Fetch Standard</a>. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a>
 913 |    <dt id="biblio-html">[HTML]
 914 |    <dd>Anne van Kesteren; et al. <a href="https://html.spec.whatwg.org/multipage/">HTML Standard</a>. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a>
 915 |    <dt id="biblio-rfc2119">[RFC2119]
 916 |    <dd>S. Bradner. <a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a>
 917 |    <dt id="biblio-rfc7231">[RFC7231]
 918 |    <dd>R. Fielding, Ed.; J. Reschke, Ed.. <a href="https://httpwg.org/specs/rfc7231.html">Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content</a>. June 2014. Proposed Standard. URL: <a href="https://httpwg.org/specs/rfc7231.html">https://httpwg.org/specs/rfc7231.html</a>
 919 |   </dl>
 920 |   <h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
 921 |   <dl>
 922 |    <dt id="biblio-application-principals">[APPLICATION-PRINCIPALS]
 923 |    <dd>Chris Palmer. <a href="https://noncombatant.org/application-principals/">Isolating Application-Defined Principals</a>. 2018-06-19. URL: <a href="https://noncombatant.org/application-principals/">https://noncombatant.org/application-principals/</a>
 924 |    <dt id="biblio-coi-threat-model">[COI-THREAT-MODEL]
 925 |    <dd>Artur Janc. <a href="https://arturjanc.com/coi-threat-model.pdf">Notes on the threat model of cross-origin isolation</a>. 2020-12. URL: <a href="https://arturjanc.com/coi-threat-model.pdf">https://arturjanc.com/coi-threat-model.pdf</a>
 926 |    <dt id="biblio-coop-by-default">[COOP-BY-DEFAULT]
 927 |    <dd>Mike West. <a href="https://github.com/mikewest/coop-by-default">COOP By Default</a>. URL: <a href="https://github.com/mikewest/coop-by-default">https://github.com/mikewest/coop-by-default</a>
 928 |    <dt id="biblio-coop-coep">[COOP-COEP]
 929 |    <dd>Eiji Kitamura. <a href="https://web.dev/coop-coep/">Making your website 'cross-origin isolated' using COOP and COEP</a>. URL: <a href="https://web.dev/coop-coep/">https://web.dev/coop-coep/</a>
 930 |    <dt id="biblio-coop-coep-explained">[COOP-COEP-EXPLAINED]
 931 |    <dd>Artur Janc; Charlie Reis; Anne van Kesteren. <a href="https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit">COOP and COEP Explained</a>. 2020-01-03. URL: <a href="https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit">https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit</a>
 932 |    <dt id="biblio-cross-origin-embedder-policy">[CROSS-ORIGIN-EMBEDDER-POLICY]
 933 |    <dd>Mike West. <a href="https://wicg.github.io/cross-origin-embedder-policy/">Cross-Origin Embedder Policy</a>. 2020-09-29. URL: <a href="https://wicg.github.io/cross-origin-embedder-policy/">https://wicg.github.io/cross-origin-embedder-policy/</a>
 934 |    <dt id="biblio-cross-origin-opener-policy-explainer">[CROSS-ORIGIN-OPENER-POLICY-EXPLAINER]
 935 |    <dd>Charlie Reis; Camille Lamy. <a href="https://docs.google.com/document/d/1Ey3MXcLzwR1T7aarkpBXEwP7jKdd2NvQdgYvF8_8scI/edit">Cross-Origin-Opener-Policy Explainer</a>. 2020-05-24. URL: <a href="https://docs.google.com/document/d/1Ey3MXcLzwR1T7aarkpBXEwP7jKdd2NvQdgYvF8_8scI/edit">https://docs.google.com/document/d/1Ey3MXcLzwR1T7aarkpBXEwP7jKdd2NvQdgYvF8_8scI/edit</a>
 936 |    <dt id="biblio-embedding-requires-opt-in">[EMBEDDING-REQUIRES-OPT-IN]
 937 |    <dd>Mike West. <a href="https://github.com/mikewest/embedding-requires-opt-in">Embedding Should Require Explicit Opt-In</a>. URL: <a href="https://github.com/mikewest/embedding-requires-opt-in">https://github.com/mikewest/embedding-requires-opt-in</a>
 938 |    <dt id="biblio-long-term-mitigations">[LONG-TERM-MITIGATIONS]
 939 |    <dd>Charlie Reis. <a href="https://docs.google.com/document/d/1dnUjxfGWnvhQEIyCZb0F2LmCZ9gio6ogu2rhMGqi6gY/edit">Long-Term Web Browser Mitigations for Spectre</a>. 2019-03-04. URL: <a href="https://docs.google.com/document/d/1dnUjxfGWnvhQEIyCZb0F2LmCZ9gio6ogu2rhMGqi6gY/edit">https://docs.google.com/document/d/1dnUjxfGWnvhQEIyCZb0F2LmCZ9gio6ogu2rhMGqi6gY/edit</a>
 940 |    <dt id="biblio-oopif">[OOPIF]
 941 |    <dd>Chromium. <a href="https://www.chromium.org/developers/design-documents/oop-iframes">Out-of-Process iframes (OOPIFs)</a>. URL: <a href="https://www.chromium.org/developers/design-documents/oop-iframes">https://www.chromium.org/developers/design-documents/oop-iframes</a>
 942 |    <dt id="biblio-orb">[ORB]
 943 |    <dd>Anne van Kesteren. <a href="https://github.com/annevk/orb">Opaque Response Blocking (ORB, aka CORB++)</a>. URL: <a href="https://github.com/annevk/orb">https://github.com/annevk/orb</a>
 944 |    <dt id="biblio-post-spectre-rethink">[POST-SPECTRE-RETHINK]
 945 |    <dd>Chromium. <a href="https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md">Post-Spectre Threat Model Re-Think</a>. URL: <a href="https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md">https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md</a>
 946 |    <dt id="biblio-project-fission">[PROJECT-FISSION]
 947 |    <dd>Mozilla. <a href="https://wiki.mozilla.org/Project_Fission">Project Fission</a>. URL: <a href="https://wiki.mozilla.org/Project_Fission">https://wiki.mozilla.org/Project_Fission</a>
 948 |    <dt id="biblio-resource-isolation-policy">[RESOURCE-ISOLATION-POLICY]
 949 |    <dd>XSLeaks Wiki. <a href="https://xsleaks.dev/docs/defenses/isolation-policies/resource-isolation/">Resource Isolation Policy</a>. URL: <a href="https://xsleaks.dev/docs/defenses/isolation-policies/resource-isolation/">https://xsleaks.dev/docs/defenses/isolation-policies/resource-isolation/</a>
 950 |    <dt id="biblio-safely-reviving-shared-memory">[SAFELY-REVIVING-SHARED-MEMORY]
 951 |    <dd>Anne van Kesteren. <a href="https://hacks.mozilla.org/2020/07/safely-reviving-shared-memory/">Safely reviving shared memory</a>. 2020-07-21. URL: <a href="https://hacks.mozilla.org/2020/07/safely-reviving-shared-memory/">https://hacks.mozilla.org/2020/07/safely-reviving-shared-memory/</a>
 952 |    <dt id="biblio-site-isolation">[SITE-ISOLATION]
 953 |    <dd>Chromium. <a href="https://www.chromium.org/Home/chromium-security/site-isolation">Site Isolation</a>. URL: <a href="https://www.chromium.org/Home/chromium-security/site-isolation">https://www.chromium.org/Home/chromium-security/site-isolation</a>
 954 |    <dt id="biblio-spectre">[SPECTRE]
 955 |    <dd>Paul Kocher; et al. <a href="https://ieeexplore.ieee.org/document/8835233">Spectre Attacks: Exploiting Speculative Execution</a>. May 2019. URL: <a href="https://ieeexplore.ieee.org/document/8835233">https://ieeexplore.ieee.org/document/8835233</a>
 956 |    <dt id="biblio-spectre-shaped-web">[SPECTRE-SHAPED-WEB]
 957 |    <dd>Anne van Kesteren. <a href="https://docs.google.com/presentation/d/1sadl7jTrBIECCanuqSrNndnDr82NGW1yyuXFT1Dc7SQ/edit#slide=id.p">A Spectre-shaped Web</a>. 2019-04-16. URL: <a href="https://docs.google.com/presentation/d/1sadl7jTrBIECCanuqSrNndnDr82NGW1yyuXFT1Dc7SQ/edit#slide=id.p">https://docs.google.com/presentation/d/1sadl7jTrBIECCanuqSrNndnDr82NGW1yyuXFT1Dc7SQ/edit#slide=id.p</a>
 958 |    <dt id="biblio-spilling-the-beans">[SPILLING-THE-BEANS]
 959 |    <dd>Artur Janc; Mike West. <a href="https://www.arturjanc.com/cross-origin-infoleaks.pdf">How do we Stop Spilling The Beans Across Origins?</a>. 2018-05-16. URL: <a href="https://www.arturjanc.com/cross-origin-infoleaks.pdf">https://www.arturjanc.com/cross-origin-infoleaks.pdf</a>
 960 |   </dl>
 961 |   <h2 class="no-num no-ref heading settled" id="issues-index"><span class="content">Issues Index</span><a class="self-link" href="#issues-index"></a></h2>
 962 |   <div style="counter-reset:issue">
 963 |    <div class="issue"> <a data-link-type="biblio" href="#biblio-coi-threat-model">[COI-THREAT-MODEL]</a> spells out more implications. Bring them in here for more nuance.<a href="#issue-340f57a5"> ↵ </a></div>
 964 |    <div class="issue"> Describe these mitigations in more depth, swiping liberally from <a href="https://docs.google.com/document/d/1JBUaX1xSOZRxBk5bRNZWgnzyJoCQC52TIRokACBSmGc/edit?resourcekey=0-cZ7da6v52enjwRSsp_tLyQ">Notes on the threat model of <em>cross-origin isolation</em></a>, <a href="https://docs.google.com/document/d/1zDlfvfTJ_9e8Jdc8ehuV4zMEu9ySMCiTGMS9y0GU92k/edit">Safely reviving shared memory</a>, etc.<a href="#issue-db0b0c7b"> ↵ </a></div>
 965 |    <div class="issue"> If we implemented more granular bindings for CORP headers (along
 966 |     the lines of <code>Cross-Origin-Resource-Policy: https://trusted.example</code>), we could avoid this
 967 |     tradeoff entirely. <a href="https://github.com/whatwg/fetch/issues/760">&lt;https://github.com/whatwg/fetch/issues/760></a><a href="#issue-ae9c0065"> ↵ </a></div>
 968 |    <div class="issue"> Find some links.<a href="#issue-94179e25"> ↵ </a></div>
 969 |    <div class="issue"> Find some links.<a href="#issue-94179e25①"> ↵ </a></div>
 970 |    <div class="issue"> Find some links.<a href="#issue-94179e25②"> ↵ </a></div>
 971 |   </div>
 972 | <script>/* script-dfn-panel */
 973 | 
 974 | document.body.addEventListener("click", function(e) {
 975 |     var queryAll = function(sel) { return [].slice.call(document.querySelectorAll(sel)); }
 976 |     // Find the dfn element or panel, if any, that was clicked on.
 977 |     var el = e.target;
 978 |     var target;
 979 |     var hitALink = false;
 980 |     while(el.parentElement) {
 981 |         if(el.tagName == "A") {
 982 |             // Clicking on a link in a <dfn> shouldn't summon the panel
 983 |             hitALink = true;
 984 |         }
 985 |         if(el.classList.contains("dfn-paneled")) {
 986 |             target = "dfn";
 987 |             break;
 988 |         }
 989 |         if(el.classList.contains("dfn-panel")) {
 990 |             target = "dfn-panel";
 991 |             break;
 992 |         }
 993 |         el = el.parentElement;
 994 |     }
 995 |     if(target != "dfn-panel") {
 996 |         // Turn off any currently "on" or "activated" panels.
 997 |         queryAll(".dfn-panel.on, .dfn-panel.activated").forEach(function(el){
 998 |             el.classList.remove("on");
 999 |             el.classList.remove("activated");
1000 |         });
1001 |     }
1002 |     if(target == "dfn" && !hitALink) {
1003 |         // open the panel
1004 |         var dfnPanel = document.querySelector(".dfn-panel[data-for='" + el.id + "']");
1005 |         if(dfnPanel) {
1006 |             dfnPanel.classList.add("on");
1007 |             var rect = el.getBoundingClientRect();
1008 |             dfnPanel.style.left = window.scrollX + rect.right + 5 + "px";
1009 |             dfnPanel.style.top = window.scrollY + rect.top + "px";
1010 |             var panelRect = dfnPanel.getBoundingClientRect();
1011 |             var panelWidth = panelRect.right - panelRect.left;
1012 |             if(panelRect.right > document.body.scrollWidth && (rect.left - (panelWidth + 5)) > 0) {
1013 |                 // Reposition, because the panel is overflowing
1014 |                 dfnPanel.style.left = window.scrollX + rect.left - (panelWidth + 5) + "px";
1015 |             }
1016 |         } else {
1017 |             console.log("Couldn't find .dfn-panel[data-for='" + el.id + "']");
1018 |         }
1019 |     } else if(target == "dfn-panel") {
1020 |         // Switch it to "activated" state, which pins it.
1021 |         el.classList.add("activated");
1022 |         el.style.left = null;
1023 |         el.style.top = null;
1024 |     }
1025 | 
1026 | });
1027 | </script>
1028 | 


--------------------------------------------------------------------------------