Changing the Origin-Agent-Cluster default, aka deprecating document.domain #601

Closed
otherdaniel opened this issue Dec 9, 2021 · 3 comments
Labels
position: positive venue: WHATWG Specifications in a WHATWG Workstream

Comments

@otherdaniel

Request for Mozilla Position on an Emerging Web Specification

This would be a modification to https://html.spec.whatwg.org/multipage/origin.html#origin-isolation, specifying that an absent (or malformed) header is to be treated like the ?1 case. Plus corresponding editorial changes in create and initialize a Document object. This has the effects of:

  1. Turning Origin-Agent-Cluster: from an opt-in into an opt-out mechanism.
  2. Modifying usage of document.domain to relax same-origin restrictions becomes an opt-in feature. (You'd have to explicitly set Origin-Agent-Cluster: ?0 to keep using it.)
  3. With origin-keyed agent clustering being allowable by default, browsers should be able to origin-isolate many more pages. (Or at least, have document.domain no longer be in the way.)

Other information

TAG discussion on the subject: w3ctag/design-reviews#564
HTML Spec on Origin-Agent-Cluster: https://html.spec.whatwg.org/multipage/origin.html#origin-isolation
HTML Spec on document.domain: https://html.spec.whatwg.org/#relaxing-the-same-origin-restriction
HTML Spec on initialising a document: https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object

Chromium plans to issue a deprecation warning for mutating document.domain soon-ish, with the goal of paving the way for this.
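
The header semantics described in the request above, as an added example (not part of the original issue, the HTML spec text, or any browser's code): it evaluates an `Origin-Agent-Cluster` value under the opt-in default and under the proposed opt-out default, then lists the pages whose behaviour changes. The function names, the sample URLs and the simplified boolean parser are assumptions made for illustration.

```javascript
// Simplified Structured Field boolean parse (assumption: not a full RFC 8941
// parser). Returns true for "?1", false for "?0", null if absent or malformed.
function parseOacHeader(value) {
  if (value === null || value === undefined) return null;
  const m = /^\?([01])(?:\s*;.*)?$/.exec(String(value).trim());
  return m ? m[1] === "1" : null;
}

// Whether the page ends up requesting origin-keyed agent clustering.
// defaultOriginKeyed = false: header is opt-in (absent/malformed => not requested).
// defaultOriginKeyed = true:  proposed default (absent/malformed => treated like ?1).
function originKeyedRequested(value, defaultOriginKeyed) {
  const parsed = parseOacHeader(value);
  return parsed === null ? defaultOriginKeyed : parsed;
}

// Returns the URLs whose outcome differs between the two defaults, i.e. the
// pages that can no longer rely on document.domain unless they send "?0".
function affectedByDefaultChange(responses) {
  return responses
    .filter(r => originKeyedRequested(r.header, false) !==
                 originKeyedRequested(r.header, true))
    .map(r => r.url);
}

// Constructed sample inventory (hypothetical URLs and header values).
const sample = [
  { url: "https://app.example/", header: null },        // header absent
  { url: "https://legacy.example/", header: "?0" },     // explicit opt-out
  { url: "https://isolated.example/", header: "?1" },   // explicit opt-in
  { url: "https://typo.example/", header: "true" },     // malformed value
];

console.log(affectedByDefaultChange(sample));
```

Only the pages with an absent or malformed header change behaviour; a site that still depends on `document.domain` keeps its current behaviour by sending `?0` explicitly.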

@annevk annevk added the venue: WHATWG Specifications in a WHATWG Workstream label Dec 13, 2021
@annevk
Contributor

annevk commented Dec 13, 2021

Thanks for asking @otherdaniel!

I think this is worth prototyping, similar to Origin-Keyed Agent Clusters itself: https://mozilla.github.io/standards-positions/#domenic-origin-isolation. While there is some potential for website breakage, those websites can address this by setting the HTTP header. Meanwhile, all other websites benefit from the improved security boundary.

I don't think a dashboard entry is needed for this.

I'll keep this open for a bit to see if there are any other comments.

@bholley
Collaborator

bholley commented Dec 15, 2021

I am strongly in favor of deprecating document.domain.

@annevk
Contributor

annevk commented Dec 17, 2021

worth prototyping it is.

@annevk annevk closed this as completed Dec 17, 2021
@zcorpan zcorpan changed the title Request for Position: Changing the Origin-Agent-Cluster default, aka deprecating document.domain. Changing the Origin-Agent-Cluster default, aka deprecating document.domain Oct 18, 2024