Camille Lamy

I am writing on behalf of Chrome Security OWP, and we would like to deprecate this in Chrome.

Yes this is the same kind of checks. While changing Agent Cluster keying is the better long term solution, this requires both usage of document.domain and WASM module sharing to...

The problem is that COI might not be enough. IIUC the attack surface, cross-origin iframes might be impacted as well. That does not fit in our current threat model for...

Our reasoning is abased on the fact that most of the information about CORP mentions that if you set it to cross-origin, cross-origin resources can read your resource. Eg. MDN:...

Thanks! I like the direction this proposal is going. In particular, removing `domainLookupStart` and `domainLookupEnd` from TAO is a good thing, as they relate to the state to the user's...

One possibility could be to apply the restrictions only when COEP is enabled - i.e. create a COOP of same-origin-allow-popups-plus-coep which enables crossOriginIsolated. Then we can treat the fact that...

@arturjanc I am talking about both changes. Basically, the idea is that we create a new value of COOP, `same-origin-allow-popups-plus-coep`. This is set when a top level document sends a...

Hey folks, I have put together an [explainer](https://github.com/camillelamy/explainers/blob/master/coi-with-popups.md) for allowing COOP same-origin-allow-popups + COEP to make pages crossOriginIsolated. @annevk @domenic I'd appreciate your feedback!

Coming back to the issue of the security impact of this, we are unfortunately in a position where our security against cross-site data leaks is best-effort . Spectre attacks are...

The problem for changing the COOP spec is that there is no way for the browser to distinguish between "I used document.write to open a popup without a referrer" and...