
Issue 904351

Starred by 4 users

Issue metadata

Status: Started
Owner:
Buried. Ping if important.
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 3
Type: Feature

Blocking:
issue 900995




Enable Feature Policy control over setting `document.domain`.

Project Member Reported by mkwst@chromium.org, Nov 12

Issue description

`document.domain` is an unfortunate API with security implications (among others, it makes true origin isolation difficult to deploy (hence "Site Isolation")). We should give developers the ability to opt-out of it, with the goal of deprecating the feature over time, similar conceptually to sync XHR.
 
Components: Blink>FeaturePolicy Blink>SecurityFeature
Cc: mbolohan@chromium.org creis@chromium.org alex...@chromium.org nasko@chromium.org
Components: Internals>Sandbox>SiteIsolation

Nice! Thanks for pushing forward with this!

I was under the impression that Feature Policy is document-wide rather than origin-wide, though.  Is that the case here?

If it's not origin-wide, then it's possible for another document in the same origin to still modify document.domain, and thus we wouldn't be able to safely use origin-level process isolation (as opposed to Site Isolation).  Would be great if I'm mistaken, though.  :)
Cc: vogelheim@chromium.org

creis@: This feature policy toggle is, indeed, document-centric. I don't think you'll be able to use it for origin-level process isolation until we're also shipping origin policy's feature-policy integration.

vogelheim@ has a behind-a-flag implementation of that up at https://chromium-review.googlesource.com/c/chromium/src/+/1202202. It would be great if y'all could collaborate with him to make sure the data can be exposed at whatever point during navigation you'll need it in order to make decisions about where to commit things.
Blocking: 900995
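
The concern raised in the comments above, that a document-level opt-out still lets another document of the same origin set `document.domain`, modeled as an added example (not part of the issue thread and not Chromium code). It is a simplified model of the HTML specification's "same origin-domain" check; the `Doc` class, the `domainSetterAllowed` flag and the `example.test` hosts are assumptions, and the public-suffix check on the setter is omitted.

```javascript
// Constructed model: an origin is (scheme, host, port, domain); domain is null
// until a document sets document.domain.
class Doc {
  constructor(url, { domainSetterAllowed = true } = {}) {
    const u = new URL(url);
    this.scheme = u.protocol;
    this.host = u.hostname;
    this.port = u.port;
    this.domain = null;
    // Hypothetical per-document policy decision (document-centric, as in the thread).
    this.domainSetterAllowed = domainSetterAllowed;
  }
  // Simplified setter: the value must be the host itself or a parent-domain suffix.
  setDomain(value) {
    if (!this.domainSetterAllowed) throw new Error("SecurityError: disabled by policy");
    if (this.host !== value && !this.host.endsWith("." + value)) {
      throw new Error("SecurityError: not a suffix of the host");
    }
    this.domain = value;
  }
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Synchronous script access between documents is gated on this check.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return false;
}

function demo() {
  const optedOut = new Doc("https://app.example.test/a", { domainSetterAllowed: false });
  const sibling = new Doc("https://app.example.test/b"); // same origin, no policy set
  const other = new Doc("https://cdn.example.test/c");   // different origin, same site
  let blocked = false;
  try { optedOut.setDomain("example.test"); } catch (e) { blocked = true; }
  sibling.setDomain("example.test");
  other.setDomain("example.test");
  return {
    blocked,                                                 // opt-out works for its own document
    sharesOriginWithSibling: sameOrigin(optedOut, sibling),  // both are app.example.test
    siblingReachesOther: sameOriginDomain(sibling, other),   // cross-origin access still possible
    optedOutReachesOther: sameOriginDomain(optedOut, other),
  };
}
```

Because `sibling` belongs to the same origin as `optedOut` and can still become scriptable by `cdn.example.test`, a process allocator that only sees the per-document policy cannot treat `app.example.test` as isolated at origin granularity.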
