Sketch out a CORP-only mode.

[mikewest]

A straw-proposal to flesh out the discussion in whatwg/html#4175 (comment).

[annevk]

My main worry here is still that depending on how things shake out long term this could effectively be CORS, without it being clear and without the additional credentials opt-in we require there. (I.e., this is as simple to configure as Access-Control-Allow-Origin: * while potentially having greater risk.)

[annevk]

This should explain why the auxiliary navigating the non-auxiliary is not a problem.

[mikewest]

Well, hrm. I guess that actually is a problem without process isolation. attacker.site could open attacker.site in a new window, the latter could navigate the former to victim.site, and sadness would ensue. Perhaps this should instead ask whether we're navigating within a unit of related browsing contexts? Or whatever the new hotness is? "User agent cluster"?

[annevk]

Without process isolation on the agent cluster level, right.

I think the navigation checks only make sense when the flag is set on a document. And that flag only makes sense if COOP is also set. (COOP guaranteeing process isolation on the browsing context group level.)

[annevk]

New hotness background:

• https://html.spec.whatwg.org/#integration-with-the-javascript-agent-cluster-formalism
• https://html.spec.whatwg.org/#groupings-of-browsing-contexts
• Imperative allocation of agent clusters html#4361

[annevk]

Is this what we want? I kinda feel like an erroneous policy should fail closed when this TBD boolean is set.

[mikewest]

I want to be able to support new values for this header in the future (for example, a list of origins a la #760). I'm happy to tighten this up, but I'd like to figure out how to do so in a forward-compatible way.

[annevk]

I guess the question then is what the migration strategy has to be. In equivalent cases we've failed for potentially new syntax and new servers will have to update (e.g., all the recentish and proposed CORS changes).

[annevk]

9ff55e4 from PR #1030 addressed this.