Make cross-origin-isolation an implementation-defined consequence of COOP + COEP?

[ArthurSonzogni]

The specification requires COOP + COEP to give access to crossOriginIsolated capabilities like SharedArrayBuffer.

Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However the are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present.

We would like to enforce COEP (and maybe COOP) on all platforms, despite the lack of crossOriginIsolated capabilities.

Should we make the specification to allow (instead of requiring) platform to set the crossOriginIsolated flag when COOP+COEP are used?

This would make crossOriginIsolated to be platform dependent. In exchange, we could enforce COEP (and COOP) in a non platform dependent way, without conflicting with the specification about crossOriginIsolated.

FYI: @whatwg/cross-origin-isolation @annevk @domenic @mikewest @camillelamy @hemeryar

[annevk]

I think that's reasonable. It definitely seems preferable to not supporting COOP/COEP. I wonder if as part of this we should spell it out a bit more that an agent cluster with its cross-origin isolated flag set cannot share a process with an agent cluster that does not have that set (or is from a different site), but that's all rather architecture specific. Hmm.

[ArthurSonzogni]

Thanks for your reply!

I think I will try updating the specifications myself and see what feedback I will get.
This will be my first time trying to edit the spec, so it might take some days. It's good starting with something simple like this.