From 0567e38a2342ca2a18fda19b7338b7f8c9afacc8 Mon Sep 17 00:00:00 2001
From: Yoav Weiss
Other risks from same-origin applications include: Same-origin requests fetching the document's content — could be mitigated through
- Fetch Metadata filtering.
Same-origin framing - could be mitigated through X-Frame-Options
or CSP
frame-ancestors
.
JavaScript accessible cookies - can be mitigated by ensuring all cookies are httponly
.
localStorage access to sensitive data.
Service worker installation.
Cache API manipulation or access to sensitive data.
postMessage
or BroadcastChannel
messaging that
exposes sensitive information.
Autofill which may not require user interaction for same-origin documents.
If activeDocumentCOOPValue is "noopener-allow-popups
" and
- responseCOOPValue is "same-origin-allow-popups
" or "unsafe-none
", then return false.
If activeDocumentCOOPValue is "noopener-allow-popups
", then:
If responseCOOPValue is "unsafe-none
", then return false.
If responseCOOPValue is "same-origin-allow-popups
" and
+ activeDocumentNavigationOrigin is same origin with
+ responseOrigin, then return false.
If all of the following are true:
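Review bot: In the added sub-step for responseCOOPValue "same-origin-allow-popups", the outcome when activeDocumentNavigationOrigin is not same origin with responseOrigin is left implicit. The removed step returned false for every "same-origin-allow-popups" response when activeDocumentCOOPValue is "noopener-allow-popups"; the new wording returns false only for the same-origin case and otherwise falls through to "If all of the following are true:". That fall-through is the security-relevant behaviour change here, so consider adding a short non-normative note after the sub-step saying that a cross-origin "same-origin-allow-popups" response is intentionally not exempted and continues to the later checks, so implementers do not read the missing branch as an oversight. The nesting itself is welcome, since it removes the ambiguous "A and B or C" reading of the removed condition.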
@@ -143647,6 +143657,9 @@ INSERT INTERFACES HERE