Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

New Glossary: Cross-Origin isolation #37287

Open
skyclouds2001 opened this issue Dec 20, 2024 · 7 comments
Open

New Glossary: Cross-Origin isolation #37287

skyclouds2001 opened this issue Dec 20, 2024 · 7 comments
Labels
needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened.

Comments

@skyclouds2001
Copy link
Contributor

skyclouds2001 commented Dec 20, 2024

MDN URL

none

What specific section or headline is this issue about?

No response

What information was incorrect, unhelpful, or incomplete?

add a glossary for Cross-Origin isolation, see #36780

What did you expect to see?

same as above

Do you have any supporting links, references, or citations?

https://blog.stackblitz.com/posts/cross-browser-with-coop-coep/ a link for reference

Do you have anything more you want to share?

No response

@skyclouds2001 skyclouds2001 added the needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened. label Dec 20, 2024
@hamishwillee
Copy link
Collaborator

hamishwillee commented Dec 20, 2024

I'm supportive of this idea. If we do this it should take much of the information from https://developer.mozilla.org/en-US/docs/Web/API/Window/crossOriginIsolated , and link that and the Worker equivalent. It should also link the https://blog.stackblitz.com/posts/cross-browser-with-coop-coep/ , which while a little out of data w.r.t. browser support is a really good overview of the practical implications of all this stuff for real users at scale.

My only concern is what we leave in the Window.crossOriginIsolated topic. Duplication is not ideal. Also note that many of the places that link to Window.crossOriginIsolated would now link to the glossary.

I think we just move most of the information.

@wbamberg
Copy link
Collaborator

I am planning to write something long-form about this whole issue (xs leaks, Spectre, COOP, COEP etc). I'm not that convinced a glossary entry is quite the right vehicle as it's kind of a complicated topic. But since I'm not going to get around to this any time soon, so I'm not going to stop anyone writing a glossary entry in the meantime.

(In general I'm not sure when we should decide to make something a glossary entry or something else. I think the ideal glossary entry is something pretty short that really defines some piece of technical jargon, especially then it's cross-technology. Sometimes I think we have glossary entries that ought to be longer-form, and e.g. I just deleted the "clickjacking" glossary entry in favour of a guide page, and will probably try to do the same with the XSS page. But maybe I shouldn't? Maybe we should have short glossary pages that point to long-form explanations? I'm not sure.)

@Josh-Cena
Copy link
Member

I agree Glossary should only be for concepts that cannot be adequately placed anywhere else. For example, "ASCII", "Git", or "OOP" are good candidates. However, we should prefer to colocate concepts with their references wherever possible to avoid making glossary bloat up infinitely.

@hamishwillee
Copy link
Collaborator

Those are reasonable views to take, and philosophically I agree.

Pragmatically I think it would be good now to reduce the duplication, and a glossary topic is a reasonable solution for that. When/if a longer form topic exists in the HTTP space for this, it could replace such a glossary topic - provided it still provides a concise link end point for what cross-origin isolation means.

Or we could wait.

@Josh-Cena
Copy link
Member

I would think crossOriginIsolated is a good enough source to link to, personally.

@skyclouds2001
Copy link
Contributor Author

I would think crossOriginIsolated is a good enough source to link to, personally.

But note it is two pages: Window.crossOriginIsolated and WorkerGlobalScope.crossOriginIsolated, where infomation are duplicated between the two properties.

The cross-origin isolation glossary page can store info about how to be cross-origin isolation and features managed by cross-origin isolation, etc. Then those info could remove from the two pages and simply and a link to the glossary page. So this can reduce the duplicated info.

see also #6856

@Josh-Cena
Copy link
Member

But note it is two pages: Window.crossOriginIsolated and WorkerGlobalScope.crossOriginIsolated, where infomation are duplicated between the two properties.

It doesn't have to. Many Window pages are more complete than WorkerGlobalScope counterparts. We can simply say "for more information, see the Window page instead"; I doubt people are reading the WorkerGlobalScope ones without checking the Window ones anyway.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs triage Triage needed by staff and/or partners. Automatically applied when an issue is opened.
Projects
None yet
Development

No branches or pull requests

4 participants