Add the cross-origin isolated primitive

A top-level navigation response with Cross-Origin-Opener-Policy set to same-origin and Cross-Origin-Embedder-Policy set to require-corp will create a cross-origin isolated browsing context group. And all agent clusters therein will be cross-origin isolated as well (shared and service workers can still not be, as they sit on the side).

This change also:

* Gates SharedArrayBuffer exposure behind that primitive for web compatibility reasons.
* Gates SharedArrayBuffer sharing behind that primitive.
* Exposes it through self.crossOriginIsolated.
* Makes document.domain return before it mutates the origin.
* Makes agent clusters keyed on origin.

Tests:

* web-platform-tests/wpt#17719
* web-platform-tests/wpt#17760
* web-platform-tests/wpt#17761
* web-platform-tests/wpt#17802
* web-platform-tests/wpt#17909
* web-platform-tests/wpt#18543
* web-platform-tests/wpt#20116
* web-platform-tests/wpt#22358

Closes #4732. Closes #5122. Closes #5444.

Follow-up: #5435.

Author: annevk

source

@@ -8002,13 +8002,24 @@ interface <dfn>DOMStringList</dfn> {
       <p>If ! <span>IsSharedArrayBuffer</span>(<var>value</var>) is true, then:
 
       <ol>
+       <li><p>Let <var>agentCluster</var> be the <span>surrounding agent</span>'s
+       <span>agent cluster</span>.</p></li>
+
+       <li>
+        <p>If <var>agentCluster</var>'s <span>cross-origin isolated</span> is false, then throw a
+        <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>
+
+        <p class="note">This check is only needed when serializing (and not when deserializing) as
+        <span>cross-origin isolated</span> cannot change over time and a
+        <code>SharedArrayBuffer</code> cannot leave an <span>agent cluster</span>.</p>
+       </li>
+
        <li><p>If <var>forStorage</var> is true, then throw a
        <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p></li>
 
        <li><p>Set <var>serialized</var> to { [[Type]]: "SharedArrayBuffer", [[ArrayBufferData]]:
        <var>value</var>.[[ArrayBufferData]], [[ArrayBufferByteLength]]: <var>size</var>,
-       [[AgentCluster]]: the <span>current Realm Record</span>'s corresponding <span>agent
-       cluster</span> }.</p></li>
+       [[AgentCluster]]: <var>agentCluster</var> }.</p></li>
       </ol>
      </li>
 
@@ -77229,10 +77240,6 @@ console.assert(iframeWindow.frameElement === null);
   <p>A <span>browsing context group</span> has a <dfn data-x="bcg cross-origin
   isolated">cross-origin isolated</dfn> boolean. It is initially false.</p>
 
-  <p class="XXX">The impact of <span data-x="bcg cross-origin isolated">cross-origin
-  isolated</span> is under discussion in <a href="https://github.com/whatwg/html/pull/4734">issue
-  #4734</a>.</p>
-
   <p>To <dfn data-x="creating a new browsing context group">create a new browsing context
   group</dfn>, run these steps:</p>
 
@@ -79650,6 +79657,9 @@ interface <dfn>BarProp</dfn> {
    a registrable domain suffix of and is not equal to</span> <var>effectiveDomain</var>, then throw
    a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
+   <li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
+   isolated</span> is true, then return.</p></li>
+
    <li><p>Set this <code>Document</code> object's <span>origin</span>'s <span
    data-x="concept-origin-domain">domain</span> to the result of <span data-x="host
    parser">parsing</span> the given value.</p></li>
@@ -86819,6 +86829,10 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
     <p>Contains various <code>Window</code> objects which can potentially reach each other, either
     directly or by using <code data-x="dom-document-domain">document.domain</code>.</p>
 
+    <p>If the encompassing <span>agent cluster</span>'s <span>cross-origin isolated</span> is true,
+    then all the <code>Window</code> objects will be <span>same origin</span>, can reach each other,
+    and <code data-x="dom-document-domain">document.domain</code> will no-op.</p>
+
     <p class="note">Two <code>Window</code> objects that are <span>same origin</span> can be in
     different <span data-x="similar-origin window agent">similar-origin window agents</span>, for
     instance if they are each in their own <span>browsing context group</span>.</p>
@@ -86897,51 +86911,44 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
   ensure that web developers see interoperable behavior with regard to shared memory, even in the
   face of varying and changing user agent process models.</p>
 
+  <p>An <span>agent cluster</span> has an associated <dfn>cross-origin isolated</dfn> (a boolean),
+  which is initially false.</p>
+
+
   <div w-nodev>
 
   <hr>
 
   <p>The following defines the allocation of the <span data-x="agent cluster">agent clusters</span>
   of <span data-x="similar-origin window agent">similar-origin window agents</span>.</p>
 
-  <p>An <dfn>agent cluster key</dfn> is a <span>site</span>.</p>
-
-  <p class="XXX"><a href="https://github.com/whatwg/html/pull/4734">whatwg/html #4734</a> is
-  expected to widen <span>agent cluster key</span> (but not <span>site</span>) to encompass all
-  <span data-x="concept-origin-tuple">tuple origins</span>.</p>
-
-  <p>To <dfn data-x="obtain-agent-cluster-key">obtain an agent cluster key</dfn>, given an origin
-  <var>origin</var>, return the result of <span data-x="obtain a site">obtaining a site</span> with
-  <var>origin</var>.</p>
+  <p>An <dfn>agent cluster key</dfn> is a <span>site</span> or <span
+  data-x="concept-origin-tuple">tuple origin</span> whose <span
+  data-x="concept-origin-host">host</span>'s <span>registrable domain</span> is non-null. I.e., an
+  <span>agent cluster key</span> can be any <span>origin</span>.</p>
 
   <p>To <dfn data-x="obtain-similar-origin-window-agent">obtain a similar-origin window agent</dfn>,
   given an <span>origin</span> <var>origin</var> and <span>browsing context group</span>
   <var>group</var>, run these steps:</p>
 
   <ol>
-   <li><p>Let <var>clusterKey</var> be the result of <span
-   data-x="obtain-agent-cluster-key" data-export="">obtaining an agent cluster key</span> given
-   <var>origin</var>.</p></li>
-
-   <li><p>Let <var>agentCluster</var> be the result of <span
-   data-x="obtain-browsing-agent-cluster">obtaining a browsing context agent cluster</span> with
-   <var>group</var> and <var>clusterKey</var>.</p></li>
+   <li><p>Let <var>clusterKey</var> be the result of <span data-x="obtain a site">obtaining a
+   site</span> with <var>origin</var>.</p></li>
 
-   <li><p>Return the single <span>similar-origin window agent</span> contained in
-   <var>agentCluster</var>.</p></li>
-  </ol>
-
-  <p>To <dfn data-x="obtain-browsing-agent-cluster">obtain a browsing context agent cluster</dfn>,
-  given a <span>browsing context group</span> <var>group</var> and <span>agent cluster key</span>
-  <var>key</var>, run these steps:</p>
+   <li><p>If <var>group</var>'s <span data-x="bcg cross-origin isolated">cross-origin
+   isolated</span> is true, then set <var>clusterKey</var> to <var>origin</var>.</p></li>
 
-  <ol>
    <li>
     <p>If <var>group</var>'s <span>agent cluster map</span>[<var>key</var>] <span data-x="map
     exists">does not exist, then:</span></p>
+
     <ol>
      <li><p>Let <var>agentCluster</var> be a new <span>agent cluster</span>.</p></li>
 
+     <li><p>If <var>group</var>'s <span data-x="bcg cross-origin isolated">cross-origin
+     isolated</span> is true, then set <var>agentCluster</var>'s <span>cross-origin isolated</span>
+     to true.</p></li>
+
      <li><p>Add the result of <span data-x="create an agent">creating an agent</span>, given false,
      to <var>agentCluster</var>.</p></li>
 
@@ -86950,7 +86957,8 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
     </ol>
    </li>
 
-   <li><p>Return <var>group</var>'s <span>agent cluster map</span>[<var>key</var>].</p></li>
+   <li><p>Return the single <span>similar-origin window agent</span> contained in <var>group</var>'s
+   <span>agent cluster map</span>[<var>key</var>].</p></li>
   </ol>
 
   <p class="note">This means that there is only one <span>similar-origin window agent</span> per
@@ -87304,6 +87312,19 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
    is not yet defined in the JavaScript specification; see <a
    href="https://github.com/tc39/ecma262/issues/1357">tc39/ecma262#1357</a>.</span></p></li>
 
+   <li><p>Let <var>crossOriginIsolated</var> be <var>agent</var>'s <span>agent cluster</span>'s
+   <span>cross-origin isolated</span>.</p></li>
+
+   <li>
+    <p>If <var>crossOriginIsolated</var> is false, then remove the own property with name "<code
+    data-x="">SharedArrayBuffer</code>" from <var>realm</var>'s <span>global object</span>.</p>
+
+    <p class="note">This is done for compatibility with web content and there is some hope that this
+    can be removed in the future. Web developers can still get at the constructor through
+    <code data-x="">new WebAssembly.Memory({ shared:true, initial:0, maximum:0
+    }).buffer.constructor</code>.</p>
+   </li>
+
    <li><p>Return <var>realm execution context</var>.</p></li>
   </ol>
 
@@ -92109,6 +92130,7 @@ interface mixin <dfn>DocumentAndElementEventHandlers</dfn> {
 interface mixin <dfn>WindowOrWorkerGlobalScope</dfn> {
   [Replaceable] readonly attribute USVString <span data-x="dom-origin">origin</span>;
   readonly attribute boolean <span data-x="dom-isSecureContext">isSecureContext</span>;
+  readonly attribute boolean <span data-x="dom-crossOriginIsolated">crossOriginIsolated</span>;
 
   // base64 utility methods
   DOMString <span data-x="dom-btoa">btoa</span>(DOMString data);
@@ -92132,13 +92154,21 @@ interface mixin <dfn>WindowOrWorkerGlobalScope</dfn> {
 
   <dl class="domintro">
    <dt>self . <code subdfn data-x="dom-isSecureContext">isSecureContext</code></dt>
-
    <dd><p>Returns whether or not this global object represents a <span>secure context</span>. <ref
    spec=SECURE-CONTEXTS></p></dd>
 
    <dt>self . <code subdfn data-x="dom-origin">origin</code></dt>
-
    <dd><p>Returns the global object's <span>origin</span>, serialized as string.</p></dd>
+
+   <dt>self . <code subdfn data-x="dom-crossOriginIsolated">crossOriginIsolated</code></dt>
+   <dd>
+    <p>Returns the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
+    isolated</span>.</p>
+
+    <p>(This value depends on the <code data-x="">Cross-Origin-Opener-Policy</code> and <code
+    data-x="">Cross-Origin-Embedder-Policy</code> HTTP response headers and determines whether
+    <code>SharedArrayBuffer</code> can be used with <code data-x="">postMessage()</code> APIs.)</p>
+   </dd>
   </dl>
 
   <div class="example">
@@ -92169,6 +92199,10 @@ document.body.appendChild(frame)</code></pre>
   data-x="concept-settings-object-origin">origin</span>, <span data-x="serialization of an
   origin">serialized</span>.</p>
 
+  <p>The <dfn data-x="dom-crossOriginIsolated"><code>crossOriginIsolated</code></dfn> attribute's
+  getter must return the <span>surrounding agent</span>'s <span>agent cluster</span>'s
+  <span>cross-origin isolated</span>.</p>
+
   </div>
 
 
@@ -99061,6 +99095,17 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
      <span data-x="obtain an embedder policy">obtaining an embedder policy</span> from
      <var>response</var>.</p></li>
 
+     <li>
+      <p>If <var>worker global scope</var>'s <span
+      data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span> is "<code
+      data-x="coep-require-corp">require-corp</code>" and <var>is shared</var> is true, then set
+      <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> to
+      true.</p>
+
+      <p class="XXX">This really ought to be set when the agent cluster is created, which requires a
+      redesign of this section.</p>
+     </li>
+
      <li><p>If the result of <span data-x="check a global object's embedder policy">checking a
      global object's embedder policy</span> with <var>worker global scope</var>, <var>owner</var>,
      and <var>response</var> is false, then set <var>response</var> to a <span>network