Make COOP+COEP do not imply crossOriginIsolated.

ArthurSonzogni · ArthurSonzogni · commit 590a022c5396 · 2020-10-23T15:52:44.000+02:00
The [specification] currently requires [COOP] + [COEP] to give access to crossOriginIsolated capabilities like SharedArrayBuffer. Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However the are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present. It would be great enforcing COEP (and maybe COOP) on all platforms, desptie the lack of crossOriginIsolated capabilities. This patch makes the specification to allow (instead of requiring) platform to set the crossOriginIsolated flag when both COOP and COEP are used. Setting crossOriginIsolated becomes platform dependent. In exchange, we can enforce COEP (and COOP) in a non platform dependent way, without conflicting with the specification about crossOriginIsolated. [Bug]: #6060 [specification]: https://html.spec.whatwg.org/#cross-origin-opener-policies [COOP]: https://html.spec.whatwg.org/#cross-origin-opener-policy [COEP]: https://html.spec.whatwg.org/#coep
diff --git a/source b/source
@@ -80909,9 +80909,9 @@ interface <dfn>BarProp</dfn> {
    <dt>"<dfn><code data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code></dfn>"</dt>
    <dd>
     <p>This behaves the same as "<code data-x="coop-same-origin">same-origin</code>", with the
-    addition that it sets the (new) <span>top-level browsing context</span>'s <span data-x="tlbc
-    group">group</span>'s <span data-x="bcg cross-origin isolated">cross-origin isolated</span> to
-    true.</p>
+    addition that, on platforms supporting it, it allows setting the (new) <span>top-level browsing
+    context</span>'s <span data-x="tlbc group">group</span>'s <span
+    data-x="bcg cross-origin isolated">cross-origin isolated</span> to true.</p>
 
     <p class="note">"<code data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>" cannot
     be directly set via the `<code
@@ -80920,6 +80920,12 @@ interface <dfn>BarProp</dfn> {
     data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</span>: <span
     data-x="coop-same-origin">same-origin</span></code>` and `<code
     data-x=""><span>Cross-Origin-Embedder-Policy</span>: require-corp</code>` together.</p>
+
+    <p class="note">"<code data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>" <b>
+    doesn't require</b> setting the <span>top-level browsing context</span>'s <span data-x="tlbc
+    group">group</span>'s <span data-x="bcg cross-origin isolated">cross-origin isolated</span> to
+    true. Whether this is sufficient or not is platform-specific. This is only a necessary
+    condition. It is not guaranteed to be sufficient.</p>
    </dd>
   </dl>
 
