Make COOP+COEP not imply cross-origin isolated

ArthurSonzogni · web-flow · commit cbcf6ac32e1b · 2021-01-06T18:35:15.000+01:00
This contains 3 changes: --- The specification currently requires COOP+COEP to give access to cross-origin isolated capabilities like SharedArrayBuffer. Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support cross-origin isolated. However the are no strong reasons for them not to enforce COEP and COEP when their associated headers are present. This patch changes the specification to allow (instead of requiring) platforms to grant the cross-origin isolated capability when both COOP and COEP are used. The browsing context group's cross-origin-isolation mode becomes a tri-state: - none (not COOP+COEP) - logical (COOP+COEP, without granting cross-origin isolated) - concrete (COOP+COEP, with granting cross-origin isolated) Closes #6060. --- When setting document.domain, both properties were previously checked: 1. agent-cluster's cross-origin-isolation mode. 2. agent-cluster's origin-keyed. The first has been removed, since it already implies the second. --- When serializing a SharedArrayBuffer, check the cross-origin isolated capability instead of the cross-origin isolation mode. This was an oversight from when the cross-origin isolated capability was first introduced.
diff --git a/source b/source
@@ -8085,16 +8085,16 @@ interface <dfn>DOMStringList</dfn> {
       <p>If ! <span>IsSharedArrayBuffer</span>(<var>value</var>) is true, then:
 
       <ol>
-       <li><p>Let <var>agentCluster</var> be the <span>surrounding agent</span>'s
-       <span>agent cluster</span>.</p></li>
-
        <li>
-        <p>If <var>agentCluster</var>'s <span>cross-origin isolated</span> is false, then throw a
-        <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>
+        <p>If the <span>current settings object</span>'s <span
+        data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
+        capability</span> is false, then throw a <span>"<code>DataCloneError</code>"</span>
+        <code>DOMException</code>.</p>
 
         <p class="note">This check is only needed when serializing (and not when deserializing) as
-        <span>cross-origin isolated</span> cannot change over time and a
-        <code>SharedArrayBuffer</code> cannot leave an <span>agent cluster</span>.</p>
+        the <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
+        isolated capability</span> cannot change over time and a <code>SharedArrayBuffer</code>
+        cannot leave an <span>agent cluster</span>.</p>
        </li>
 
        <li><p>If <var>forStorage</var> is true, then throw a
@@ -77984,9 +77984,6 @@ console.assert(iframeWindow.frameElement === null);
   keys</span> to <span data-x="agent cluster">agent clusters</span>). User agents are responsible
   for collecting agent clusters when it is deemed that nothing can access them anymore.</p>
 
-  <p>A <span>browsing context group</span> has a <dfn data-x="bcg cross-origin
-  isolated">cross-origin isolated</dfn> boolean. It is initially false.</p>
-
   <p>A <span>browsing context group</span> has an associated <dfn>historical agent cluster key
   map</dfn>, which is a <span data-x="ordered map">map</span> of <span
   data-x="origin">origins</span> to <span data-x="agent cluster key">agent cluster keys</span>. This
@@ -77997,6 +77994,41 @@ console.assert(iframeWindow.frameElement === null);
   <p class="note">The <span>historical agent cluster key map</span> only ever gains entries over the
   lifetime of the browsing context group.</p>
 
+  <p>A <span>browsing context group</span> has a <dfn
+  data-x="bcg-cross-origin-isolation">cross-origin isolation mode</dfn>, which is a
+  <span>cross-origin isolation mode</span>. It is initially "<code
+  data-x="cross-origin-isolation-none">none</code>".</p>
+
+  <p>A <dfn>cross-origin isolation mode</dfn> is one of three possible values: "<dfn><code
+  data-x="cross-origin-isolation-none">none</code></dfn>", "<dfn><code
+  data-x="cross-origin-isolation-logical">logical</code></dfn>", or "<dfn><code
+  data-x="cross-origin-isolation-concrete">concrete</code></dfn>".</p>
+
+  <div class="note">
+   <p>"<code data-x="cross-origin-isolation-logical">logical</code>" and "<code
+   data-x="cross-origin-isolation-concrete">concrete</code>" are similar. They are both used for
+   <span data-x="browsing context group">browsing context groups</span> where:</p>
+
+   <ul>
+    <li><p>every top-level <span>Document</span> has `<code data-x=""><span
+    data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</span>: <span
+    data-x="coop-same-origin">same-origin</span></code>`, and</p></li>
+
+    <li><p>every <span>Document</span> has `<code
+    data-x=""><span>Cross-Origin-Embedder-Policy</span>: <span
+    data-x="coep-require-corp">require-corp</span></code>`.</p></li>
+   </ul>
+
+   <p>On some platforms, it is difficult to provide the security properties required to grant safe
+   access to the APIs gated by the <span
+   data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
+   capability</span>. As a result, only "<code
+   data-x="cross-origin-isolation-concrete">concrete</code>" can grant access that capability.
+   "<code data-x="cross-origin-isolation-logical">logical</code>" is used on platform not supporting
+   this capability, where various restrictions imposed by cross-origin isolation will still apply,
+   but the capability is not granted.</p>
+  </div>
+
   <p>To <dfn data-x="creating a new browsing context group">create a new browsing context
   group</dfn>, run these steps:</p>
 
@@ -79645,11 +79677,18 @@ interface <dfn>BarProp</dfn> {
 
      <dt>The <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
      isolated capability</span></dt>
-     <dd><p>Return the logical conjunction of <var>realm</var>'s <span>agent cluster</span>'s
-     <span>cross-origin isolated</span> and whether <var>window</var>'s <span
-     data-x="concept-document-window">associated <code>Document</code></span> is <span>allowed to
-     use</span> the "<code data-x="cross-origin-isolated-feature">cross-origin-isolated</code>"
-     feature.</p></dd>
+     <dd>
+      <p>Return true if both of the following hold, and false otherwise:</p>
+      <ol>
+       <li><p><var>realm</var>'s <span>agent cluster</span>'s <span
+       data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation mode</span> is "<code
+       data-x="cross-origin-isolation-concrete">concrete</code>", and</p></li>
+
+       <li><p><var>window</var>'s <span data-x="concept-document-window">associated
+       <code>Document</code></span> is <span>allowed to use</span> the "<code
+       data-x="cross-origin-isolated-feature">cross-origin-isolated</code>" feature.</p></li>
+      </ol>
+     </dd>
     </dl>
    </li>
 
@@ -80424,9 +80463,6 @@ interface <dfn>BarProp</dfn> {
    a registrable domain suffix of and is not equal to</span> <var>effectiveDomain</var>, then throw
    a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
-   <li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
-   isolated</span> is true, then return.</p></li>
-
    <li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>is
    origin-keyed</span> is true, then return.</p></li>
 
@@ -80534,10 +80570,11 @@ interface <dfn>BarProp</dfn> {
   and the <code data-x="dom-originAgentCluster">originAgentCluster</code> getter will always return
   true.</p>
 
-  <p class="note">Similarly, <code>Document</code>s in a <span>cross-origin isolated</span>
-  <span>agent cluster</span> are automatically origin-keyed. The `<code
-  data-x="http-origin-agent-cluster">Origin-Agent-Cluster</code>` header might be useful as an
-  additional hint to implementations about resource allocation, since the `<code
+  <p class="note">Similarly, <code>Document</code>s whose <span>agent cluster</span>'s
+  <span data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> is not
+  "<code data-x="cross-origin-isolation-none">none</code>" are automatically origin-keyed. The
+  `<code data-x="http-origin-agent-cluster">Origin-Agent-Cluster</code>` header might be useful as
+  an additional hint to implementations about resource allocation, since the `<code
   data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` and
   `<code>Cross-Origin-Embedder-Policy</code>` headers used to achieve cross-origin isolation are
   more about ensuring that everything in the same address space opts in to being there. But adding
@@ -80901,8 +80938,9 @@ interface <dfn>BarProp</dfn> {
    <dd>
     <p>This behaves the same as "<code data-x="coop-same-origin">same-origin</code>", with the
     addition that it sets the (new) <span>top-level browsing context</span>'s <span data-x="tlbc
-    group">group</span>'s <span data-x="bcg cross-origin isolated">cross-origin isolated</span> to
-    true.</p>
+    group">group</span>'s <span data-x="bcg-cross-origin-isolation">cross-origin isolation
+    mode</span> to one of "<code data-x="cross-origin-isolation-logical">logical</code>" or "<code
+    data-x="cross-origin-isolation-concrete">concrete</code>".</p>
 
     <p class="note">"<code data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>" cannot
     be directly set via the `<code
@@ -81308,10 +81346,21 @@ interface <dfn>BarProp</dfn> {
    <li><p>Let <var>newBrowsingContext</var> be the result of <span>creating a new top-level browsing
    context</span>.</p></li>
 
-   <li><p>If <var>navigationCOOP</var>'s <span data-x="coop-struct-value">value</span> is "<code
-   data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>", then set
-   <var>newBrowsingContext</var>'s <span data-x="tlbc group">group</span>'s <span data-x="bcg
-   cross-origin isolated">cross-origin isolated</span> to true.</p></li>
+   <li>
+    <p>If <var>navigationCOOP</var>'s <span data-x="coop-struct-value">value</span> is "<code
+    data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>", then set
+    <var>newBrowsingContext</var>'s <span data-x="tlbc group">group</span>'s <span
+    data-x="bcg-cross-origin-isolation">cross-origin isolation mode</span> to either "<code
+    data-x="cross-origin-isolation-logical">logical</code>" or "<code
+    data-x="cross-origin-isolation-concrete">concrete</code>". The choice of which is
+    <span>implementation-defined</span>.</p>
+
+    <p class="note">It is difficult on some platforms to provide the security properties required by
+    the <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
+    isolated capability</span>. "<code data-x="cross-origin-isolation-concrete">concrete</code>"
+    grants access to it and "<code data-x="cross-origin-isolation-logical">logical</code>" does
+    not.</p>
+   </li>
 
    <li>
     <p>If <var>sandboxFlags</var> is not empty, then:</p>
@@ -86778,8 +86827,8 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
     <p>Contains various <code>Window</code> objects which can potentially reach each other, either
     directly or by using <code data-x="dom-document-domain">document.domain</code>.</p>
 
-    <p>If the encompassing <span>agent cluster</span>'s <span>cross-origin isolated</span> is true,
-    then all the <code>Window</code> objects will be <span>same origin</span>, can reach each other
+    <p>If the encompassing <span>agent cluster</span>'s <span>is origin-keyed</span> is true, then
+    all the <code>Window</code> objects will be <span>same origin</span>, can reach each other
     directly, and <code data-x="dom-document-domain">document.domain</code> will no-op.</p>
 
     <p class="note">Two <code>Window</code> objects that are <span>same origin</span> can be in
@@ -86862,8 +86911,10 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
   <div w-nodev>
 
-  <p>An <span>agent cluster</span> has an associated <dfn>cross-origin isolated</dfn> (a boolean),
-  which is initially false.</p>
+  <p>An <span>agent cluster</span> has an associated <dfn
+  data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</dfn>, which is a
+  <span>cross-origin isolation mode</span>. It is initially "<code
+  data-x="cross-origin-isolation-none">none</code>".</p>
 
   <p>An <span>agent cluster</span> has an associated <dfn>is origin-keyed</dfn> (a boolean), which
   is initially false.</p>
@@ -86891,8 +86942,9 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
    <li><p>Let <var>key</var> be <var>site</var>.</p></li>
 
-   <li><p>If <var>group</var>'s <span data-x="bcg cross-origin isolated">cross-origin
-   isolated</span> is true, then set <var>key</var> to <var>origin</var>.</p></li>
+   <li><p>If <var>group</var>'s <span data-x="bcg-cross-origin-isolation">cross-origin isolation
+   mode</span> is not "<code data-x="cross-origin-isolation-none">none</code>", then set
+   <var>key</var> to <var>origin</var>.</p></li>
 
    <li><p>Otherwise, if <var>group</var>'s <span>historical agent cluster key
    map</span>[<var>origin</var>] <span data-x="map exists">exists</span>, then set <var>key</var> to
@@ -86917,8 +86969,10 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
     <ol>
      <li><p>Let <var>agentCluster</var> be a new <span>agent cluster</span>.</p></li>
 
-     <li><p>Set <var>agentCluster</var>'s <span>cross-origin isolated</span> to <var>group</var>'s
-     <span data-x="bcg cross-origin isolated">cross-origin isolated</span>.</p></li>
+     <li><p>Set <var>agentCluster</var>'s <span
+     data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> to
+     <var>group</var>'s <span data-x="bcg-cross-origin-isolation">cross-origin isolation
+     mode</span>.</p></li>
 
      <li><p>Set <var>agentCluster</var>'s <span>is origin-keyed</span> to true if <var>key</var>
      equals <var>origin</var>; otherwise false.</p></li>
@@ -87299,8 +87353,9 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
    href="https://github.com/tc39/ecma262/issues/1357">tc39/ecma262#1357</a>.</span></p></li>
 
    <li>
-    <p>If <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> is
-    false, then:</p>
+    <p>If <var>agent</var>'s <span>agent cluster</span>'s <span
+    data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> is "<code
+    data-x="cross-origin-isolation-none">none</code>", then:</p>
 
     <ol>
      <li><p>Let <var>global</var> be <var>realm</var>'s <span data-x="concept-realm-global">global
@@ -99220,8 +99275,11 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
       <p>If <var>worker global scope</var>'s <span
       data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span> is "<code
       data-x="coep-require-corp">require-corp</code>" and <var>is shared</var> is true, then set
-      <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> to
-      true.</p>
+      <var>agent</var>'s <span>agent cluster</span>'s <span
+      data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> to "<code
+      data-x="cross-origin-isolation-logical">logical</code>" or "<code
+      data-x="cross-origin-isolation-concrete">concrete</code>". The one chosen is
+      <span>implementation-defined</span>.</p>
 
       <p class="XXX">This really ought to be set when the agent cluster is created, which requires a
       redesign of this section.</p>
@@ -99234,8 +99292,9 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
 
      <li><p>Set <var>worker global scope</var>'s <span
      data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated
-     capability</span> to <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin
-     isolated</span>.</p></li>
+     capability</span> to true if <var>agent</var>'s <span>agent cluster</span>'s <span
+     data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> is "<code
+     data-x="cross-origin-isolation-concrete">concrete</code>".</p></li>
 
      <li><p>If <var>is shared</var> is false and <var>owner</var>'s <span
      data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
