Define the [CrossOriginIsolated] extended attribute

Web IDL currently defines a [SecureContext] extended attribute that
governs whether or not a given construct is exposed within a given
context. This patch defines a similar [CrossOriginIsolated] attribute
to govern exposure based on cross-origin isolation.

This supports the broader Securer Contexts proposal
(https://github.com/mikewest/securer-contexts), which aims to guide
spec authors to combat threats we've started paying more attention to
over the last few years.

Closes #875.

Co-authored-by: Domenic Denicola <[email protected]>

Author: mikewest

index.bs

@@ -994,15 +994,17 @@ The relevant language binding determines how interfaces correspond to constructs
 in the language.
 
 The following extended attributes are applicable to interfaces:
+[{{CrossOriginIsolated}}],
 [{{Exposed}}],
 [{{Global}}],
-[{{LegacyWindowAlias}}],
 [{{LegacyFactoryFunction}}],
 [{{LegacyNoInterfaceObject}}],
-[{{LegacyOverrideBuiltIns}}], and
+[{{LegacyOverrideBuiltIns}}],
+[{{LegacyWindowAlias}}], and
 [{{SecureContext}}].
 
 The following extended attributes are applicable to [=partial interfaces=]:
+[{{CrossOriginIsolated}}],
 [{{Exposed}}],
 [{{LegacyOverrideBuiltIns}}], and
 [{{SecureContext}}].
@@ -1245,7 +1247,7 @@ in the <a href="#es-namespaces">ECMAScript binding</a>.
 Note that unlike [=interfaces=] or [=dictionaries=], [=interface mixins=] do not create types.
 
 Of the extended attributes defined in this specification,
-only the [{{Exposed}}] and [{{SecureContext}}] extended attributes
+only the [{{CrossOriginIsolated}}], [{{Exposed}}], and [{{SecureContext}}] extended attributes
 are applicable to [=interface mixins=].
 
 An <dfn>includes statement</dfn> is a definition
@@ -1770,7 +1772,8 @@ on which they appear.  It is language binding specific whether
 </div>
 
 The following extended attributes are applicable to constants:
-[{{Exposed}}],
+[{{CrossOriginIsolated}}],
+[{{Exposed}}], and
 [{{SecureContext}}].
 
 <pre class="grammar" id="prod-Const">
@@ -1951,8 +1954,9 @@ interface will be stringified to the value of the attribute.  See
 
 The following [=extended attributes=]
 are applicable to regular and static attributes:
+[{{CrossOriginIsolated}}],
 [{{Exposed}}],
-[{{SameObject}}],
+[{{SameObject}}], and
 [{{SecureContext}}].
 
 The following [=extended attributes=]
@@ -2403,11 +2407,12 @@ type=] that has a [=dictionary type=] in its [=flattened member types=].
 </div>
 
 The following extended attributes are applicable to operations:
+[{{CrossOriginIsolated}}],
 [{{Default}}],
 [{{Exposed}}],
-[{{NewObject}}],
-[{{SecureContext}}],
-[{{LegacyUnforgeable}}].
+[{{LegacyUnforgeable}}],
+[{{NewObject}}], and
+[{{SecureContext}}].
 
 The <dfn>method steps</dfn> of an operation |operation| should be introduced using text of the form
 “The <code>|operation|(<var ignore>arg1</var>, <var ignore>arg2</var>, ...)</code> method
@@ -4266,7 +4271,8 @@ must not have a
 [=asynchronously iterable declaration=].
 
 The following extended attributes are applicable to [=iterable declarations=]:
-[{{Exposed}}],
+[{{CrossOriginIsolated}}],
+[{{Exposed}}], and
 [{{SecureContext}}].
 
 <pre class="grammar" id="prod-Iterable">
@@ -4456,7 +4462,8 @@ An [=interface=] with an [=asynchronously iterable declaration=] and its [=inher
 must not have a [=maplike declaration=], [=setlike declaration=], or [=iterable declaration=].
 
 The following extended attributes are applicable to [=asynchronously iterable declarations=]:
-[{{Exposed}}],
+[{{CrossOriginIsolated}}],
+[{{Exposed}}], and
 [{{SecureContext}}].
 
 Issue: these [=extended attributes=] are not currently taken into account.
@@ -4707,7 +4714,7 @@ The order that members appear in has significance for property enumeration in th
 
 Note that unlike interfaces or dictionaries, namespaces do not create types.
 
-Of the extended attributes defined in this specification, only the [{{Exposed}}] and [{{SecureContext}}] extended attributes are applicable to namespaces.
+Of the extended attributes defined in this specification, only the [{{CrossOriginIsolated}}], [{{Exposed}}], and [{{SecureContext}}] extended attributes are applicable to namespaces.
 
 [=Namespaces=] must be annotated with the [{{Exposed}}] [=extended attribute=].
 
@@ -9094,6 +9101,91 @@ for the specific requirements that the use of
 </div>
 
 
+<h4 id="CrossOriginIsolated" extended-attribute lt="CrossOriginIsolated">[CrossOriginIsolated]</h4>
+
+If the [{{CrossOriginIsolated}}] [=extended attribute=] appears on an
+[=interface=],
+[=partial interface=],
+[=interface mixin=],
+[=partial interface mixin=],
+[=callback interface=],
+[=namespace=],
+[=partial namespace=],
+[=interface member=],
+[=interface mixin member=], or
+[=namespace member=],
+it indicates that the construct is [=exposed=] only within an environment whose
+[=environment settings object/cross-origin isolated capability=] is true. The
+[{{CrossOriginIsolated}}] extended attribute must not be used on any other construct.
+
+The [{{CrossOriginIsolated}}] extended attribute must [=takes no arguments|take no arguments=].
+
+If [{{CrossOriginIsolated}}] appears on an [=overloaded=] [=operation=],
+then it must appear on all overloads.
+
+The [{{CrossOriginIsolated}}] [=extended attribute=] must not be specified both on
+
+* an [=interface member=] and its [=interface=] or [=partial interface=];
+* an [=interface mixin member=] and its [=interface mixin=] or [=partial interface mixin=];
+* a [=namespace member=] and its [=namespace=] or [=partial namespace=].
+
+Note: This is because adding the [{{CrossOriginIsolated}}] [=extended attribute=] on a [=member=]
+when its containing definition is also annotated with the [{{CrossOriginIsolated}}]
+[=extended attribute=] does not further restrict the exposure of the [=member=].
+
+An [=interface=] without the [{{CrossOriginIsolated}}] [=extended attribute=]
+must not [=interface/inherit=] from another interface
+that does specify [{{CrossOriginIsolated}}].
+
+<div class="example">
+
+    The following [=IDL fragment=] defines an interface with one [=operation=] that is executable
+    from all contexts, and two which are executable only from cross-origin isolated contexts.
+
+    <pre highlight="webidl">
+        [Exposed=Window]
+        interface ExampleFeature {
+          // This call will succeed in all contexts.
+          Promise &lt;Result&gt; calculateNotSoSecretResult();
+
+          // This operation will not be exposed to a non-isolated context. In such a context,
+          // there will be no "calculateSecretResult" property on ExampleFeature.prototype.
+          [CrossOriginIsolated] Promise&lt;Result&gt; calculateSecretResult();
+
+          // The same applies here: the attribute will not be exposed to a non-isolated context,
+          // and in such a context there will be no "secretBoolean" property on
+          // ExampleFeature.prototype.
+          [CrossOriginIsolated] readonly attribute boolean secretBoolean;
+        };
+
+        // HighResolutionTimer will not be exposed in a non-isolated context, nor will its members.
+        // In such a context, there will be no "HighResolutionTimer" property on Window.
+        [Exposed=Window, CrossOriginIsolated]
+        interface HighResolutionTimer {
+          DOMHighResTimeStamp getHighResolutionTime();
+        };
+
+        // The interface mixin members defined below will never be exposed in a non-isolated
+        // context, regardless of whether the interface that includes them is. That is, in
+        // non-isolated context, there will be no "snap" property on ExampleFeature.prototype.
+        [CrossOriginIsolated]
+        interface mixin Snapshotable {
+          Promise&lt;boolean&gt; snap();
+        };
+        ExampleFeature includes Snapshotable;
+
+        // On the other hand, the following interface mixin members will be exposed to a
+        // non-isolated context when included by a host interface that doesn't have the
+        // [CrossOriginIsolated] extended attribute. That is, in a non-isolated context, there will
+        // be a "log" property on ExampleFeature.prototype.
+        interface mixin Loggable {
+          Promise&lt;boolean&gt; log();
+        };
+        ExampleFeature includes Loggable;
+    </pre>
+</div>
+
+
 <h4 id="Default" extended-attribute lt="Default">[Default]</h4>
 
 If the [{{Default}}] [=extended attribute=] appears on a [=regular operation=], then it indicates
@@ -9336,20 +9428,53 @@ Otherwise, it is the [=host interface=]'s [=exposure set=].
 
     1.  If |realm|.\[[GlobalObject]] does not implement an [=interface=]
         that is in |construct|'s [=exposure set=], then return false.
-    1.  If |construct| is [=available in both secure and non-secure contexts=],
-        then return true.
-    1.  If the [=relevant settings object=] of |realm|.\[[GlobalObject]] is a [=secure context=],
+    1.  If |realm|'s [=Realm/settings object=] is not a [=secure context=], and |construct| is
+        [=conditionally exposed=] on [{{SecureContext}}], then return false.
+    1.  If |realm|'s [=Realm/settings object=]'s
+        [=environment settings object/cross-origin isolated capability=] is false, and |construct|
+        is [=conditionally exposed=] on [{{CrossOriginIsolated}}], then return false.
+    1.  Return true.
+</div>
+
+<div algorithm>
+    An [=interface=], [=callback interface=], [=namespace=], or [=member=] |construct| is
+    <dfn id="dfn-conditionally-exposed" export>conditionally exposed</dfn> on a given
+    [=extended attribute=] |exposure condition| if the following steps return true:
+
+    1.  Assert: |construct| is an [=interface=], [=callback interface=], [=namespace=],
+        [=interface member=], [=interface mixin member=], or [=namespace member=].
+    1.  Let |H| be |construct|'s [=host interface=] if |construct| is an [=interface mixin member=],
+        or null otherwise.
+    1.  If |construct| is an [=interface member=], [=interface mixin member=], or
+        [=namespace member=], then:
+        1.  If the |exposure condition| [=extended attribute=] is specified on |construct|,
+            then return true.
+        1.  Otherwise, set |construct| to be the
+            [=interface=], [=partial interface=],
+            [=interface mixin=], [=partial interface mixin=],
+            [=namespace=], or [=partial namespace=]
+            |construct| is declared on.
+    1.  If |construct| is a [=partial interface=], [=partial interface mixin=], or
+        [=partial namespace=], then:
+        1.  If the |exposure condition| [=extended attribute=] is specified on |construct|,
+            then return true.
+        1.  Otherwise, set |construct| to be the original [=interface=], [=interface mixin=], or
+            [=namespace=] definition of |construct|.
+    1.  If |construct| is an [=interface mixin=], then:
+        1.  If the |exposure condition| [=extended attribute=] is specified on |construct|,
+            then return true.
+        1.  Otherwise, set |construct| to |H|.
+    1.  Assert: |construct| is an [=interface=], [=callback interface=] or [=namespace=].
+    1.  If the |exposure condition| [=extended attribute=] is specified on |construct|,
         then return true.
     1.  Otherwise, return false.
 </div>
 
 Note: Since it is not possible for the [=relevant settings object=]
 for an ECMAScript global object to change whether it is a
-[=secure context=] or not over time, an implementation's
-decision to create properties for an interface or interface member
-can be made once, at the time the
-[=initial objects=]
-are created.
+[=secure context=] or [=environment settings object/cross-origin isolated capability=] over time, an
+implementation's decision to create properties for an interface or interface member can be made
+once, at the time the [=initial objects=] are created.
 
 See
 [[#es-interfaces]],
@@ -9888,45 +10013,6 @@ on any other construct.
 
 The [{{SecureContext}}] extended attribute must [=takes no arguments|take no arguments=].
 
-A construct is <dfn export>available in both secure and non-secure contexts</dfn> if it is not
-[=available only in secure contexts=] (i.e., if no [{{SecureContext}}] extended attribute applies
-to it).
-
-<div algorithm>
-
-    To check if a construct |C| is
-    <dfn id="dfn-available-only-in-secure-contexts" export>available only in secure contexts</dfn>,
-    run the following steps:
-
-    1.  Assert: |C| is an [=interface=], [=callback interface=], [=namespace=],
-        [=interface member=], [=interface mixin member=], or [=namespace member=].
-    1.  Let |H| be |C|'s [=host interface=] if |C| is an [=interface mixin member=], or null otherwise.
-    1.  If |C| is an [=interface member=], [=interface mixin member=], or [=namespace member=], then:
-        1.  If the [{{SecureContext}}] [=extended attribute=] is specified on |C|,
-            then return true.
-        1.  Otherwise, set |C| to be the
-            [=interface=], [=partial interface=],
-            [=interface mixin=], [=partial interface mixin=],
-            [=namespace=], or [=partial namespace=]
-            |C| is declared on.
-    1.  If |C| is a [=partial interface=], [=partial interface mixin=], or [=partial namespace=], then:
-        1.  If the [{{SecureContext}}] [=extended attribute=] is specified on |C|,
-            then return true.
-        1.  Otherwise, set |C| to be the original [=interface=], [=interface mixin=], or [=namespace=]
-            definition of |C|.
-    1.  If |C| is an [=interface mixin=], then:
-        1.  If the [{{SecureContext}}] [=extended attribute=] is specified on |C|,
-            then return true.
-        1.  Otherwise, set |C| to |H|.
-    1.  Assert: |C| is an [=interface=], [=callback interface=] or [=namespace=].
-    1.  If the [{{SecureContext}}] [=extended attribute=] is specified on |C|,
-        then return true.
-    1.  Otherwise, return false.
-</div>
-
-Note: Whether a construct is [=available only in secure contexts=]
-influences whether it is [=exposed=] in a given [=Realm=].
-
 If [{{SecureContext}}] appears on an [=overloaded=] [=operation=],
 then it must appear on all overloads.
 
@@ -9944,6 +10030,11 @@ An [=interface=] without the [{{SecureContext}}] [=extended attribute=]
 must not [=interface/inherit=] from another interface
 that does specify [{{SecureContext}}].
 
+[{{SecureContext}}] must not be specified on a construct is that is [=conditionally exposed=] on
+[{{CrossOriginIsolated}}]. (Doing so would be redundant, since every environment which is
+[=environment settings object/cross-origin isolated capability|cross-origin isolated=] is also a
+[=secure context=].)
+
 <div class="example">
 
     The following [=IDL fragment=] defines an interface
@@ -9952,46 +10043,44 @@ that does specify [{{SecureContext}}].
 
     <pre highlight="webidl">
         [Exposed=Window]
-        interface PowerfulFeature {
+        interface ExampleFeature {
           // This call will succeed in all contexts.
           Promise &lt;Result&gt; calculateNotSoSecretResult();
 
           // This operation will not be exposed to a non-secure context. In such a context,
-          // there will be no "calculateSecretResult" property on PowerfulFeature.prototype.
+          // there will be no "calculateSecretResult" property on ExampleFeature.prototype.
           [SecureContext] Promise&lt;Result&gt; calculateSecretResult();
 
           // The same applies here: the attribute will not be exposed to a non-secure context,
           // and in a non-secure context there will be no "secretBoolean" property on
-          // PowerfulFeature.prototype.
+          // ExampleFeature.prototype.
           [SecureContext] readonly attribute boolean secretBoolean;
         };
 
         // HeartbeatSensor will not be exposed in a non-secure context, nor will its members.
         // In such a context, there will be no "HeartbeatSensor" property on Window.
-        [SecureContext]
+        [Exposed=Window, SecureContext]
         interface HeartbeatSensor {
           Promise&lt;float&gt; getHeartbeatsPerMinute();
         };
 
         // The interface mixin members defined below will never be exposed in a non-secure context,
-        // regardless of whether the interface that includes them is.
-        // In a non-secure context, there will be no "snap" property on
-        // PowerfulFeature.prototype.
+        // regardless of whether the interface that includes them is. That is, in a non-secure
+        // context, there will be no "snap" property on ExampleFeature.prototype.
         [SecureContext]
         interface mixin Snapshotable {
           Promise&lt;boolean&gt; snap();
         };
-        PowerfulFeature includes Snapshotable;
+        ExampleFeature includes Snapshotable;
 
-        // On the other hand, the following interface mixin members will be exposed
-        // to a non-secure context when included by a host interface
-        // that doesn't have the [SecureContext] extended attribute.
-        // In a non-secure context, there will be a "log" property on
-        // PowerfulFeatures.prototype.
+        // On the other hand, the following interface mixin members will be exposed to a non-secure
+        // context when included by a host interface that doesn't have the [SecureContext] extended
+        // attribute. That is, in a non-secure context, there will be a "log" property on
+        // ExampleFeature.prototype.
         interface mixin Loggable {
           Promise&lt;boolean&gt; log();
         };
-        PowerfulFeatures includes Loggable;
+        ExampleFeature includes Loggable;
     </pre>
 </div>