From b303ac8248ff456d52409d06f6f0a948dd8e336a Mon Sep 17 00:00:00 2001
From: Yutaka Hirano
Date: Wed, 22 Jul 2020 16:40:31 +0900
Subject: [PATCH 1/8] Introduce "cross-origin-isolated" permission

Introduce "cross-origin-isolated" permission to allow a document to control whether nested documents can access features that require a securer context, even when COOP+COEP are enabled.
---
 source | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 58 insertions(+), 2 deletions(-)

diff --git a/source b/source
index 3d085f86bb6..bf9ece7541a 100644
--- a/source
+++ b/source
@@ -4197,6 +4197,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
  • "autoplay", which has a default allowlist of 'self'.
  • +
  • "cross-origin-isolated", which has a default allowlist of 'self'.
  • "document-domain", which has a default allowlist of *.
  • @@ -92550,8 +92554,27 @@ document.body.appendChild(frame) origin">serialized.

    The crossOriginIsolated getter steps - are to return the surrounding agent's agent cluster's cross-origin - isolated.

    + are to return true if all of the following conditions are true, and false otherwise.

    + + @@ -98975,6 +98998,11 @@ interface WorkerGlobalScope : EventTarget { data-dfn-for="WorkerGlobalScope" data-x="concept-WorkerGlobalScope-module-map">module map. It is a module map, initially empty.

    +

    A WorkerGlobalScope object has an associated cross-origin-isolated + permission boolean, initially true.

    +
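
Review bot: "initially true" for the cross-origin-isolated permission on WorkerGlobalScope is a fail-open default: any worker-creation path that never reaches a step assigning it leaves the worker reporting the permission as granted. Initialise it to false and set it to true only in the step where the owner's policy has actually been consulted.
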
    @@ -99367,6 +99395,27 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope { +
  • +

    Otherwise:

    + +
      +
    1. If owner is a Window object, then set worker global + scope's cross-origin-isolated + permission to whether owner's associated Document is allowed to + use the "cross-origin-isolated" feature.

    2. + +
    3. If owner is a WorkerGlobalScope object, then set worker + global scope's cross-origin-isolated + permission to owner's cross-origin-isolated + permission.

    4. +
    +
  • +
  • Let destination be "sharedworker" if is shared is true, and "worker" otherwise.

  • @@ -99410,6 +99459,13 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope { parsing the `Referrer-Policy` header of response.

    +
  • If is shared is false and response's + url's scheme is "data", then set + worker global scope's cross-origin-isolated + permission to false. +

  • If response's url's scheme is a local scheme, then set worker global scope's Date: Tue, 28 Jul 2020 19:15:39 +0900 Subject: [PATCH 2/8] fix --- source | 31 +++++++++++++------------------ 1 file changed, 13 insertions(+), 18 deletions(-) diff --git a/source b/source index bf9ece7541a..eae58f2c1fc 100644 --- a/source +++ b/source @@ -92554,27 +92554,22 @@ document.body.appendChild(frame) origin">serialized.

    The crossOriginIsolated getter steps - are to return true if all of the following conditions are true, and false otherwise.

    + are: -
      -
    • Surrounding agent's agent cluster's cross-origin - isolated is true.

    • +
        +
      1. If surrounding agent's agent cluster's cross-origin + isolated is false, then return false.

      2. -
      3. -

        Any of the following conditions are true:

        +
      4. If this is a Window object, then return whether its associated Document is allowed to + use the "cross-origin-isolated". -

          -
        • this is a Window object and its associated Document is allowed to - use the "cross-origin-isolated" feature.

        • - -
        • this is a WorkerGlobalScope object and its asoociated cross-origin-isolated - permission is true.

        • -
        -
      5. -
    +
  • Otherwise, this is a WorkerGlobalScope object. Return its + asoociated cross-origin-isolated + permission.
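
Review bot: Two wording slips in the rewritten getter steps: the Window step ends at 'allowed to use the "cross-origin-isolated".' with no noun after the feature name (the removed bullet said '"cross-origin-isolated" feature'), and the WorkerGlobalScope step spells "associated" as "asoociated". The removed bullet carried the same misspelling, so it is worth fixing here rather than copying it forward.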

  • + From 84435fa6d68a17bb3750b7cf531462338e66a870 Mon Sep 17 00:00:00 2001 From: Yutaka Hirano Date: Wed, 5 Aug 2020 17:09:26 +0900 Subject: [PATCH 3/8] fix --- source | 85 ++++++++++++++++++++++++++-------------------------------- 1 file changed, 38 insertions(+), 47 deletions(-) diff --git a/source b/source index eae58f2c1fc..5154ba7258e 100644 --- a/source +++ b/source @@ -79111,7 +79111,15 @@ interface BarProp {
    The embedder policy

    Return window's associated Document's embedder - policy.

    + policy.

    + +
    The effective + cross-origin isolated boolean
    +

    Return the logical conjunction of realm's corresponding agent + cluster's cross-origin isolated and whether window's associated Document is allowed to + use the "cross-origin-isolated".
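
Review bot: The new item's name, "effective cross-origin isolated boolean", differs by a single adjective from the agent cluster's "cross-origin isolated" that it is computed from, and the return step uses both in one sentence. A more distinct term for the policy-gated value would make it harder for later steps to reference the wrong one, which matters because one of them ignores the "cross-origin-isolated" allowlist entirely.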

    @@ -87569,6 +87577,12 @@ interface ApplicationCache : EventTarget { check">cross-origin resource policy checks for fetches performed using this environment settings object as a request client.

    + +
    An effective cross-origin isolated boolean
    + +

    A boolean representing whether it is allowed to use APIs that requires cross-origin + isolation.

    An environment settings object also has an outstanding rejected promises @@ -92517,12 +92531,11 @@ interface mixin WindowOrWorkerGlobalScope {

    Returns the global object's origin, serialized as string.

    self . crossOriginIsolated
    -

    Returns whether the surrounding agent's agent cluster is - cross-origin isolated. This depends on the `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy` HTTP response headers and determines whether - SharedArrayBuffer can be used with postMessage() - APIs.

    +

    Returns whether it is allowed to use APIs that require cross-origin isolattion. + This depends on the `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy` HTTP response headers and the + "cross-origin-isolated" + permission.
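
Review bot: In the added description of self.crossOriginIsolated, "isolattion" is misspelled and "it" has no clear referent; naming the subject (scripts running in this global) would fix the second. The last added line also calls "cross-origin-isolated" a permission, while the algorithm steps in this series say 'allowed to use the "cross-origin-isolated" feature', so pick one term and use it throughout.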

    @@ -92554,22 +92567,9 @@ document.body.appendChild(frame) origin">serialized.

    The crossOriginIsolated getter steps - are: - -

      -
    1. If surrounding agent's agent cluster's cross-origin - isolated is false, then return false.

    2. - -
    3. If this is a Window object, then return whether its associated Document is allowed to - use the "cross-origin-isolated". - -

    4. Otherwise, this is a WorkerGlobalScope object. Return its - asoociated cross-origin-isolated - permission.

    5. -
    + are to return this's relevant settings object's effective cross-origin + isolated.

    @@ -98995,8 +98995,8 @@ interface WorkerGlobalScope : EventTarget {

    A WorkerGlobalScope object has an associated cross-origin-isolated - permission boolean, initially true.

    + data-x="concept-WorkerGlobalScope-effective-cross-origin-isolated">effective cross-origin + isolated boolean. It is initially false.

    @@ -99390,26 +99390,11 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope { -
  • -

    Otherwise:

    - -
      -
    1. If owner is a Window object, then set worker global - scope's cross-origin-isolated - permission to whether owner's associated Document is allowed to - use the "cross-origin-isolated" feature.

    2. - -
    3. If owner is a WorkerGlobalScope object, then set worker - global scope's cross-origin-isolated - permission to owner's cross-origin-isolated - permission.

    4. -
    -
  • +
  • Otherwise, set worker global scope's effective cross-origin + isolated to owner's effective cross-origin + isolated.

  • Let destination be "sharedworker" if is shared is true, and "worker" otherwise.

  • @@ -99458,8 +99443,8 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope { url's scheme is "data", then set worker global scope's cross-origin-isolated - permission to false. + data-x="concept-WorkerGlobalScope-effective-cross-origin-isolated">effective cross-origin + isolated to false.
  • If response's url's scheme is a local scheme, then set @@ -99786,6 +99771,12 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope {

    Return worker global scope's embedder policy.

    + +
    The effective + cross-origin isolated boolean
    +

    Return worker global scope's effective cross-origin + isolated.

  • From 6915c7652ce9fc85c7220c56dd6154c318c5ea9e Mon Sep 17 00:00:00 2001 From: Yutaka Hirano Date: Wed, 5 Aug 2020 18:57:38 +0900 Subject: [PATCH 4/8] fix --- source | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/source b/source index 5154ba7258e..519e7330fca 100644 --- a/source +++ b/source @@ -99390,14 +99390,19 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope { -
  • Otherwise, set worker global scope's

    Let destination be "sharedworker" if is + shared is true, and "worker" otherwise.

  • + +
  • Set worker global scope's effective cross-origin - isolated to owner's effective cross-origin + isolated to agent's agent cluster's cross-origin isolated.

  • -
  • Let destination be "sharedworker" if is - shared is true, and "worker" otherwise.

  • +
  • If is shared is false and owner's effective cross-origin + isolated is false, then set worker global scope's effective cross-origin + isolated to false.

  • Obtain script by switching on the value of options's Date: Thu, 6 Aug 2020 16:12:12 +0900 Subject: [PATCH 5/8] fix --- source | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/source b/source index 519e7330fca..54885d1fdb9 100644 --- a/source +++ b/source @@ -4197,7 +4197,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute

  • "autoplay", which has a default allowlist of 'self'.
  • -
  • ""cross-origin-isolated", which has a default allowlist of 'self'.
  • @@ -79119,7 +79119,7 @@ interface BarProp { cluster's cross-origin isolated and whether window's associated Document is allowed to use the "cross-origin-isolated".

    + data-x="cross-origin-isolated-feature">cross-origin-isolated
    " feature.

    @@ -87581,7 +87581,7 @@ interface ApplicationCache : EventTarget {
    An effective cross-origin isolated boolean
    -

    A boolean representing whether it is allowed to use APIs that requires cross-origin +

    A boolean representing whether it is allowed to use APIs that require cross-origin isolation.

    @@ -92531,11 +92531,11 @@ interface mixin WindowOrWorkerGlobalScope {

    Returns the global object's origin, serialized as string.

    self . crossOriginIsolated
    -

    Returns whether it is allowed to use APIs that require cross-origin isolattion. - This depends on the `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy` HTTP response headers and the - "cross-origin-isolated" - permission.

    +

    Returns whether scripts running in this global are allowed to use APIs that require + cross-origin isolation. This depends on the `Cross-Origin-Opener-Policy` + and `Cross-Origin-Embedder-Policy` HTTP response headers and the + "cross-origin-isolated" + feature.

    From 3ef2ba4937c05540515c3a44e721dde15c964e9f Mon Sep 17 00:00:00 2001 From: Yutaka Hirano Date: Fri, 7 Aug 2020 19:09:28 +0900 Subject: [PATCH 6/8] fix --- source | 36 ++++++++++++++++++------------------ 1 file changed, 18 insertions(+), 18 deletions(-) diff --git a/source b/source index 54885d1fdb9..1d35cced874 100644 --- a/source +++ b/source @@ -99393,17 +99393,6 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope {
  • Let destination be "sharedworker" if is shared is true, and "worker" otherwise.

  • -
  • Set worker global scope's effective cross-origin - isolated to agent's agent cluster's cross-origin - isolated.

  • - -
  • If is shared is false and owner's effective cross-origin - isolated is false, then set worker global scope's effective cross-origin - isolated to false.

  • -
  • Obtain script by switching on the value of options's type member:

    @@ -99444,13 +99433,6 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope { parsing the `Referrer-Policy` header of response.

  • -
  • If is shared is false and response's - url's scheme is "data", then set - worker global scope's effective cross-origin - isolated to false. -

  • If response's url's scheme is a local scheme, then set worker global scope's SharedWorkerGlobalScope : WorkerGlobalScope { and response is false, then set response to a network error.

  • +
  • Set worker global scope's effective cross-origin + isolated to agent's agent cluster's cross-origin + isolated.

  • + +
  • If is shared is false and owner's effective cross-origin + isolated is false, then set worker global scope's effective cross-origin + isolated to false.

  • + +
  • If is shared is false and response's + url's scheme is "data", then set + worker global scope's effective cross-origin + isolated to false. +

  • Execute the Initialize a global object's CSP list algorithm on worker global scope and response.
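
Review bot: Both override steps in the moved block are gated on is shared being false, so for a shared worker the value stays whatever agent's agent cluster's cross-origin isolated is, with no policy input at all; if that is intended, say so next to the first step. The data: URL step in particular forces the value to false with no stated reason, and a short note giving the rationale would keep it from looking arbitrary to implementers.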

  • From 3e68cd98f093e97cb39f1e24ed337419d5c0001c Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Fri, 7 Aug 2020 15:32:32 -0400 Subject: [PATCH 7/8] Rename and add note; other minor editorial tweaks --- source | 71 +++++++++++++++++++++++++++++++++------------------------- 1 file changed, 40 insertions(+), 31 deletions(-) diff --git a/source b/source index 1d35cced874..69ee00d1648 100644 --- a/source +++ b/source @@ -79113,13 +79113,13 @@ interface BarProp { Document's embedder policy.

    -
    The effective - cross-origin isolated boolean
    -

    Return the logical conjunction of realm's corresponding agent - cluster's cross-origin isolated and whether window's The cross-origin + isolated capability +

    Return the logical conjunction of realm's agent cluster's + cross-origin isolated and whether window's associated Document is allowed to - use the "cross-origin-isolated" feature.

    + use the "cross-origin-isolated" + feature.

    @@ -87578,11 +87578,11 @@ interface ApplicationCache : EventTarget { performed using this environment settings object as a request client.

    -
    An effective cross-origin isolated boolean
    +
    A cross-origin isolated capability
    -

    A boolean representing whether it is allowed to use APIs that require cross-origin - isolation.

    +

    A boolean representing whether scripts that use this environment settings + object are allowed to use APIs that require cross-origin isolation.

    An environment settings object also has an outstanding rejected promises @@ -92568,8 +92568,8 @@ document.body.appendChild(frame)

    The crossOriginIsolated getter steps are to return this's relevant settings object's effective cross-origin - isolated.

    + data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated + capability.

    @@ -98995,8 +98995,8 @@ interface WorkerGlobalScope : EventTarget {

    A WorkerGlobalScope object has an associated effective cross-origin - isolated boolean. It is initially false.

    + data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated + capability boolean. It is initially false.

    @@ -99461,22 +99461,31 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope { error.

  • Set worker global scope's effective cross-origin - isolated to agent's agent cluster's cross-origin + data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated + capability to agent's agent cluster's cross-origin isolated.

  • If is shared is false and owner's effective cross-origin - isolated is false, then set worker global scope's effective cross-origin - isolated to false.

  • - -
  • If is shared is false and response's - url's scheme is "data", then set - worker global scope's effective cross-origin - isolated to false. + data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated + capability is false, then set worker global scope's cross-origin isolated + capability to false.

  • + +
  • +

    If is shared is false and response's + url's scheme is "data", then set + worker global scope's cross-origin isolated + capability to false.

    + +

    This is a conservative default for now, while we figure out how workers in + general, and data: URL workers in particular (which are + cross-origin from their owner), should be treated in the context of permissions policies. See + w3c/webappsec-permissions-policy + issue #207 for more details.

    +
  • Execute the Initialize a global object's CSP list algorithm on worker global scope and response.
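
Review bot: In the added note under the data: URL step, "should be treated" reads like a requirement keyword inside explanatory text. Rephrasing it descriptively, for example "will be treated" or "are to be treated", keeps the note from being read as a conformance statement.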

  • @@ -99777,11 +99786,11 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope { data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy.

    -
    The effective - cross-origin isolated boolean
    +
    The cross-origin + isolated capability

    Return worker global scope's effective cross-origin - isolated.

    + data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated + capability.

    From cb230652db35778c61e0d727323db9a900296fe8 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Fri, 7 Aug 2020 15:36:21 -0400 Subject: [PATCH 8/8] oops --- source | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source b/source index 69ee00d1648..e92ad18253d 100644 --- a/source +++ b/source @@ -99481,7 +99481,7 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope {

    This is a conservative default for now, while we figure out how workers in general, and data: URL workers in particular (which are - cross-origin from their owner), should be treated in the context of permissions policies. See + cross-origin from their owner), will be treated in the context of permissions policies. See w3c/webappsec-permissions-policy issue #207 for more details.