From 7480ee17d9a6b214cd73111f75a44b2fc18cb235 Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Wed, 18 Nov 2020 18:35:41 +0100 Subject: [PATCH 1/6] Make COOP+COEP not imply crossOriginIsolated. The [specification] currently requires [COOP] + [COEP] to give access to crossOriginIsolated capabilities like SharedArrayBuffer. Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However, there are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present. It would be great to enforce COEP (and maybe COOP) on all platforms, despite the lack of crossOriginIsolated capabilities. This patch makes the specification allow (instead of require) platforms to set the crossOriginIsolated flag when both COOP and COEP are used. Setting crossOriginIsolated becomes platform dependent. In exchange, we can enforce COEP (and COOP) in a non-platform-dependent way, without conflicting with the specification about crossOriginIsolated. [Bug]: https://github.com/whatwg/html/issues/6060 [specification]: https://html.spec.whatwg.org/#cross-origin-opener-policies [COOP]: https://html.spec.whatwg.org/#cross-origin-opener-policy [COEP]: https://html.spec.whatwg.org/#coep --- source | 151 +++++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 110 insertions(+), 41 deletions(-) diff --git a/source b/source index 228b0ba53f8..6778885a97e 100644 --- a/source +++ b/source @@ -8087,15 +8086,6 @@ interface DOMStringList {
  • Let agentCluster be the surrounding agent's agent cluster.

  • -
  • -

    If agentCluster's cross-origin isolated is false, then throw a - "DataCloneError" DOMException.

    - -

    This check is only needed when serializing (and not when deserializing) as - cross-origin isolated cannot change over time and a - SharedArrayBuffer cannot leave an agent cluster.

    -
  • -
  • If forStorage is true, then throw a "DataCloneError" DOMException.
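Review bot: removing the serialize-time check in this hunk without a replacement in the same hunk means a SharedArrayBuffer from a non-isolated agent cluster now serializes successfully and the DataCloneError surfaces only where the deserializer checks (the @@ -8512 hunk below), i.e. at the point of deserialization rather than serialization; that is an observable change and deserves a sentence in the commit message. The replacement check in that hunk is also phrased as "targetRealm's cross-origin isolated capability", but the capability is defined on the global scope or settings object (compare "worker global scope's cross-origin isolated capability" later in this patch), not on a realm, so the term should point at the right object, and "then throw "DataCloneError" DOMException" is missing its "a".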

  • @@ -8512,6 +8503,18 @@ o.myself = o; serialized.[[AgentCluster]], then then throw a "DataCloneError" DOMException.

    +
  • If targetRealm's cross-origin isolated capability is false, then throw + "DataCloneError" DOMException.

    + +

    This check is only needed when deserializing (and not when serializing) as + + cross-origin isolated capability cannot change over time and a + SharedArrayBuffer cannot leave an agent + cluster.

    +
  • +
  • Otherwise, set value to a new SharedArrayBuffer object in targetRealm whose [[ArrayBufferData]] internal slot value is serialized.[[ArrayBufferData]] and whose [[ArrayBufferByteLength]] internal slot @@ -77983,8 +77986,43 @@ console.assert(iframeWindow.frameElement === null); keys to agent clusters). User agents are responsible for collecting agent clusters when it is deemed that nothing can access them anymore.

    -

    A browsing context group has a cross-origin isolated boolean. It is initially false.

    +

    A browsing context group has a cross-origin-isolation variable of type + cross-origin-isolation. Initially set to"isolation-none"

    + +

    A cross-origin-isolation type can take 3 possible values:

    + + +
    +

    + isolation-logical and + isolation-concrete are similar. They are both used + for browsing context group, where: +

    +
      +
    • Every top-level Document has ` + Cross-Origin-Opener-Policy: + same-origin`

    • + +
    • Every Document has + `Cross-Origin-Embedder-Policy: + require-corp`

    • +
    +

    + On some platforms, it is difficult to provide the security properties required + by the cross-origin + isolated capability. As a result, only isolation-concrete can grant access to the cross-origin isolated + capability. isolation-concrete is + used on platform not supporting this capability. +

    +

    A browsing context group has an associated historical agent cluster key map, which is a map of BarProp {

    The cross-origin isolated capability
    -

    Return the logical conjunction of realm's agent cluster's - cross-origin isolated and whether window's associated Document is allowed to - use the "cross-origin-isolated" - feature.

    +

    Return the logical conjunction of:

    +
      +
    1. realm's agent cluster's cross-origin-isolation is isolation-concrete

    2. + +
    3. associated Document is + allowed to use the "cross-origin-isolated" feature.

      +
    +
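Review bot: the note at the end of the @@ -77983 hunk contradicts itself: it first says only isolation-concrete can grant access to the cross-origin isolated capability and then that "isolation-concrete is used on platform not supporting this capability"; the second sentence should name isolation-logical (and say "platforms"). In the same hunk, "Initially set to"isolation-none"" is missing a space and a full stop, and "They are both used for browsing context group" should be plural. In the BarProp hunk that follows, "Return the logical conjunction of:" drops "window's" from "window's associated Document", so the second conjunct no longer says whose Document is being checked.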
  • @@ -80423,8 +80467,9 @@ interface BarProp { a registrable domain suffix of and is not equal to effectiveDomain, then throw a "SecurityError" DOMException.

    -
  • If the surrounding agent's agent cluster's cross-origin - isolated is true, then return.

  • +
  • If the surrounding agent's agent cluster's + cross-origin-isolation is not isolation-none then return.

  • If the surrounding agent's agent cluster's is origin-keyed is true, then return.
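Review bot: the new early return in this hunk ("cross-origin-isolation is not isolation-none then return") is immediately followed by the existing "is origin-keyed is true, then return", and the agent cluster key steps later in this patch set key to origin whenever the group's cross-origin-isolation is not isolation-none, which makes such clusters origin-keyed; the new step is therefore redundant and could be dropped in favour of the existing one. If it is kept, add the comma before "then".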

  • @@ -80533,10 +80578,11 @@ interface BarProp { and the originAgentCluster getter will always return true.

    -

    Similarly, Documents in a cross-origin isolated - agent cluster are automatically origin-keyed. The `Origin-Agent-Cluster` header might be useful as an - additional hint to implementations about resource allocation, since the `Similarly, Documents with agent cluster's + cross-origin-isolated not isolation-none are automatically origin-isolated. The + `Origin-Agent-Cluster` header might be useful as + an additional hint to implementations about resource allocation, since the `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy` headers used to achieve cross-origin isolation are more about ensuring that everything in the same address space opts in to being there. But adding @@ -80900,8 +80946,9 @@ interface BarProp {

    This behaves the same as "same-origin", with the addition that it sets the (new) top-level browsing context's group's cross-origin isolated to - true.

    + group">group's cross-origin-isolation to + isolation-logical or isolation-concrete

    "same-origin-plus-COEP" cannot be directly set via the `BarProp {

  • If navigationCOOP's value is "same-origin-plus-COEP", then set - newBrowsingContext's group's cross-origin isolated to true.

  • + newBrowsingContext's group's cross-origin-isolation to: isolation-logical or isolation-concrete. The one used is + platform-specific.

    + +

    It is difficult on some platforms to provide the security properties required by + the cross-origin isolated + capability. Only the isolation-concrete might grant access to it. + Isolation-logical won't and is used for the + platforms not supporting it.

    +
  • If sandboxFlags is not empty, then:
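Review bot: the @@ -80533 hunk says Documents whose cluster is not isolation-none "are automatically origin-isolated", but the term used everywhere else in this patch is "origin-keyed" (see the is origin-keyed step above), and it names the variable "cross-origin-isolated" rather than the "cross-origin-isolation" defined in the @@ -77983 hunk; both should be aligned. In the @@ -80900 hunk and the navigation hunk after it, "The one used is platform-specific" should use the spec's own "implementation-defined" wording, the sentence ending "isolation-logical or isolation-concrete" is missing its full stop, and "Isolation-logical" should keep the lowercase identifier form used elsewhere.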

    @@ -86741,9 +86799,11 @@ interface BeforeUnloadEvent : Event {

    Contains various Window objects which can potentially reach each other, either directly or by using document.domain.

    -

    If the encompassing agent cluster's cross-origin isolated is true, - then all the Window objects will be same origin, can reach each other - directly, and document.domain will no-op.

    +

    If the encompassing agent cluster's cross-origin-isolation is not isolation-none, then all the Window + objects will be same origin, can reach each other directly, and document.domain will no-op.

    Two Window objects that are same origin can be in different similar-origin window agents, for @@ -86825,8 +86885,10 @@ interface BeforeUnloadEvent : Event {

    -

    An agent cluster has an associated cross-origin isolated (a boolean), - which is initially false.

    +

    An agent cluster has an associated cross-origin-isolation variable, of type + cross-origin-isolation. Initially set to isolation-none.

    An agent cluster has an associated is origin-keyed (a boolean), which is initially false.

    @@ -86854,8 +86916,10 @@ interface BeforeUnloadEvent : Event {
  • Let key be site.

  • -
  • If group's cross-origin - isolated is true, then set key to origin.

  • +
  • If group's cross-origin-isolation is not isolation-none, then set key to + origin.

  • Otherwise, if group's historical agent cluster key map[origin] exists, then set key to @@ -86880,8 +86944,9 @@ interface BeforeUnloadEvent : Event {

    1. Let agentCluster be a new agent cluster.

    2. -
    3. Set agentCluster's cross-origin isolated to group's - cross-origin isolated.

    4. +
    5. Set agentCluster's cross-origin-isolation to group's + cross-origin-isolation.

    6. Set agentCluster's is origin-keyed to true if key equals origin; otherwise false.

    7. @@ -87262,8 +87327,9 @@ interface BeforeUnloadEvent : Event { href="https://github.com/tc39/ecma262/issues/1357">tc39/ecma262#1357.

    8. -

      If agent's agent cluster's cross-origin isolated is - false, then:

      +

      If agent's agent cluster's cross-origin-isolation is isolation-none, then:

      1. Let global be realm's global @@ -99183,8 +99249,11 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope {

        If worker global scope's embedder policy is "require-corp" and is shared is true, then set - agent's agent cluster's cross-origin isolated to - true.

        + agent's agent cluster's cross-origin-isolated to isolation-logical or isolation-concrete. The one chosen is + platform-specific.

        This really ought to be set when the agent cluster is created, which requires a redesign of this section.
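Review bot: the @@ -99183 hunk sets "agent's agent cluster's cross-origin-isolated", but the agent cluster field introduced in the @@ -86825 hunk is named "cross-origin-isolation"; the name should match, and "The one chosen is platform-specific" should be "implementation-defined" as elsewhere. In the @@ -99197 hunk that follows, the worker global scope's cross-origin isolated capability (a boolean) is set directly to the three-valued cross-origin-isolation; it needs to be "true if ... is isolation-concrete; otherwise false", mirroring how the capability is derived in the BarProp getter above.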

        @@ -99197,8 +99266,8 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope {
      2. Set worker global scope's cross-origin isolated - capability to agent's agent cluster's cross-origin - isolated.

      3. + capability to agent's agent cluster's cross-origin-isolation.

      4. If is shared is false and owner's cross-origin isolated From 075c677b0f4c7aaaaac4e76634ca85c4b719172a Mon Sep 17 00:00:00 2001 From: Arthur Sonzogni Date: Tue, 15 Dec 2020 16:14:07 +0100 Subject: [PATCH 2/6] Revert checking targetRealm for transfer SAB. --- source | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/source b/source index 6778885a97e..0c8ec3c6627 100644 --- a/source +++ b/source @@ -8086,6 +8086,17 @@ interface DOMStringList {

        1. Let agentCluster be the surrounding agent's agent cluster.

        2. +
        3. +

          If agentCluster's cross-origin isolated + capability is false, then throw a + "DataCloneError"DOMException.

          + +

          This check is only needed when serializing (and not when deserializing) as + cross-origin isolated + cannot change over time and a SharedArrayBuffer cannot leave an + agent cluster.

          +
        4. If forStorage is true, then throw a "DataCloneError" DOMException.
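Review bot: the restored serialize-time check in this hunk reads "agentCluster's cross-origin isolated capability", but after patch 1 an agent cluster carries a cross-origin-isolation value, not a capability; the capability (which in the BarProp getter also folds in the "allowed to use the cross-origin-isolated feature" check) belongs to the settings object or global scope, so the check should be phrased against the current settings object's capability rather than the agent cluster. Also ""DataCloneError"DOMException" is missing a space, and the note "cross-origin isolated cannot change over time" should say "the cross-origin isolated capability".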

        5. @@ -8503,18 +8514,6 @@ o.myself = o;
          serialized.[[AgentCluster]], then then throw a "DataCloneError" DOMException.

          -
        6. If targetRealm's cross-origin isolated capability is false, then throw - "DataCloneError" DOMException.

          - -

          This check is only needed when deserializing (and not when serializing) as - - cross-origin isolated capability cannot change over time and a - SharedArrayBuffer cannot leave an agent - cluster.

          -
        7. -
        8. Otherwise, set value to a new SharedArrayBuffer object in targetRealm whose [[ArrayBufferData]] internal slot value is serialized.[[ArrayBufferData]] and whose [[ArrayBufferByteLength]] internal slot From b955b10fcbadbf349402c082677ea9d1b0a7e3d7 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Thu, 17 Dec 2020 14:06:08 -0500 Subject: [PATCH 3/6] Editorial fixes --- source | 200 ++++++++++++++++++++++++++++----------------------------- 1 file changed, 99 insertions(+), 101 deletions(-) diff --git a/source b/source index 0c8ec3c6627..e2f1c6e8581 100644 --- a/source +++ b/source @@ -8084,18 +8084,16 @@ interface DOMStringList {

          If ! IsSharedArrayBuffer(value) is true, then:

            -
          1. Let agentCluster be the surrounding agent's - agent cluster.

          2. -

            If agentCluster's If the current settings object's cross-origin isolated - capability is false, then throw a - "DataCloneError"DOMException.

            + capability is false, then throw a "DataCloneError" + DOMException.

            This check is only needed when serializing (and not when deserializing) as - cross-origin isolated - cannot change over time and a SharedArrayBuffer cannot leave an - agent cluster.

            + the cross-origin + isolated capability cannot change over time and a SharedArrayBuffer + cannot leave an agent cluster.

          3. If forStorage is true, then throw a @@ -77985,44 +77983,6 @@ console.assert(iframeWindow.frameElement === null); keys to agent clusters). User agents are responsible for collecting agent clusters when it is deemed that nothing can access them anymore.

            -

            A browsing context group has a cross-origin-isolation variable of type - cross-origin-isolation. Initially set to"isolation-none"

            - -

            A cross-origin-isolation type can take 3 possible values:

            -
              -
            • isolation-none
            • -
            • isolation-logical
            • -
            • isolation-concrete
            • -
            - -
            -

            - isolation-logical and - isolation-concrete are similar. They are both used - for browsing context group, where: -

            -
              -
            • Every top-level Document has ` - Cross-Origin-Opener-Policy: - same-origin`

            • - -
            • Every Document has - `Cross-Origin-Embedder-Policy: - require-corp`

            • -
            -

            - On some platforms, it is difficult to provide the security properties required - by the cross-origin - isolated capability. As a result, only isolation-concrete can grant access to the cross-origin isolated - capability. isolation-concrete is - used on platform not supporting this capability. -

            -
            -

            A browsing context group has an associated historical agent cluster key map, which is a map of origins to agent cluster keys. This @@ -78033,6 +77993,41 @@ console.assert(iframeWindow.frameElement === null);

            The historical agent cluster key map only ever gains entries over the lifetime of the browsing context group.

            +

            A browsing context group has a cross-origin isolation mode, which is a + cross-origin isolation mode. It is initially "none".

            + +

            A cross-origin isolation mode is one of three possible values: "none", "logical", or "concrete".

            + +
            +

            "logical" and "concrete" are similar. They are both used for + browsing context groups where:

            + +
              +
            • every top-level Document has `Cross-Origin-Opener-Policy: same-origin`, and

            • + +
            • every Document has `Cross-Origin-Embedder-Policy: require-corp`.

            • +
            + +

            On some platforms, it is difficult to provide the security properties required to grant safe + access to the APIs gated by the cross-origin isolated + capability. As a result, only "concrete" can grant access that capability. + "logical" is used on platform not supporting + this capability, where various restrictions imposed by cross-origin isolation will still apply, + but the capability is not granted.

            +
            +

            To create a new browsing context group, run these steps:
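Review bot: in the @@ -78033 hunk, "only "concrete" can grant access that capability" is missing "to", and ""logical" is used on platform not supporting this capability" should read "platforms". The hunk's new note now states what "logical" means in practice (the restrictions apply, the capability is not granted), which resolves the inverted sentence from patch 1. In the @@ -8084 hunk, switching the serialize check to "the current settings object's cross-origin isolated capability" means a Document that is in a "concrete" cluster but is not allowed to use the "cross-origin-isolated" feature will now also fail to serialize a SharedArrayBuffer; that looks intended, but the commit message should say so.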

            @@ -79681,16 +79676,17 @@ interface BarProp {
            The cross-origin isolated capability
            -

            Return the logical conjunction of:

            -
              -
            1. realm's agent cluster's cross-origin-isolation is isolation-concrete

            2. +
              +

              Return true if both of the following hold, and false otherwise:

              +
                +
              1. realm's agent cluster's cross-origin-isolation mode is "concrete", and

              2. -
              3. associated Document is - allowed to use the "cross-origin-isolated" feature.

                -
              +
            3. window's associated + Document is allowed to use the "cross-origin-isolated" feature.

            4. +
          4. @@ -80466,9 +80462,9 @@ interface BarProp { a registrable domain suffix of and is not equal to effectiveDomain, then throw a "SecurityError" DOMException.

            -
          5. If the surrounding agent's agent cluster's - cross-origin-isolation is not isolation-none then return.

          6. +
          7. If the surrounding agent's agent cluster's cross-origin isolation mode is not "none", then return.

          8. If the surrounding agent's agent cluster's is origin-keyed is true, then return.

          9. @@ -80577,9 +80573,9 @@ interface BarProp { and the originAgentCluster getter will always return true.

            -

            Similarly, Documents with agent cluster's - cross-origin-isolated not isolation-none are automatically origin-isolated. The +

            Similarly, Documents whose agent cluster's + cross-origin isolation mode is not + "none" are automatically origin-keyed. The `Origin-Agent-Cluster` header might be useful as an additional hint to implementations about resource allocation, since the `Cross-Origin-Opener-Policy` and @@ -80945,9 +80941,9 @@ interface BarProp {

            This behaves the same as "same-origin", with the addition that it sets the (new) top-level browsing context's group's cross-origin-isolation to - isolation-logical or isolation-concrete

            + group">group's cross-origin isolation + mode to one of "logical" or "concrete".

            "same-origin-plus-COEP" cannot be directly set via the `BarProp {

          10. Let newBrowsingContext be the result of creating a new top-level browsing context.

          11. -
          12. If navigationCOOP's value is "same-origin-plus-COEP", then set - newBrowsingContext's group's cross-origin-isolation to: isolation-logical or isolation-concrete. The one used is - platform-specific.

            +
          13. +

            If navigationCOOP's value is "same-origin-plus-COEP", then set + newBrowsingContext's group's cross-origin isolation mode to either "logical" or "concrete". The choice of which is + implementation-defined.

            -

            It is difficult on some platforms to provide the security properties required by - the cross-origin isolated - capability. Only the isolation-concrete might grant access to it. - Isolation-logical won't and is used for the - platforms not supporting it.

            +

            It is difficult on some platforms to provide the security properties required by + the cross-origin + isolated capability. Only "concrete" might grant access to it. "logical" won't, and is used by implementations on + other platforms.

          14. @@ -86799,9 +86796,9 @@ interface BeforeUnloadEvent : Event { directly or by using document.domain.

            If the encompassing agent cluster's cross-origin-isolation is not isolation-none, then all the Window - objects will be same origin, can reach each other directly, and cross-origin isolation mode is not "none", then all the Window objects will + be same origin, can reach each other directly, and document.domain will no-op.

            Two Window objects that are same origin can be in @@ -86884,10 +86881,10 @@ interface BeforeUnloadEvent : Event {

            -

            An agent cluster has an associated cross-origin-isolation variable, of type - cross-origin-isolation. Initially set to isolation-none. +

            An agent cluster has an associated cross-origin isolation mode, which is a + cross-origin isolation mode. It is initially "none".

            An agent cluster has an associated is origin-keyed (a boolean), which is initially false.
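Review bot: the BarProp capability hunk (@@ -79681) writes "cross-origin-isolation mode is "concrete"" with a hyphen, while every other hunk in this patch uses "cross-origin isolation mode"; use the unhyphenated name so the cross-reference resolves to the same definition. Replacing "platform-specific" with "implementation-defined" in the navigation hunk is the right term.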

            @@ -86915,10 +86912,9 @@ interface BeforeUnloadEvent : Event {
          15. Let key be site.

          16. -
          17. If group's cross-origin-isolation is not isolation-none, then set key to - origin.

          18. +
          19. If group's cross-origin isolation + mode is not "none", then set + key to origin.

          20. Otherwise, if group's historical agent cluster key map[origin] exists, then set key to @@ -86943,9 +86939,10 @@ interface BeforeUnloadEvent : Event {

            1. Let agentCluster be a new agent cluster.

            2. -
            3. Set agentCluster's cross-origin-isolation to group's - cross-origin-isolation.

            4. +
            5. Set agentCluster's cross-origin isolation mode to + group's cross-origin isolation + mode.

            6. Set agentCluster's is origin-keyed to true if key equals origin; otherwise false.

            7. @@ -87326,9 +87323,9 @@ interface BeforeUnloadEvent : Event { href="https://github.com/tc39/ecma262/issues/1357">tc39/ecma262#1357.

            8. -

              If agent's agent cluster's cross-origin-isolation is isolation-none, then: +

              If agent's agent cluster's cross-origin isolation mode is "none", then:

              1. Let global be realm's global @@ -99248,11 +99245,11 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope {

                If worker global scope's embedder policy is "require-corp" and is shared is true, then set - agent's agent cluster's cross-origin-isolated to isolation-logical or isolation-concrete. The one chosen is - platform-specific.

                + agent's agent cluster's cross-origin isolation mode to "logical" or "concrete". The one chosen is + implementation-defined.

                This really ought to be set when the agent cluster is created, which requires a redesign of this section.
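Review bot: in the @@ -99265 hunk that follows, "Set worker global scope's cross-origin isolated capability to true if agent's agent cluster's cross-origin isolation mode is "concrete"" leaves the false case implicit; follow the convention used in the @@ -86943 hunk above ("true if key equals origin; otherwise false"). The @@ -99248 hunk still mutates the agent cluster's mode after the cluster exists, so the existing "really ought to be set when the agent cluster is created" caveat remains accurate and should stay.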

                @@ -99265,8 +99262,9 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope {
              2. Set worker global scope's cross-origin isolated - capability to agent's agent cluster's cross-origin-isolation.

              3. + capability to true if agent's agent cluster's cross-origin isolation mode is "concrete".

              4. If is shared is false and owner's cross-origin isolated From f28344f00ca4b743464ccca637a9be9b37da011a Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Thu, 17 Dec 2020 14:09:18 -0500 Subject: [PATCH 4/6] Consolidate a bit with "is origin-keyed" --- source | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/source b/source index e2f1c6e8581..856404123cd 100644 --- a/source +++ b/source @@ -80462,10 +80462,6 @@ interface BarProp { a registrable domain suffix of and is not equal to effectiveDomain, then throw a "SecurityError" DOMException.

              5. -
              6. If the surrounding agent's agent cluster's cross-origin isolation mode is not "none", then return.

              7. -
              8. If the surrounding agent's agent cluster's is origin-keyed is true, then return.
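Review bot: dropping the cross-origin isolation mode early return from the document.domain setter is only safe because the agent cluster key steps set key to origin whenever the group's mode is not "none", making those clusters origin-keyed; state that dependency in the commit message so the next editor does not re-add the check. The corresponding change to the similar-origin window agent note ("is origin-keyed is true" in the @@ -86795 hunk) matches this reasoning.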

              9. @@ -86795,11 +86791,9 @@ interface BeforeUnloadEvent : Event {

                Contains various Window objects which can potentially reach each other, either directly or by using document.domain.

                -

                If the encompassing agent cluster's cross-origin isolation mode is not "none", then all the Window objects will - be same origin, can reach each other directly, and document.domain will no-op.

                +

                If the encompassing agent cluster's is origin-keyed is true, then + all the Window objects will be same origin, can reach each other + directly, and document.domain will no-op.

                Two Window objects that are same origin can be in different similar-origin window agents, for From 7f36cd8bcbc1b159592795ab3a34f80660bedafb Mon Sep 17 00:00:00 2001 From: ArthurSonzogni Date: Sat, 19 Dec 2020 19:21:41 +0100 Subject: [PATCH 5/6] Address annevk@ comments. --- source | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/source b/source index 856404123cd..428ca05e7fb 100644 --- a/source +++ b/source @@ -81358,9 +81358,8 @@ interface BarProp {

                It is difficult on some platforms to provide the security properties required by the cross-origin isolated capability. Only "concrete" might grant access to it. "logical" won't, and is used by implementations on - other platforms.

                + data-x="cross-origin-isolation-concrete">concrete
                " can grant access to it. "logical" won't.

              10. From 9c2fd1fb783cc3313f894d04a596d2696f4c4667 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Mon, 4 Jan 2021 16:40:33 +0100 Subject: [PATCH 6/6] wording nit --- source | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source b/source index 428ca05e7fb..8a5e08fe4e8 100644 --- a/source +++ b/source @@ -81357,9 +81357,9 @@ interface BarProp {

                It is difficult on some platforms to provide the security properties required by the cross-origin - isolated capability. Only "concrete" can grant access to it. "logical" won't.

                + isolated capability. "concrete" + grants access to it and "logical" does + not.