Skip to content

Commit

Permalink
Add the cross-origin isolated primitive
Browse files Browse the repository at this point in the history
A top-level navigation response with Cross-Origin-Opener-Policy set to same-origin and Cross-Origin-Embedder-Policy set to require-corp will create a cross-origin isolated browsing context group. And all agent clusters therein will be cross-origin isolated as well (shared and service workers can still not be, as they sit on the side).

This change also:

* Gates SharedArrayBuffer exposure behind that primitive for web compatibility reasons.
* Gates SharedArrayBuffer sharing behind that primitive.
* Exposes it through self.crossOriginIsolated.
* Makes document.domain return before it mutates the origin.
* Makes agent clusters keyed on origin.

Tests:

* web-platform-tests/wpt#17719
* web-platform-tests/wpt#17760
* web-platform-tests/wpt#17761
* web-platform-tests/wpt#17802
* web-platform-tests/wpt#17909
* web-platform-tests/wpt#18543
* web-platform-tests/wpt#20116
* web-platform-tests/wpt#22358

Closes whatwg#4732. Closes whatwg#5122. Closes whatwg#5444.

Follow-up: whatwg#5435 (and whatwg#5362).
  • Loading branch information
annevk authored and mfreed7 committed Sep 11, 2020
1 parent 82b8fd8 commit 485cd3e
Showing 1 changed file with 83 additions and 34 deletions.
117 changes: 83 additions & 34 deletions source
Original file line number Diff line number Diff line change
Expand Up @@ -8007,13 +8007,24 @@ interface <dfn>DOMStringList</dfn> {
<p>If ! <span>IsSharedArrayBuffer</span>(<var>value</var>) is true, then:

<ol>
<li><p>Let <var>agentCluster</var> be the <span>surrounding agent</span>'s
<span>agent cluster</span>.</p></li>

<li>
<p>If <var>agentCluster</var>'s <span>cross-origin isolated</span> is false, then throw a
<span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>

<p class="note">This check is only needed when serializing (and not when deserializing) as
<span>cross-origin isolated</span> cannot change over time and a
<code>SharedArrayBuffer</code> cannot leave an <span>agent cluster</span>.</p>
</li>

<li><p>If <var>forStorage</var> is true, then throw a
<span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p></li>

<li><p>Set <var>serialized</var> to { [[Type]]: "SharedArrayBuffer", [[ArrayBufferData]]:
<var>value</var>.[[ArrayBufferData]], [[ArrayBufferByteLength]]: <var>size</var>,
[[AgentCluster]]: the <span>current Realm Record</span>'s corresponding <span>agent
cluster</span> }.</p></li>
[[AgentCluster]]: <var>agentCluster</var> }.</p></li>
</ol>
</li>

Expand Down Expand Up @@ -77258,10 +77269,6 @@ console.assert(iframeWindow.frameElement === null);
<p>A <span>browsing context group</span> has a <dfn data-x="bcg cross-origin
isolated">cross-origin isolated</dfn> boolean. It is initially false.</p>

<p class="XXX">The impact of <span data-x="bcg cross-origin isolated">cross-origin
isolated</span> is under discussion in <a href="https://github.com/whatwg/html/pull/4734">issue
#4734</a>.</p>

<p>To <dfn data-x="creating a new browsing context group">create a new browsing context
group</dfn>, run these steps:</p>

Expand Down Expand Up @@ -79679,6 +79686,9 @@ interface <dfn>BarProp</dfn> {
a registrable domain suffix of and is not equal to</span> <var>effectiveDomain</var>, then throw
a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>

<li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
isolated</span> is true, then return.</p></li>

<li><p>Set this <code>Document</code> object's <span>origin</span>'s <span
data-x="concept-origin-domain">domain</span> to the result of <span data-x="host
parser">parsing</span> the given value.</p></li>
Expand Down Expand Up @@ -86848,6 +86858,10 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
<p>Contains various <code>Window</code> objects which can potentially reach each other, either
directly or by using <code data-x="dom-document-domain">document.domain</code>.</p>

<p>If the encompassing <span>agent cluster</span>'s <span>cross-origin isolated</span> is true,
then all the <code>Window</code> objects will be <span>same origin</span>, can reach each other
directly, and <code data-x="dom-document-domain">document.domain</code> will no-op.</p>

<p class="note">Two <code>Window</code> objects that are <span>same origin</span> can be in
different <span data-x="similar-origin window agent">similar-origin window agents</span>, for
instance if they are each in their own <span>browsing context group</span>.</p>
Expand Down Expand Up @@ -86926,51 +86940,43 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
ensure that web developers see interoperable behavior with regard to shared memory, even in the
face of varying and changing user agent process models.</p>

<p>An <span>agent cluster</span> has an associated <dfn>cross-origin isolated</dfn> (a boolean),
which is initially false.</p>

<div w-nodev>

<hr>

<p>The following defines the allocation of the <span data-x="agent cluster">agent clusters</span>
of <span data-x="similar-origin window agent">similar-origin window agents</span>.</p>

<p>An <dfn>agent cluster key</dfn> is a <span>site</span>.</p>

<p class="XXX"><a href="https://github.com/whatwg/html/pull/4734">whatwg/html #4734</a> is
expected to widen <span>agent cluster key</span> (but not <span>site</span>) to encompass all
<span data-x="concept-origin-tuple">tuple origins</span>.</p>

<p>To <dfn data-x="obtain-agent-cluster-key">obtain an agent cluster key</dfn>, given an origin
<var>origin</var>, return the result of <span data-x="obtain a site">obtaining a site</span> with
<var>origin</var>.</p>
<p>An <dfn>agent cluster key</dfn> is a <span>site</span> or <span
data-x="concept-origin-tuple">tuple origin</span> whose <span
data-x="concept-origin-host">host</span>'s <span>registrable domain</span> is non-null. I.e., an
<span>agent cluster key</span> can be a <span>scheme-and-registrable-domain</span> or any
<span>origin</span>.</p>

<p>To <dfn data-x="obtain-similar-origin-window-agent">obtain a similar-origin window agent</dfn>,
given an <span>origin</span> <var>origin</var> and <span>browsing context group</span>
<var>group</var>, run these steps:</p>

<ol>
<li><p>Let <var>clusterKey</var> be the result of <span
data-x="obtain-agent-cluster-key" data-export="">obtaining an agent cluster key</span> given
<var>origin</var>.</p></li>

<li><p>Let <var>agentCluster</var> be the result of <span
data-x="obtain-browsing-agent-cluster">obtaining a browsing context agent cluster</span> with
<var>group</var> and <var>clusterKey</var>.</p></li>

<li><p>Return the single <span>similar-origin window agent</span> contained in
<var>agentCluster</var>.</p></li>
</ol>
<li><p>Let <var>clusterKey</var> be the result of <span data-x="obtain a site">obtaining a
site</span> with <var>origin</var>.</p></li>

<p>To <dfn data-x="obtain-browsing-agent-cluster">obtain a browsing context agent cluster</dfn>,
given a <span>browsing context group</span> <var>group</var> and <span>agent cluster key</span>
<var>key</var>, run these steps:</p>
<li><p>If <var>group</var>'s <span data-x="bcg cross-origin isolated">cross-origin
isolated</span> is true, then set <var>clusterKey</var> to <var>origin</var>.</p></li>

<ol>
<li>
<p>If <var>group</var>'s <span>agent cluster map</span>[<var>key</var>] <span data-x="map
exists">does not exist, then:</span></p>
exists">does not exist</span>, then:</p>

<ol>
<li><p>Let <var>agentCluster</var> be a new <span>agent cluster</span>.</p></li>

<li><p>Set <var>agentCluster</var>'s <span>cross-origin isolated</span> to <var>group</var>'s
<span data-x="bcg cross-origin isolated">cross-origin isolated</span>.</p></li>

<li><p>Add the result of <span data-x="create an agent">creating an agent</span>, given false,
to <var>agentCluster</var>.</p></li>

Expand All @@ -86979,7 +86985,8 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
</ol>
</li>

<li><p>Return <var>group</var>'s <span>agent cluster map</span>[<var>key</var>].</p></li>
<li><p>Return the single <span>similar-origin window agent</span> contained in <var>group</var>'s
<span>agent cluster map</span>[<var>key</var>].</p></li>
</ol>

<p class="note">This means that there is only one <span>similar-origin window agent</span> per
Expand Down Expand Up @@ -87333,6 +87340,26 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
is not yet defined in the JavaScript specification; see <a
href="https://github.com/tc39/ecma262/issues/1357">tc39/ecma262#1357</a>.</span></p></li>

<li>
<p>If <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> is
false, then:</p>

<ol>
<li><p>Let <var>global</var> be <var>realm</var>'s <span data-x="concept-realm-global">global
object</span>.</p></li>

<li><p>Let <var>status</var> be ! <var>global</var>.[[Delete]]("<code
data-x="">SharedArrayBuffer</code>").</p></li>

<li><p>Assert: <var>status</var> is true.</p></li>
</ol>

<p class="note">This is done for compatibility with web content and there is some hope that this
can be removed in the future. Web developers can still get at the constructor through
<code class="js" data-x="">new WebAssembly.Memory({ shared:true, initial:0, maximum:0
}).buffer.constructor</code>.</p>
</li>

<li><p>Return <var>realm execution context</var>.</p></li>
</ol>

Expand Down Expand Up @@ -92138,6 +92165,7 @@ interface mixin <dfn>DocumentAndElementEventHandlers</dfn> {
interface mixin <dfn>WindowOrWorkerGlobalScope</dfn> {
[Replaceable] readonly attribute USVString <span data-x="dom-origin">origin</span>;
readonly attribute boolean <span data-x="dom-isSecureContext">isSecureContext</span>;
readonly attribute boolean <span data-x="dom-crossOriginIsolated">crossOriginIsolated</span>;

// base64 utility methods
DOMString <span data-x="dom-btoa">btoa</span>(DOMString data);
Expand All @@ -92161,13 +92189,19 @@ interface mixin <dfn>WindowOrWorkerGlobalScope</dfn> {

<dl class="domintro">
<dt>self . <code subdfn data-x="dom-isSecureContext">isSecureContext</code></dt>

<dd><p>Returns whether or not this global object represents a <span>secure context</span>. <ref
spec=SECURE-CONTEXTS></p></dd>

<dt>self . <code subdfn data-x="dom-origin">origin</code></dt>

<dd><p>Returns the global object's <span>origin</span>, serialized as string.</p></dd>

<dt>self . <code subdfn data-x="dom-crossOriginIsolated">crossOriginIsolated</code></dt>
<dd><p>Returns whether the <span>surrounding agent</span>'s <span>agent cluster</span> is
<span>cross-origin isolated</span>. This depends on the `<code
data-x="">Cross-Origin-Opener-Policy</code>` and `<code
data-x="">Cross-Origin-Embedder-Policy</code>` HTTP response headers and determines whether
<code>SharedArrayBuffer</code> can be used with <code data-x="">postMessage()</code>
APIs.</p></dd>
</dl>

<div class="example">
Expand Down Expand Up @@ -92198,6 +92232,10 @@ document.body.appendChild(frame)</code></pre>
data-x="concept-settings-object-origin">origin</span>, <span data-x="serialization of an
origin">serialized</span>.</p>

<p>The <dfn data-x="dom-crossOriginIsolated"><code>crossOriginIsolated</code></dfn> getter steps
are to return the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
isolated</span>.</p>

</div>


Expand Down Expand Up @@ -99090,6 +99128,17 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
<span data-x="obtain an embedder policy">obtaining an embedder policy</span> from
<var>response</var>.</p></li>

<li>
<p>If <var>worker global scope</var>'s <span
data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span> is "<code
data-x="coep-require-corp">require-corp</code>" and <var>is shared</var> is true, then set
<var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> to
true.</p>

<p class="XXX">This really ought to be set when the agent cluster is created, which requires a
redesign of this section.</p>
</li>

<li><p>If the result of <span data-x="check a global object's embedder policy">checking a
global object's embedder policy</span> with <var>worker global scope</var>, <var>owner</var>,
and <var>response</var> is false, then set <var>response</var> to a <span>network
Expand Down

0 comments on commit 485cd3e

Please sign in to comment.