From 485cd3eb9bb0b7407496600455260591273bb795 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Wed, 8 Jul 2020 11:05:28 +0200
Subject: [PATCH] Add the cross-origin isolated primitive

A top-level navigation response with Cross-Origin-Opener-Policy set to same-origin and Cross-Origin-Embedder-Policy set to require-corp will create a cross-origin isolated browsing context group. And all agent clusters therein will be cross-origin isolated as well (shared and service workers can still not be, as they sit on the side).

This change also:

* Gates SharedArrayBuffer exposure behind that primitive for web compatibility reasons.
* Gates SharedArrayBuffer sharing behind that primitive.
* Exposes it through self.crossOriginIsolated.
* Makes document.domain return before it mutates the origin.
* Makes agent clusters keyed on origin.

Tests:

* https://github.com/web-platform-tests/wpt/pull/17719
* https://github.com/web-platform-tests/wpt/pull/17760
* https://github.com/web-platform-tests/wpt/pull/17761
* https://github.com/web-platform-tests/wpt/pull/17802
* https://github.com/web-platform-tests/wpt/pull/17909
* https://github.com/web-platform-tests/wpt/pull/18543
* https://github.com/web-platform-tests/wpt/pull/20116
* https://github.com/web-platform-tests/wpt/issues/22358

Closes #4732. Closes #5122. Closes #5444.

Follow-up: #5435 (and #5362).
---
 source | 117 ++++++++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 83 insertions(+), 34 deletions(-)

diff --git a/source b/source
index 150f5fd86cc..eb3dcecc753 100644
--- a/source
+++ b/source
@@ -8007,13 +8007,24 @@ interface <dfn>DOMStringList</dfn> {
       <p>If ! <span>IsSharedArrayBuffer</span>(<var>value</var>) is true, then:
 
       <ol>
+       <li><p>Let <var>agentCluster</var> be the <span>surrounding agent</span>'s
+       <span>agent cluster</span>.</p></li>
+
+       <li>
+        <p>If <var>agentCluster</var>'s <span>cross-origin isolated</span> is false, then throw a
+        <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>
+
+        <p class="note">This check is only needed when serializing (and not when deserializing) as
+        <span>cross-origin isolated</span> cannot change over time and a
+        <code>SharedArrayBuffer</code> cannot leave an <span>agent cluster</span>.</p>
+       </li>
+
        <li><p>If <var>forStorage</var> is true, then throw a
        <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p></li>
 
        <li><p>Set <var>serialized</var> to { [[Type]]: "SharedArrayBuffer", [[ArrayBufferData]]:
        <var>value</var>.[[ArrayBufferData]], [[ArrayBufferByteLength]]: <var>size</var>,
-       [[AgentCluster]]: the <span>current Realm Record</span>'s corresponding <span>agent
-       cluster</span> }.</p></li>
+       [[AgentCluster]]: <var>agentCluster</var> }.</p></li>
       </ol>
      </li>
 
@@ -77258,10 +77269,6 @@ console.assert(iframeWindow.frameElement === null);
   <p>A <span>browsing context group</span> has a <dfn data-x="bcg cross-origin
   isolated">cross-origin isolated</dfn> boolean. It is initially false.</p>
 
-  <p class="XXX">The impact of <span data-x="bcg cross-origin isolated">cross-origin
-  isolated</span> is under discussion in <a href="https://github.com/whatwg/html/pull/4734">issue
-  #4734</a>.</p>
-
   <p>To <dfn data-x="creating a new browsing context group">create a new browsing context
   group</dfn>, run these steps:</p>
 
@@ -79679,6 +79686,9 @@ interface <dfn>BarProp</dfn> {
    a registrable domain suffix of and is not equal to</span> <var>effectiveDomain</var>, then throw
    a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
+   <li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
+   isolated</span> is true, then return.</p></li>
+
    <li><p>Set this <code>Document</code> object's <span>origin</span>'s <span
    data-x="concept-origin-domain">domain</span> to the result of <span data-x="host
    parser">parsing</span> the given value.</p></li>
@@ -86848,6 +86858,10 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
     <p>Contains various <code>Window</code> objects which can potentially reach each other, either
     directly or by using <code data-x="dom-document-domain">document.domain</code>.</p>
 
+    <p>If the encompassing <span>agent cluster</span>'s <span>cross-origin isolated</span> is true,
+    then all the <code>Window</code> objects will be <span>same origin</span>, can reach each other
+    directly, and <code data-x="dom-document-domain">document.domain</code> will no-op.</p>
+
     <p class="note">Two <code>Window</code> objects that are <span>same origin</span> can be in
     different <span data-x="similar-origin window agent">similar-origin window agents</span>, for
     instance if they are each in their own <span>browsing context group</span>.</p>
@@ -86926,6 +86940,9 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
   ensure that web developers see interoperable behavior with regard to shared memory, even in the
   face of varying and changing user agent process models.</p>
 
+  <p>An <span>agent cluster</span> has an associated <dfn>cross-origin isolated</dfn> (a boolean),
+  which is initially false.</p>
+
   <div w-nodev>
 
   <hr>
@@ -86933,44 +86950,33 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
   <p>The following defines the allocation of the <span data-x="agent cluster">agent clusters</span>
   of <span data-x="similar-origin window agent">similar-origin window agents</span>.</p>
 
-  <p>An <dfn>agent cluster key</dfn> is a <span>site</span>.</p>
-
-  <p class="XXX"><a href="https://github.com/whatwg/html/pull/4734">whatwg/html #4734</a> is
-  expected to widen <span>agent cluster key</span> (but not <span>site</span>) to encompass all
-  <span data-x="concept-origin-tuple">tuple origins</span>.</p>
-
-  <p>To <dfn data-x="obtain-agent-cluster-key">obtain an agent cluster key</dfn>, given an origin
-  <var>origin</var>, return the result of <span data-x="obtain a site">obtaining a site</span> with
-  <var>origin</var>.</p>
+  <p>An <dfn>agent cluster key</dfn> is a <span>site</span> or <span
+  data-x="concept-origin-tuple">tuple origin</span> whose <span
+  data-x="concept-origin-host">host</span>'s <span>registrable domain</span> is non-null. I.e., an
+  <span>agent cluster key</span> can be a <span>scheme-and-registrable-domain</span> or any
+  <span>origin</span>.</p>
 
   <p>To <dfn data-x="obtain-similar-origin-window-agent">obtain a similar-origin window agent</dfn>,
   given an <span>origin</span> <var>origin</var> and <span>browsing context group</span>
   <var>group</var>, run these steps:</p>
 
   <ol>
-   <li><p>Let <var>clusterKey</var> be the result of <span
-   data-x="obtain-agent-cluster-key" data-export="">obtaining an agent cluster key</span> given
-   <var>origin</var>.</p></li>
-
-   <li><p>Let <var>agentCluster</var> be the result of <span
-   data-x="obtain-browsing-agent-cluster">obtaining a browsing context agent cluster</span> with
-   <var>group</var> and <var>clusterKey</var>.</p></li>
-
-   <li><p>Return the single <span>similar-origin window agent</span> contained in
-   <var>agentCluster</var>.</p></li>
-  </ol>
+   <li><p>Let <var>clusterKey</var> be the result of <span data-x="obtain a site">obtaining a
+   site</span> with <var>origin</var>.</p></li>
 
-  <p>To <dfn data-x="obtain-browsing-agent-cluster">obtain a browsing context agent cluster</dfn>,
-  given a <span>browsing context group</span> <var>group</var> and <span>agent cluster key</span>
-  <var>key</var>, run these steps:</p>
+   <li><p>If <var>group</var>'s <span data-x="bcg cross-origin isolated">cross-origin
+   isolated</span> is true, then set <var>clusterKey</var> to <var>origin</var>.</p></li>
 
-  <ol>
    <li>
     <p>If <var>group</var>'s <span>agent cluster map</span>[<var>key</var>] <span data-x="map
-    exists">does not exist, then:</span></p>
+    exists">does not exist</span>, then:</p>
+
     <ol>
      <li><p>Let <var>agentCluster</var> be a new <span>agent cluster</span>.</p></li>
 
+     <li><p>Set <var>agentCluster</var>'s <span>cross-origin isolated</span> to <var>group</var>'s
+     <span data-x="bcg cross-origin isolated">cross-origin isolated</span>.</p></li>
+
      <li><p>Add the result of <span data-x="create an agent">creating an agent</span>, given false,
      to <var>agentCluster</var>.</p></li>
 
@@ -86979,7 +86985,8 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
     </ol>
    </li>
 
-   <li><p>Return <var>group</var>'s <span>agent cluster map</span>[<var>key</var>].</p></li>
+   <li><p>Return the single <span>similar-origin window agent</span> contained in <var>group</var>'s
+   <span>agent cluster map</span>[<var>key</var>].</p></li>
   </ol>
 
   <p class="note">This means that there is only one <span>similar-origin window agent</span> per
@@ -87333,6 +87340,26 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
    is not yet defined in the JavaScript specification; see <a
    href="https://github.com/tc39/ecma262/issues/1357">tc39/ecma262#1357</a>.</span></p></li>
 
+   <li>
+    <p>If <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> is
+    false, then:</p>
+
+    <ol>
+     <li><p>Let <var>global</var> be <var>realm</var>'s <span data-x="concept-realm-global">global
+     object</span>.</p></li>
+
+     <li><p>Let <var>status</var> be ! <var>global</var>.[[Delete]]("<code
+     data-x="">SharedArrayBuffer</code>").</p></li>
+
+     <li><p>Assert: <var>status</var> is true.</p></li>
+    </ol>
+
+    <p class="note">This is done for compatibility with web content and there is some hope that this
+    can be removed in the future. Web developers can still get at the constructor through
+    <code class="js" data-x="">new WebAssembly.Memory({ shared:true, initial:0, maximum:0
+    }).buffer.constructor</code>.</p>
+   </li>
+
    <li><p>Return <var>realm execution context</var>.</p></li>
   </ol>
 
@@ -92138,6 +92165,7 @@ interface mixin <dfn>DocumentAndElementEventHandlers</dfn> {
 interface mixin <dfn>WindowOrWorkerGlobalScope</dfn> {
   [Replaceable] readonly attribute USVString <span data-x="dom-origin">origin</span>;
   readonly attribute boolean <span data-x="dom-isSecureContext">isSecureContext</span>;
+  readonly attribute boolean <span data-x="dom-crossOriginIsolated">crossOriginIsolated</span>;
 
   // base64 utility methods
   DOMString <span data-x="dom-btoa">btoa</span>(DOMString data);
@@ -92161,13 +92189,19 @@ interface mixin <dfn>WindowOrWorkerGlobalScope</dfn> {
 
   <dl class="domintro">
    <dt>self . <code subdfn data-x="dom-isSecureContext">isSecureContext</code></dt>
-
    <dd><p>Returns whether or not this global object represents a <span>secure context</span>. <ref
    spec=SECURE-CONTEXTS></p></dd>
 
    <dt>self . <code subdfn data-x="dom-origin">origin</code></dt>
-
    <dd><p>Returns the global object's <span>origin</span>, serialized as string.</p></dd>
+
+   <dt>self . <code subdfn data-x="dom-crossOriginIsolated">crossOriginIsolated</code></dt>
+   <dd><p>Returns whether the <span>surrounding agent</span>'s <span>agent cluster</span> is
+   <span>cross-origin isolated</span>. This depends on the `<code
+   data-x="">Cross-Origin-Opener-Policy</code>` and `<code
+   data-x="">Cross-Origin-Embedder-Policy</code>` HTTP response headers and determines whether
+   <code>SharedArrayBuffer</code> can be used with <code data-x="">postMessage()</code>
+   APIs.</p></dd>
   </dl>
 
   <div class="example">
@@ -92198,6 +92232,10 @@ document.body.appendChild(frame)</code></pre>
   data-x="concept-settings-object-origin">origin</span>, <span data-x="serialization of an
   origin">serialized</span>.</p>
 
+  <p>The <dfn data-x="dom-crossOriginIsolated"><code>crossOriginIsolated</code></dfn> getter steps
+  are to return the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
+  isolated</span>.</p>
+
   </div>
 
 
@@ -99090,6 +99128,17 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
      <span data-x="obtain an embedder policy">obtaining an embedder policy</span> from
      <var>response</var>.</p></li>
 
+     <li>
+      <p>If <var>worker global scope</var>'s <span
+      data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span> is "<code
+      data-x="coep-require-corp">require-corp</code>" and <var>is shared</var> is true, then set
+      <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> to
+      true.</p>
+
+      <p class="XXX">This really ought to be set when the agent cluster is created, which requires a
+      redesign of this section.</p>
+     </li>
+
      <li><p>If the result of <span data-x="check a global object's embedder policy">checking a
      global object's embedder policy</span> with <var>worker global scope</var>, <var>owner</var>,
      and <var>response</var> is false, then set <var>response</var> to a <span>network