Define the [CrossOriginIsolated] extended attribute.

WebIDL currently defines a `[SecureContext]` extended attribute that
governs whether or not a given construct is exposed within a given
context. This patch defines a similar `[CrossOriginIsolated]` attribute
to govern exposure based on cross-origin isolation.

This supports the broader Securer Contexts proposal
(https://github.com/mikewest/securer-contexts), which aims to guide
spec authors to combat threats we've started paying more attention to
over the last few years.

Closes whatwg#875.

index.bs

@@ -1008,13 +1008,15 @@ The following extended attributes are applicable to interfaces:
 [{{LegacyWindowAlias}}],
 [{{LegacyFactoryFunction}}],
 [{{LegacyNoInterfaceObject}}],
-[{{LegacyOverrideBuiltIns}}], and
-[{{SecureContext}}].
+[{{LegacyOverrideBuiltIns}}],
+[{{SecureContext}}], and
+[{{CrossOriginIsolated}}].
 
 The following extended attributes are applicable to [=partial interfaces=]:
 [{{Exposed}}],
-[{{LegacyOverrideBuiltIns}}], and
-[{{SecureContext}}].
+[{{LegacyOverrideBuiltIns}}],
+[{{SecureContext}}], and
+[{{CrossOriginIsolated}}].
 
 [=Interfaces=] which are not annotated
 with a [{{LegacyNoInterfaceObject}}] [=extended attribute=]
@@ -1256,7 +1258,7 @@ in the <a href="#es-namespaces">ECMAScript binding</a>.
 Note that unlike [=interfaces=] or [=dictionaries=], [=interface mixins=] do not create types.
 
 Of the extended attributes defined in this specification,
-only the [{{Exposed}}] and [{{SecureContext}}] extended attributes
+only the [{{Exposed}}], [{{SecureContext}}], and [{{CrossOriginIsolated}}] extended attributes
 are applicable to [=interface mixins=].
 
 An <dfn>includes statement</dfn> is a definition
@@ -1782,7 +1784,8 @@ on which they appear.  It is language binding specific whether
 
 The following extended attributes are applicable to constants:
 [{{Exposed}}],
-[{{SecureContext}}].
+[{{SecureContext}}], and
+[{{CrossOriginIsolated}}].
 
 <pre class="grammar" id="prod-Const">
     Const :
@@ -1964,7 +1967,8 @@ The following [=extended attributes=]
 are applicable to regular and static attributes:
 [{{Exposed}}],
 [{{SameObject}}],
-[{{SecureContext}}].
+[{{SecureContext}}], and
+[{{CrossOriginIsolated}}].
 
 The following [=extended attributes=]
 are applicable only to regular attributes:
@@ -2418,6 +2422,7 @@ The following extended attributes are applicable to operations:
 [{{Exposed}}],
 [{{NewObject}}],
 [{{SecureContext}}],
+[{{CrossOriginIsolated}}], and
 [{{LegacyUnforgeable}}].
 
 The <dfn>method steps</dfn> of an operation |operation| should be introduced using text of the form
@@ -4278,7 +4283,8 @@ must not have a
 
 The following extended attributes are applicable to [=iterable declarations=]:
 [{{Exposed}}],
-[{{SecureContext}}].
+[{{SecureContext}}], and
+[{{CrossOriginIsolated}}].
 
 <pre class="grammar" id="prod-Iterable">
     Iterable :
@@ -4468,7 +4474,8 @@ must not have a [=maplike declaration=], [=setlike declaration=], or [=iterable
 
 The following extended attributes are applicable to [=asynchronously iterable declarations=]:
 [{{Exposed}}],
-[{{SecureContext}}].
+[{{SecureContext}}], and
+[{{CrossOriginIsolated}}].
 
 Issue: these [=extended attributes=] are not currently taken into account.
 When they are, the effect will be as you would expect.
@@ -4718,7 +4725,7 @@ The order that members appear in has significance for property enumeration in th
 
 Note that unlike interfaces or dictionaries, namespaces do not create types.
 
-Of the extended attributes defined in this specification, only the [{{Exposed}}] and [{{SecureContext}}] extended attributes are applicable to namespaces.
+Of the extended attributes defined in this specification, only the [{{Exposed}}], [{{SecureContext}}], and [{{CrossOriginIsolated}}] extended attributes are applicable to namespaces.
 
 [=Namespaces=] must be annotated with the [{{Exposed}}] [=extended attribute=].
 
@@ -9349,11 +9356,13 @@ Otherwise, it is the [=host interface=]'s [=exposure set=].
 
     1.  If |realm|.\[[GlobalObject]] does not implement an [=interface=]
         that is in |construct|'s [=exposure set=], then return false.
-    1.  If |construct| is [=available in both secure and non-secure contexts=],
-        then return true.
-    1.  If the [=relevant settings object=] of |realm|.\[[GlobalObject]] is a [=secure context=],
-        then return true.
-    1.  Otherwise, return false.
+    1.  If the [=relevant settings object=] of |realm|.\[[GlobalObject]] is not a
+        [=secure context=], and |construct| is [=available only in secure contexts=],
+        then return false.
+    1.  If the [=relevant settings object=] of |realm|.\[[GlobalObject]] is not
+        cross-origin isolated, and |construct| is
+        [=available only in cross-origin isolated contexts=], then return false.
+    1.  Otherwise, return true.
 </div>
 
 Note: Since it is not possible for the [=relevant settings object=]
@@ -9901,10 +9910,6 @@ on any other construct.
 
 The [{{SecureContext}}] extended attribute must [=takes no arguments|take no arguments=].
 
-A construct is <dfn export>available in both secure and non-secure contexts</dfn> if it is not
-[=available only in secure contexts=] (i.e., if no [{{SecureContext}}] extended attribute applies
-to it).
-
 <div algorithm>
 
     To check if a construct |C| is
@@ -10009,6 +10014,131 @@ that does specify [{{SecureContext}}].
 </div>
 
 
+<h4 id="CrossOriginIsolated" extended-attribute lt="CrossOriginIsolated">[CrossOriginIsolated]</h4>
+
+If the [{{CrossOriginIsolated}}] [=extended attribute=] appears on an
+[=interface=],
+[=partial interface=],
+[=interface mixin=],
+[=partial interface mixin=],
+[=callback interface=],
+[=namespace=],
+[=partial namespace=],
+[=interface member=],
+[=interface mixin member=], or
+[=namespace member=],
+it indicates that the construct is [=exposed=]
+only within a cross-origin isolated context.
+The [{{CrossOriginIsolated}}] extended attribute must not be used
+on any other construct.
+
+ISSUE(whatwg/html#5435): "cross-origin isolated context" ought to be defined in HTML.
+
+The [{{CrossOriginIsolated}}] extended attribute must [=takes no arguments|take no arguments=].
+
+<div algorithm>
+
+    To check if a construct |C| is
+    <dfn id="dfn-available-only-in-cross-origin-isolated-contexts" export>available only in cross-origin isolated contexts</dfn>,
+    run the following steps:
+
+    1.  Assert: |C| is an [=interface=], [=callback interface=], [=namespace=],
+        [=interface member=], [=interface mixin member=], or [=namespace member=].
+    1.  Let |H| be |C|'s [=host interface=] if |C| is an [=interface mixin member=], or null otherwise.
+    1.  If |C| is an [=interface member=], [=interface mixin member=], or [=namespace member=], then:
+        1.  If the [{{SecureContext}}] [=extended attribute=] is specified on |C|,
+            then return true.
+        1.  Otherwise, set |C| to be the
+            [=interface=], [=partial interface=],
+            [=interface mixin=], [=partial interface mixin=],
+            [=namespace=], or [=partial namespace=]
+            |C| is declared on.
+    1.  If |C| is a [=partial interface=], [=partial interface mixin=], or [=partial namespace=], then:
+        1.  If the [{{CrossOriginIsolated}}] [=extended attribute=] is specified on |C|,
+            then return true.
+        1.  Otherwise, set |C| to be the original [=interface=], [=interface mixin=], or [=namespace=]
+            definition of |C|.
+    1.  If |C| is an [=interface mixin=], then:
+        1.  If the [{{CrossOriginIsolated}}] [=extended attribute=] is specified on |C|,
+            then return true.
+        1.  Otherwise, set |C| to |H|.
+    1.  Assert: |C| is an [=interface=], [=callback interface=] or [=namespace=].
+    1.  If the [{{CrossOriginIsolated}}] [=extended attribute=] is specified on |C|,
+        then return true.
+    1.  Otherwise, return false.
+</div>
+
+Note: Whether a construct is [=available only in cross-origin isolated contexts=]
+influences whether it is [=exposed=] in a given [=Realm=].
+
+If [{{CrossOriginIsolated}}] appears on an [=overloaded=] [=operation=],
+then it must appear on all overloads.
+
+The [{{CrossOriginIsolated}}] [=extended attribute=] must not be specified both on
+
+* an [=interface member=] and its [=interface=] or [=partial interface=];
+* an [=interface mixin member=] and its [=interface mixin=] or [=partial interface mixin=];
+* a [=namespace member=] and its [=namespace=] or [=partial namespace=].
+
+Note: This is because adding the [{{CrossOriginIsolated}}] [=extended attribute=] on a [=member=]
+when its containing definition is also annotated with the [{{CrossOriginIsolated}}]
+[=extended attribute=] does not further restrict the exposure of the [=member=].
+
+An [=interface=] without the [{{CrossOriginIsolated}}] [=extended attribute=]
+must not [=interface/inherit=] from another interface
+that does specify [{{CrossOriginIsolated}}].
+
+<div class="example">
+
+    The following [=IDL fragment=] defines an interface with one [=operation=] that is executable
+    from all contexts, and two which are executable only from cross-origin isolated contexts.
+
+    <pre highlight="webidl">
+        [Exposed=Window]
+        interface PowerfulFeature {
+          // This call will succeed in all contexts.
+          Promise &lt;Result&gt; calculateNotSoSecretResult();
+
+          // This operation will not be exposed to a non-isolated context. In such a context,
+          // there will be no "calculateSecretResult" property on PowerfulFeature.prototype.
+          [CrossOriginIsolated] Promise&lt;Result&gt; calculateSecretResult();
+
+          // The same applies here: the attribute will not be exposed to a non-isolated context,
+          // and in a non-secure context there will be no "secretBoolean" property on
+          // PowerfulFeature.prototype.
+          [CrossOriginIsolated] readonly attribute boolean secretBoolean;
+        };
+
+        // HighResolutionTimer will not be exposed in a non-isolated context, nor will its members.
+        // In such a context, there will be no "HighResolutionTimer" property on Window.
+        [CrossOriginIsolated]
+        interface HighResolutionTimer {
+          DOMHighResTimeStamp getHighResolutionTime();
+        };
+
+        // The interface mixin members defined below will never be exposed in a non-isolated context,
+        // regardless of whether the interface that includes them is.
+        // In a non-isolated context, there will be no "snap" property on
+        // PowerfulFeature.prototype.
+        [CrossOriginIsolated]
+        interface mixin Snapshotable {
+          Promise&lt;boolean&gt; snap();
+        };
+        PowerfulFeature includes Snapshotable;
+
+        // On the other hand, the following interface mixin members will be exposed
+        // to a non-isolated context when included by a host interface
+        // that doesn't have the [CrossOriginIsolated] extended attribute.
+        // In a non-secure context, there will be a "log" property on
+        // PowerfulFeatures.prototype.
+        interface mixin Loggable {
+          Promise&lt;boolean&gt; log();
+        };
+        PowerfulFeatures includes Loggable;
+    </pre>
+</div>
+
+
 <h4 id="Unscopable" extended-attribute lt="Unscopable">[Unscopable]</h4>
 
 If the [{{Unscopable}}]