diff --git a/index.bs b/index.bs index 7b9f25eb..cb893427 100644 --- a/index.bs +++ b/index.bs @@ -1008,13 +1008,15 @@ The following extended attributes are applicable to interfaces: [{{LegacyWindowAlias}}], [{{LegacyFactoryFunction}}], [{{LegacyNoInterfaceObject}}], -[{{LegacyOverrideBuiltIns}}], and -[{{SecureContext}}]. +[{{LegacyOverrideBuiltIns}}], +[{{SecureContext}}], and +[{{CrossOriginIsolated}}]. The following extended attributes are applicable to [=partial interfaces=]: [{{Exposed}}], -[{{LegacyOverrideBuiltIns}}], and -[{{SecureContext}}]. +[{{LegacyOverrideBuiltIns}}], +[{{SecureContext}}], and +[{{CrossOriginIsolated}}]. [=Interfaces=] which are not annotated with a [{{LegacyNoInterfaceObject}}] [=extended attribute=] @@ -1256,7 +1258,7 @@ in the ECMAScript binding. Note that unlike [=interfaces=] or [=dictionaries=], [=interface mixins=] do not create types. Of the extended attributes defined in this specification, -only the [{{Exposed}}] and [{{SecureContext}}] extended attributes +only the [{{Exposed}}], [{{SecureContext}}], and [{{CrossOriginIsolated}}] extended attributes are applicable to [=interface mixins=]. An includes statement is a definition @@ -1782,7 +1784,8 @@ on which they appear. It is language binding specific whether The following extended attributes are applicable to constants: [{{Exposed}}], -[{{SecureContext}}]. +[{{SecureContext}}], and +[{{CrossOriginIsolated}}].
     Const :
@@ -1964,7 +1967,8 @@ The following [=extended attributes=]
 are applicable to regular and static attributes:
 [{{Exposed}}],
 [{{SameObject}}],
-[{{SecureContext}}].
+[{{SecureContext}}], and
+[{{CrossOriginIsolated}}].
 
 The following [=extended attributes=]
 are applicable only to regular attributes:
@@ -2418,6 +2422,7 @@ The following extended attributes are applicable to operations:
 [{{Exposed}}],
 [{{NewObject}}],
 [{{SecureContext}}],
+[{{CrossOriginIsolated}}], and
 [{{LegacyUnforgeable}}].
 
 The method steps of an operation |operation| should be introduced using text of the form
@@ -4278,7 +4283,8 @@ must not have a
 
 The following extended attributes are applicable to [=iterable declarations=]:
 [{{Exposed}}],
-[{{SecureContext}}].
+[{{SecureContext}}], and
+[{{CrossOriginIsolated}}].
 
 
     Iterable :
@@ -4468,7 +4474,8 @@ must not have a [=maplike declaration=], [=setlike declaration=], or [=iterable
 
 The following extended attributes are applicable to [=asynchronously iterable declarations=]:
 [{{Exposed}}],
-[{{SecureContext}}].
+[{{SecureContext}}], and
+[{{CrossOriginIsolated}}].
 
 Issue: these [=extended attributes=] are not currently taken into account.
 When they are, the effect will be as you would expect.
@@ -4718,7 +4725,7 @@ The order that members appear in has significance for property enumeration in th
 
 Note that unlike interfaces or dictionaries, namespaces do not create types.
 
-Of the extended attributes defined in this specification, only the [{{Exposed}}] and [{{SecureContext}}] extended attributes are applicable to namespaces.
+Of the extended attributes defined in this specification, only the [{{Exposed}}], [{{SecureContext}}], and [{{CrossOriginIsolated}}] extended attributes are applicable to namespaces.
 
 [=Namespaces=] must be annotated with the [{{Exposed}}] [=extended attribute=].
 
@@ -9349,11 +9356,13 @@ Otherwise, it is the [=host interface=]'s [=exposure set=].
 
     1.  If |realm|.\[[GlobalObject]] does not implement an [=interface=]
         that is in |construct|'s [=exposure set=], then return false.
-    1.  If |construct| is [=available in both secure and non-secure contexts=],
-        then return true.
-    1.  If the [=relevant settings object=] of |realm|.\[[GlobalObject]] is a [=secure context=],
-        then return true.
-    1.  Otherwise, return false.
+    1.  If the [=relevant settings object=] of |realm|.\[[GlobalObject]] is not a
+        [=secure context=], and |construct| is [=available only in secure contexts=],
+        then return false.
+    1.  If the [=relevant settings object=] of |realm|.\[[GlobalObject]] is not
+        cross-origin isolated, and |construct| is
+        [=available only in cross-origin isolated contexts=], then return false.
+    1.  Otherwise, return true.
 
 
 Note: Since it is not possible for the [=relevant settings object=]
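Review bot: The added step that tests whether the relevant settings object is "cross-origin isolated" uses plain text with no definition link, unlike `[=secure context=]` in the step before it, so the condition cannot be evaluated from the spec as written. The new [CrossOriginIsolated] section in this commit already records that the term is pending in HTML (`ISSUE(whatwg/html#5435)`); repeating that issue marker directly under this step would stop readers of the exposure algorithm from treating the gate as fully specified. The rewritten steps also end in `Otherwise, return true`, so any later exposure-restricting attribute that is not given its own step here will be exposed by default. A one-line note saying that each such attribute needs an explicit `return false` step would make that omission easier to catch. The algorithm's opening lines are above this hunk.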
@@ -9901,10 +9910,6 @@ on any other construct.
 
 The [{{SecureContext}}] extended attribute must [=takes no arguments|take no arguments=].
 
-A construct is available in both secure and non-secure contexts if it is not
-[=available only in secure contexts=] (i.e., if no [{{SecureContext}}] extended attribute applies
-to it).
-
 
To check if a construct |C| is
@@ -10009,6 +10014,131 @@ that does specify [{{SecureContext}}].
+

[CrossOriginIsolated]

+
+If the [{{CrossOriginIsolated}}] [=extended attribute=] appears on an
+[=interface=],
+[=partial interface=],
+[=interface mixin=],
+[=partial interface mixin=],
+[=callback interface=],
+[=namespace=],
+[=partial namespace=],
+[=interface member=],
+[=interface mixin member=], or
+[=namespace member=],
+it indicates that the construct is [=exposed=]
+only within a cross-origin isolated context.
+The [{{CrossOriginIsolated}}] extended attribute must not be used
+on any other construct.
+
+ISSUE(whatwg/html#5435): "cross-origin isolated context" ought to be defined in HTML.
+
+The [{{CrossOriginIsolated}}] extended attribute must [=takes no arguments|take no arguments=].
+
+
+
+ To check if a construct |C| is
+ available only in cross-origin isolated contexts,
+ run the following steps:
+
+ 1. Assert: |C| is an [=interface=], [=callback interface=], [=namespace=],
+ [=interface member=], [=interface mixin member=], or [=namespace member=].
+ 1. Let |H| be |C|'s [=host interface=] if |C| is an [=interface mixin member=], or null otherwise.
+ 1. If |C| is an [=interface member=], [=interface mixin member=], or [=namespace member=], then:
+ 1. If the [{{SecureContext}}] [=extended attribute=] is specified on |C|,
+ then return true.
+ 1. Otherwise, set |C| to be the
+ [=interface=], [=partial interface=],
+ [=interface mixin=], [=partial interface mixin=],
+ [=namespace=], or [=partial namespace=]
+ |C| is declared on.
+ 1. If |C| is a [=partial interface=], [=partial interface mixin=], or [=partial namespace=], then:
+ 1. If the [{{CrossOriginIsolated}}] [=extended attribute=] is specified on |C|,
+ then return true.
+ 1. Otherwise, set |C| to be the original [=interface=], [=interface mixin=], or [=namespace=]
+ definition of |C|.
+ 1. If |C| is an [=interface mixin=], then:
+ 1. If the [{{CrossOriginIsolated}}] [=extended attribute=] is specified on |C|,
+ then return true.
+ 1. Otherwise, set |C| to |H|.
+ 1. Assert: |C| is an [=interface=], [=callback interface=] or [=namespace=].
+ 1. If the [{{CrossOriginIsolated}}] [=extended attribute=] is specified on |C|,
+ then return true.
+ 1. Otherwise, return false.
+
+
+Note: Whether a construct is [=available only in cross-origin isolated contexts=]
+influences whether it is [=exposed=] in a given [=Realm=].
+
+If [{{CrossOriginIsolated}}] appears on an [=overloaded=] [=operation=],
+then it must appear on all overloads.
+
+The [{{CrossOriginIsolated}}] [=extended attribute=] must not be specified both on
+
+* an [=interface member=] and its [=interface=] or [=partial interface=];
+* an [=interface mixin member=] and its [=interface mixin=] or [=partial interface mixin=];
+* a [=namespace member=] and its [=namespace=] or [=partial namespace=].
+
+Note: This is because adding the [{{CrossOriginIsolated}}] [=extended attribute=] on a [=member=]
+when its containing definition is also annotated with the [{{CrossOriginIsolated}}]
+[=extended attribute=] does not further restrict the exposure of the [=member=].
+
+An [=interface=] without the [{{CrossOriginIsolated}}] [=extended attribute=]
+must not [=interface/inherit=] from another interface
+that does specify [{{CrossOriginIsolated}}].
+
+
+
+ The following [=IDL fragment=] defines an interface with one [=operation=] that is executable
+ from all contexts, and two which are executable only from cross-origin isolated contexts.
+
+
+        [Exposed=Window]
+        interface PowerfulFeature {
+          // This call will succeed in all contexts.
+          Promise <Result> calculateNotSoSecretResult();
+
+          // This operation will not be exposed to a non-isolated context. In such a context,
+          // there will be no "calculateSecretResult" property on PowerfulFeature.prototype.
+          [CrossOriginIsolated] Promise<Result> calculateSecretResult();
+
+          // The same applies here: the attribute will not be exposed to a non-isolated context,
+          // and in a non-secure context there will be no "secretBoolean" property on
+          // PowerfulFeature.prototype.
+          [CrossOriginIsolated] readonly attribute boolean secretBoolean;
+        };
+
+        // HighResolutionTimer will not be exposed in a non-isolated context, nor will its members.
+        // In such a context, there will be no "HighResolutionTimer" property on Window.
+        [CrossOriginIsolated]
+        interface HighResolutionTimer {
+          DOMHighResTimeStamp getHighResolutionTime();
+        };
+
+        // The interface mixin members defined below will never be exposed in a non-isolated context,
+        // regardless of whether the interface that includes them is.
+        // In a non-isolated context, there will be no "snap" property on
+        // PowerfulFeature.prototype.
+        [CrossOriginIsolated]
+        interface mixin Snapshotable {
+          Promise<boolean> snap();
+        };
+        PowerfulFeature includes Snapshotable;
+
+        // On the other hand, the following interface mixin members will be exposed
+        // to a non-isolated context when included by a host interface
+        // that doesn't have the [CrossOriginIsolated] extended attribute.
+        // In a non-secure context, there will be a "log" property on
+        // PowerfulFeatures.prototype.
+        interface mixin Loggable {
+          Promise<boolean> log();
+        };
+        PowerfulFeatures includes Loggable;
+    
+
+
+

[Unscopable]

If the [{{Unscopable}}]
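Review bot: In the steps for "available only in cross-origin isolated contexts", the first sub-step of the member branch tests `[{{SecureContext}}]` where every other branch tests `[{{CrossOriginIsolated}}]`, which looks like a leftover from the [SecureContext] algorithm. As written, a member carrying only [SecureContext] is treated as isolation-gated, while a member annotated [CrossOriginIsolated] on an unannotated interface falls through to `return false` and stays exposed in non-isolated contexts. That is exactly the per-member case the example shows with `calculateSecretResult`. The sub-step should read `1. If the [{{CrossOriginIsolated}}] [=extended attribute=] is specified on |C|,`. The example comments have the same carry-over: the `secretBoolean` and `Loggable` comments say "non-secure context" where "non-isolated context" is meant, and the last lines name `PowerfulFeatures` although the interface is declared as `PowerfulFeature`.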