From 00564b8c5f510952208420857d1737e5ea2cca02 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 25 Jun 2019 17:12:37 +0200
Subject: [PATCH] Raise the bar for SharedArrayBuffer via postMessage()

This depends on the work to add Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy. It specifies how postMessage() is affected when both those headers are set for the agent clusters they impact.

Closes #4732.
---
 source | 46 ++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 44 insertions(+), 2 deletions(-)

diff --git a/source b/source
index 140a2eb94fa..5918b2bda28 100644
--- a/source
+++ b/source
@@ -8301,13 +8301,26 @@ interface <dfn>DOMStringList</dfn> {
       <p>If ! <span>IsSharedArrayBuffer</span>(<var>value</var>) is true, then:
 
       <ol>
+       <li><p>Let <var>agentCluster</var> be <span>surrounding agent</span>'s
+       <span>agent cluster</span>.</p></li>
+
+       <li>
+        <p>If <var>agentCluster</var>'s <dfn>cross-origin isolated</dfn> is false, then throw a
+        <!-- TODO: this is not the place to <dfn> this, but doing this for now so the build does not
+             fail -->
+        <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>
+
+        <p class="note">This check is only needed when serializing (and not when deserializing) as
+        <span>cross-origin isolated</span> cannot change over time and a
+        <code>SharedArrayBuffer</code> cannot leave an <span>agent cluster</span>.</p>
+       </li>
+
        <li><p>If <var>forStorage</var> is true, then throw a
        <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p></li>
 
        <li><p>Set <var>serialized</var> to { [[Type]]: "SharedArrayBuffer", [[ArrayBufferData]]:
        <var>value</var>.[[ArrayBufferData]], [[ArrayBufferByteLength]]: <var>size</var>,
-       [[AgentCluster]]: the <span>current Realm Record</span>'s corresponding <span>agent
-       cluster</span> }.</p></li>
+       [[AgentCluster]]: <var>agentCluster</var> }.</p></li>
       </ol>
      </li>
 
@@ -95774,6 +95787,9 @@ dictionary <dfn>ImageBitmapOptions</dfn> {
   are:</p>
 
   <ol>
+   <li><p>Set <var>serialized</var>.[[CrossOriginIsolated]] to <span>surrounding agent</span>'s
+   <span>agent cluster</span>'s <span>cross-origin isolated</span>.</p></li>
+
    <li><p>Set <var>serialized</var>.[[BitmapData]] to a copy of <var>value</var>'s <span
    data-x="concept-ImageBitmap-bitmap-data">bitmap data</span>.</p></li>
 
@@ -95786,6 +95802,17 @@ dictionary <dfn>ImageBitmapOptions</dfn> {
   are:</p>
 
   <ol>
+   <li>
+    <p>If <var>serialized</var>.[[OriginClean]] is false,
+    <var>serialized</var>.[[CrossOriginIsolated]] is false, and <span>surrounding agent</span>'s
+    <span>agent cluster</span>'s <span>cross-origin isolated</span> is true, then throw a
+    <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>
+
+    <p class="warning">To truly protect against sidechannel attacks implementations should avoid
+    transmitting <var>serialized</var>.[[BitmapData]] to the <span>surrounding agent</span>'s
+    <span>agent cluster</span> under the above conditions.</p>
+   </li>
+
    <li><p>Set <var>value</var>'s <span data-x="concept-ImageBitmap-bitmap-data">bitmap data</span>
    to <var>serialized</var>.[[BitmapData]].</p></li>
 
@@ -95796,6 +95823,9 @@ dictionary <dfn>ImageBitmapOptions</dfn> {
   <p>Their <span>transfer steps</span>, given <var>value</var> and <var>dataHolder</var>, are:</p>
 
   <ol>
+   <li><p>Set <var>dataHolder</var>.[[CrossOriginIsolated]] to <span>surrounding agent</span>'s
+   <span>agent cluster</span>'s <span>cross-origin isolated</span>.</p></li>
+
    <li><p>Set <var>dataHolder</var>.[[BitmapData]] to <var>value</var>'s <span
    data-x="concept-ImageBitmap-bitmap-data">bitmap data</span>.</p></li>
 
@@ -95811,6 +95841,18 @@ dictionary <dfn>ImageBitmapOptions</dfn> {
   are:</p>
 
   <ol>
+   <li>
+    <p>If <var>dataHolder</var>.[[OriginClean]] is false,
+    <var>dataHolder</var>.[[CrossOriginIsolated]] is false, and <span>surrounding agent</span>'s
+    <span>agent cluster</span>'s <span>cross-origin isolated</span> is true, then throw a
+    <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>
+    <!-- E.g., when a COEP shared worker receives an ImageBitmap from a non-COOP+COEP window. -->
+
+    <p class="warning">To truly protect against sidechannel attacks implementations should avoid
+    sharing <var>dataHolder</var>.[[BitmapData]] with <span>surrounding agent</span>'s
+    <span>agent cluster</span> under the above conditions.</p>
+   </li>
+
    <li><p>Set <var>value</var>'s <span data-x="concept-ImageBitmap-bitmap-data">bitmap data</span>
    to <var>dataHolder</var>.[[BitmapData]].</p></li>