From 50ebcb40bcca0a279ae1825cd5aea536af64250d Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Thu, 2 Jan 2020 18:29:16 +0100 Subject: [PATCH 1/5] Add the cross-origin isolated primitive A top-level navigation response with Cross-Origin-Opener-Policy set to same-origin and Cross-Origin-Embedder-Policy set to require-corp will create a cross-origin isolated browsing context group. And all agent clusters therein will be cross-origin isolated as well (shared and service workers can still not be, as they sit on the side). This change also: * Gates SharedArrayBuffer exposure behind that primitive for web compatibility reasons. * Gates SharedArrayBuffer sharing behind that primitive. * Exposes it through self.crossOriginIsolated. * Makes document.domain return before it mutates the origin. * Makes agent clusters keyed on origin. Tests: * https://github.com/web-platform-tests/wpt/pull/17719 * https://github.com/web-platform-tests/wpt/pull/17760 * https://github.com/web-platform-tests/wpt/pull/17761 * https://github.com/web-platform-tests/wpt/pull/17802 * https://github.com/web-platform-tests/wpt/pull/17909 * https://github.com/web-platform-tests/wpt/pull/18543 * https://github.com/web-platform-tests/wpt/pull/20116 * https://github.com/web-platform-tests/wpt/issues/22358 Closes #4732. Closes #5122. Closes #5444. Follow-up: #5435. --- source | 111 ++++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 78 insertions(+), 33 deletions(-) diff --git a/source b/source index a29e1f7a8ef..081b7b16520 100644 --- a/source +++ b/source @@ -8002,13 +8002,24 @@ interface DOMStringList {

If ! IsSharedArrayBuffer(value) is true, then:

    +
  1. Let agentCluster be the surrounding agent's + agent cluster.

  2. + +
  3. +

    If agentCluster's cross-origin isolated is false, then throw a + "DataCloneError" DOMException.

    + +

    This check is only needed when serializing (and not when deserializing) as + cross-origin isolated cannot change over time and a + SharedArrayBuffer cannot leave an agent cluster.

    +
  4. +
  5. If forStorage is true, then throw a "DataCloneError" DOMException.

  6. Set serialized to { [[Type]]: "SharedArrayBuffer", [[ArrayBufferData]]: value.[[ArrayBufferData]], [[ArrayBufferByteLength]]: size, - [[AgentCluster]]: the current Realm Record's corresponding agent - cluster }.

  7. + [[AgentCluster]]: agentCluster }.
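Review bot: the rationale in the added note ("cross-origin isolated cannot change over time and a SharedArrayBuffer cannot leave an agent cluster") is not an invariant this series actually establishes: the shared-worker hunk later in this patch sets agent's agent cluster's cross-origin isolated to true after the cluster already exists and admits it "really ought to be set when the agent cluster is created". Either make the flag immutable after allocation and say so here, or keep a matching check on the deserialization side until that redesign lands. The rest of the hunk is sound: the isolation check sits before the forStorage check, and recording agentCluster from the surrounding agent instead of "the current Realm Record's corresponding agent cluster" matches the allocation change elsewhere in the patch.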

@@ -77229,10 +77240,6 @@ console.assert(iframeWindow.frameElement === null);

A browsing context group has a cross-origin isolated boolean. It is initially false.

-

The impact of cross-origin - isolated is under discussion in issue - #4734.

-

To create a new browsing context group, run these steps:
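Review bot: removing the "under discussion in issue #4734" note leaves the browsing context group's cross-origin isolated boolean with no step in this series that ever sets it to true; the commit message says a top-level navigation response with Cross-Origin-Opener-Policy set to same-origin and Cross-Origin-Embedder-Policy set to require-corp creates such a group, but no hunk here touches navigation or the group-creation steps that follow this context. Either land that wiring in this PR or keep a pointer to where it is specified, since this flag is what gates SharedArrayBuffer serialization and self.crossOriginIsolated.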

@@ -79650,6 +79657,9 @@ interface BarProp { a registrable domain suffix of and is not equal to effectiveDomain, then throw a "SecurityError" DOMException.

+
  • If the surrounding agent's agent cluster's cross-origin + isolated is true, then return.

  • +
  • Set this Document object's origin's domain to the result of parsing the given value.
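Review bot: the added early return makes the document.domain setter a silent no-op when the surrounding agent's agent cluster is cross-origin isolated, and because it sits after the registrable-domain checks an invalid value still throws "SecurityError" in that state. State explicitly, here or in the domain-relaxation prose, that a successful assignment does not mean the origin was relaxed: code that sets document.domain and then assumes cross-frame access was enabled gets no exception, only a later cross-origin access failure. Consider whether throwing "SecurityError", like the other rejected cases in this setter, would be the clearer signal.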

  • @@ -86819,6 +86829,10 @@ interface ApplicationCache : EventTarget {

    Contains various Window objects which can potentially reach each other, either directly or by using document.domain.

    +

    If the encompassing agent cluster's cross-origin isolated is true, + then all the Window objects will be same origin, can reach each other, + and document.domain will no-op.

    +

    Two Window objects that are same origin can be in different similar-origin window agents, for instance if they are each in their own browsing context group.
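Review bot: "all the Window objects will be same origin" in the added paragraph follows from keying agent clusters on origin rather than site when the group is cross-origin isolated, but that is defined in a different hunk; cross-reference it so a reader of this section can see why isolation collapses a similar-origin window agent to a single origin. Also "can reach each other" should say directly, since reaching each other through document.domain is exactly what the same sentence rules out.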

    @@ -86897,6 +86911,10 @@ interface ApplicationCache : EventTarget { ensure that web developers see interoperable behavior with regard to shared memory, even in the face of varying and changing user agent process models.

    +

    An agent cluster has an associated cross-origin isolated (a boolean), + which is initially false.

    + +
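Review bot: the new agent cluster boolean duplicates the browsing context group boolean, and this hunk does not state the relationship between them; add a sentence that an agent cluster's cross-origin isolated is copied from its group at allocation and never changes afterwards, since the SharedArrayBuffer serialization check earlier in this patch relies on exactly that.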

    @@ -86904,44 +86922,33 @@ interface ApplicationCache : EventTarget {

    The following defines the allocation of the agent clusters of similar-origin window agents.

    -

    An agent cluster key is a site.

    - -

    whatwg/html #4734 is - expected to widen agent cluster key (but not site) to encompass all - tuple origins.

    - -

    To obtain an agent cluster key, given an origin - origin, return the result of obtaining a site with - origin.

    +

    An agent cluster key is a site or tuple origin whose host's registrable domain is non-null. I.e., an + agent cluster key can be any origin.

    To obtain a similar-origin window agent, given an origin origin and browsing context group group, run these steps:

      -
    1. Let clusterKey be the result of obtaining an agent cluster key given - origin.

    2. - -
    3. Let agentCluster be the result of obtaining a browsing context agent cluster with - group and clusterKey.

    4. +
    5. Let clusterKey be the result of obtaining a + site with origin.

    6. -
    7. Return the single similar-origin window agent contained in - agentCluster.

    8. -
    - -

    To obtain a browsing context agent cluster, - given a browsing context group group and agent cluster key - key, run these steps:

    +
  • If group's cross-origin + isolated is true, then set clusterKey to origin.

  • -
    1. If group's agent cluster map[key] does not exist, then:

      +
      1. Let agentCluster be a new agent cluster.

      2. +
      3. If group's cross-origin + isolated is true, then set agentCluster's cross-origin isolated + to true.

      4. +
      5. Add the result of creating an agent, given false, to agentCluster.
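Review bot: the variable names do not line up in the rewritten "obtain a similar-origin window agent": the added steps introduce clusterKey ("Let clusterKey be the result of obtaining a site with origin", "then set clusterKey to origin") while the retained step still reads group's agent cluster map[key], which was the parameter name of the algorithm being deleted; pick one name. The new definition sentence is also self-contradictory: "a site or tuple origin whose host's registrable domain is non-null" excludes origins with a null registrable domain, yet it concludes "an agent cluster key can be any origin", and the isolated branch assigns the full origin unconditionally, so the definition should simply allow any origin. Finally, "If group's cross-origin isolated is true, then set agentCluster's cross-origin isolated to true" could be an unconditional copy of the group's value, which is easier to reason about.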

      6. @@ -86950,7 +86957,8 @@ interface ApplicationCache : EventTarget {
    2. -
    3. Return group's agent cluster map[key].

    4. +
    5. Return the single similar-origin window agent contained in group's + agent cluster map[key].
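Review bot: "Return the single similar-origin window agent contained in group's agent cluster map[key]" uses key, but the lookup key set earlier in this algorithm is clusterKey; make them agree. The removed "obtain a browsing context agent cluster" algorithm was the only place that returned the agent cluster itself, so check that nothing else in the document still references it.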

    This means that there is only one similar-origin window agent per @@ -87304,6 +87312,19 @@ interface ApplicationCache : EventTarget { is not yet defined in the JavaScript specification; see tc39/ecma262#1357.

    +
  • Let crossOriginIsolated be agent's agent cluster's + cross-origin isolated.

  • + +
  • +

    If crossOriginIsolated is false, then remove the own property with name "SharedArrayBuffer" from realm's global object.

    + +

    This is done for compatibility with web content and there is some hope that this + can be removed in the future. Web developers can still get at the constructor through + new WebAssembly.Memory({ shared:true, initial:0, maximum:0 + }).buffer.constructor.

    +
  • +
  • Return realm execution context.
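Review bot: "remove the own property with name "SharedArrayBuffer" from realm's global object" should be written as an ordinary [[Delete]] on the global with an assertion that it succeeded, so the step is unambiguous about what is expected if the property were absent or non-configurable. More importantly, the accompanying note already shows the constructor stays reachable through new WebAssembly.Memory({ shared:true, initial:0, maximum:0 }).buffer.constructor, so this deletion is a compatibility measure only; say outright that the actual gate on shared memory crossing agents is the cross-origin isolated check in StructuredSerialize, so readers do not treat the missing global as the mitigation.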

  • @@ -92109,6 +92130,7 @@ interface mixin DocumentAndElementEventHandlers { interface mixin WindowOrWorkerGlobalScope { [Replaceable] readonly attribute USVString origin; readonly attribute boolean isSecureContext; + readonly attribute boolean crossOriginIsolated; // base64 utility methods DOMString btoa(DOMString data); @@ -92132,13 +92154,21 @@ interface mixin WindowOrWorkerGlobalScope {
    self . isSecureContext
    -

    Returns whether or not this global object represents a secure context.

    self . origin
    -

    Returns the global object's origin, serialized as string.

    + +
    self . crossOriginIsolated
    +
    +

    Returns the surrounding agent's agent cluster's cross-origin + isolated.

    + +

    (This value depends on the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy HTTP response headers and determines whether + SharedArrayBuffer can be used with postMessage() APIs.)

    +
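Review bot: the developer-facing entry for self.crossOriginIsolated says what the value depends on but not what a developer should do with it; since the IDL hunk adds it to WindowOrWorkerGlobalScope, note that it is a feature-detection signal and that when it is false the SharedArrayBuffer global is removed and postMessage() of a SharedArrayBuffer throws "DataCloneError", per the other hunks in this patch. "Returns the surrounding agent's agent cluster's cross-origin isolated" also leaks spec-internal phrasing into the developer summary; the neighbouring entries are plain sentences ("Returns whether or not this global object represents a secure context"), so match that style.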
    @@ -92169,6 +92199,10 @@ document.body.appendChild(frame) data-x="concept-settings-object-origin">origin, serialized.

    +

    The crossOriginIsolated attribute's + getter must return the surrounding agent's agent cluster's + cross-origin isolated.

    +
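Review bot: "attribute's getter must return" is the older phrasing; patch 3/5 in this series rewrites it as "getter steps", so it would be simpler to use that form here from the start.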
    @@ -99061,6 +99095,17 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope { obtaining an embedder policy from response.

    +
  • +

    If worker global scope's embedder policy is "require-corp" and is shared is true, then set + agent's agent cluster's cross-origin isolated to + true.

    + +

    This really ought to be set when the agent cluster is created, which requires a + redesign of this section.

    +
  • +
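Review bot: the added step sets a shared worker's agent cluster to cross-origin isolated on "require-corp" alone, with no opener-policy counterpart, which is a weaker condition than the commit message describes for windows (COOP same-origin plus COEP require-corp) and contradicts its statement that shared workers "can still not be" isolated; state which is intended. The step also mutates the flag after the agent cluster exists, and the note concedes it "really ought to be set when the agent cluster is created"; that late mutation is what undermines the "cannot change over time" rationale used in the StructuredSerialize hunk, so at minimum reference that rationale here, or check on both serialization and deserialization until the redesign lands.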
  • If the result of checking a global object's embedder policy with worker global scope, owner, and response is false, then set response to a network From 4e5a00c369f43927818ba0a29cda1da9e3b9a314 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Mon, 29 Jun 2020 17:52:28 +0200 Subject: [PATCH 2/5] address feedback --- source | 28 +++++++++++++--------------- 1 file changed, 13 insertions(+), 15 deletions(-) diff --git a/source b/source index 081b7b16520..ad7a0de6731 100644 --- a/source +++ b/source @@ -86830,8 +86830,8 @@ interface ApplicationCache : EventTarget { directly or by using document.domain.

    If the encompassing agent cluster's cross-origin isolated is true, - then all the Window objects will be same origin, can reach each other, - and document.domain will no-op.

    + then all the Window objects will be same origin, can reach each other + directly, and document.domain will no-op.

    Two Window objects that are same origin can be in different similar-origin window agents, for @@ -86925,7 +86925,8 @@ interface ApplicationCache : EventTarget {

    An agent cluster key is a site or tuple origin whose host's registrable domain is non-null. I.e., an - agent cluster key can be any origin.

    + agent cluster key can be a scheme-and-registrable-domain or any + origin.
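Review bot: the rewording still leaves the definition inconsistent: the first sentence restricts tuple origins to those "whose host's registrable domain is non-null", while the new sentence says a key can be "any origin". Since the cross-origin isolated branch sets the key to the origin unconditionally, drop the registrable-domain qualifier or restrict the branch.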

    To obtain a similar-origin window agent, given an origin origin and browsing context group @@ -86940,14 +86941,13 @@ interface ApplicationCache : EventTarget {

  • If group's agent cluster map[key] does not exist, then:

    + exists">does not exist, then:

    1. Let agentCluster be a new agent cluster.

    2. -
    3. If group's cross-origin - isolated is true, then set agentCluster's cross-origin isolated - to true.

    4. +
    5. Set agentCluster's cross-origin isolated to group's + cross-origin isolated.

    6. Add the result of creating an agent, given false, to agentCluster.
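Review bot: replacing the conditional with "Set agentCluster's cross-origin isolated to group's cross-origin isolated" is the right fix; the cluster's value is now a straight copy at allocation time. Add an assertion or note that group's cross-origin isolated is fixed once the group is created, otherwise clusters allocated before and after a change would disagree.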

    7. @@ -92161,14 +92161,12 @@ interface mixin WindowOrWorkerGlobalScope {

      Returns the global object's origin, serialized as string.

      self . crossOriginIsolated
      -
      -

      Returns the surrounding agent's agent cluster's cross-origin - isolated.

      - -

      (This value depends on the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy HTTP response headers and determines whether - SharedArrayBuffer can be used with postMessage() APIs.)

      -
      +

      Returns whether the surrounding agent's agent cluster is + cross-origin isolated. This depends on the `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy` HTTP response headers and determines whether + SharedArrayBuffer can be used with postMessage() + APIs.
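Review bot: the merged description reads better, but "determines whether SharedArrayBuffer can be used with postMessage() APIs" understates the visible effect; when the value is false the SharedArrayBuffer global is also removed from the global object (see the realm-creation hunk in patch 1/5), which is the first thing a developer will notice, so mention both.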

      From fd3f73aecf25eafc02c59dd495663341d281f420 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Tue, 7 Jul 2020 12:36:46 +0200 Subject: [PATCH 3/5] getter steps --- source | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/source b/source index ad7a0de6731..681726f413a 100644 --- a/source +++ b/source @@ -92197,9 +92197,9 @@ document.body.appendChild(frame) data-x="concept-settings-object-origin">origin, serialized.

      -

      The crossOriginIsolated attribute's - getter must return the surrounding agent's agent cluster's - cross-origin isolated.

      +

      The crossOriginIsolated getter steps + are to return the surrounding agent's agent cluster's cross-origin + isolated.

      From 522b16eed977c391cbc3765f6b0fcbbac5a20643 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Tue, 7 Jul 2020 14:34:24 -0400 Subject: [PATCH 4/5] More precise SAB deletion --- source | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/source b/source index 681726f413a..c2e937021e3 100644 --- a/source +++ b/source @@ -87312,16 +87312,23 @@ interface ApplicationCache : EventTarget { is not yet defined in the JavaScript specification; see tc39/ecma262#1357.

      -
    8. Let crossOriginIsolated be agent's agent cluster's - cross-origin isolated.

    9. -
    10. -

      If crossOriginIsolated is false, then remove the own property with name "SharedArrayBuffer" from realm's global object.

      +

      If agent's agent cluster's cross-origin isolated is + false, then:

      + +
        +
      1. Let global be realm's global + object.

      2. + +
      3. Let status be ! global.[[Delete]]("SharedArrayBuffer").

      4. + +
      5. Assert: status is true.

      6. +

      This is done for compatibility with web content and there is some hope that this can be removed in the future. Web developers can still get at the constructor through - new WebAssembly.Memory({ shared:true, initial:0, maximum:0 + new WebAssembly.Memory({ shared:true, initial:0, maximum:0 }).buffer.constructor.
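Review bot: expressing the removal as ! global.[[Delete]]("SharedArrayBuffer") with "Assert: status is true" is the precise form; the assertion encodes the expectation that the property is present and deletable on the global at this point, and since the step has no fallback if that ever fails, a short note on why it holds would help future editors. The reformatted WebAssembly.Memory note is unchanged in substance and still documents that this deletion is a compatibility step rather than the security boundary, which is worth saying in the note itself.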

    11. From f1e41e57ef2872a35dd1c8e725a24314bd981890 Mon Sep 17 00:00:00 2001 From: Anne van Kesteren Date: Wed, 8 Jul 2020 10:59:31 +0200 Subject: [PATCH 5/5] nit --- source | 1 - 1 file changed, 1 deletion(-) diff --git a/source b/source index c2e937021e3..6bbdc078d3d 100644 --- a/source +++ b/source @@ -86914,7 +86914,6 @@ interface ApplicationCache : EventTarget {

      An agent cluster has an associated cross-origin isolated (a boolean), which is initially false.

      -