Make COOP+COEP not imply crossOriginIsolated.
The [specification] currently requires [COOP] + [COEP] to give access to
crossOriginIsolated capabilities like SharedArrayBuffer.

Some platforms can't easily support multiple processes (like Android
Webview). Therefore, they can't really support crossOriginIsolated.
However, there are no strong reasons for them not to enforce COEP (and
maybe COOP) when their associated headers are present.

It would be great to enforce COEP (and maybe COOP) on all platforms,
despite the lack of crossOriginIsolated capabilities.

This patch makes the specification allow (instead of require)
platforms to set the crossOriginIsolated flag when both COOP and COEP are
used.

Setting crossOriginIsolated becomes platform dependent. In exchange, we
can enforce COEP (and COOP) in a non-platform-dependent way, without
conflicting with the specification about crossOriginIsolated.

[Bug]: #6060

[specification]:
https://html.spec.whatwg.org/#cross-origin-opener-policies

[COOP]:
https://html.spec.whatwg.org/#cross-origin-opener-policy

[COEP]:
https://html.spec.whatwg.org/#coep
ArthurSonzogni committed Dec 15, 2020
1 parent 7023892 commit 9c0351e
151 changes: 110 additions & 41 deletions source
Expand Up @@ -8088,15 +8088,6 @@ interface <dfn>DOMStringList</dfn> {
<li><p>Let <var>agentCluster</var> be the <span>surrounding agent</span>'s
<span>agent cluster</span>.</p></li>

<li>
<p>If <var>agentCluster</var>'s <span>cross-origin isolated</span> is false, then throw a
<span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>

<p class="note">This check is only needed when serializing (and not when deserializing) as
<span>cross-origin isolated</span> cannot change over time and a
<code>SharedArrayBuffer</code> cannot leave an <span>agent cluster</span>.</p>
</li>

<li><p>If <var>forStorage</var> is true, then throw a
<span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p></li>

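Review bot: Removing the serialization-time check is an observable behaviour change that the commit message does not mention: a SharedArrayBuffer posted from a non-isolated agent cluster no longer makes the sender's serialization throw, and the failure now surfaces only on the receiving side when the value is deserialized. State that in the commit message, and carry the removed note's reasoning (cross-origin isolation cannot change over time, so a single check suffices) over to wherever the one remaining check now lives.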
Expand Down Expand Up @@ -8513,6 +8504,18 @@ o.myself = o;</code></pre>
<var>serialized</var>.[[AgentCluster]], then then throw a
<span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p></li>

<li><p>If <var>targetRealm</var>'s <span
data-x="concept-settings-object-cross-origin-isolated-capability"
>cross-origin isolated capability</span> is false, then throw
<span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>

<p class="note">This check is only needed when deserializing (and not when serializing) as
<span data-x="concept-settings-object-cross-origin-isolated-capability">
cross-origin isolated capability</span> cannot change over time and a
<code>SharedArrayBuffer</code> cannot leave an <span>agent
cluster</span>.</p>
</li>

<li><p>Otherwise, set <var>value</var> to a new SharedArrayBuffer object in
<var>targetRealm</var> whose [[ArrayBufferData]] internal slot value is
<var>serialized</var>.[[ArrayBufferData]] and whose [[ArrayBufferByteLength]] internal slot
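Review bot: A Realm does not have a cross-origin isolated capability; the data-x key used here (concept-settings-object-cross-origin-isolated-capability) names a property of an environment settings object, so the condition should read "If <var>targetRealm</var>'s settings object's cross-origin isolated capability is false". Two smaller points: "then throw <span>"DataCloneError"</span>" drops the article used in every neighbouring step ("then throw a ..."), and the new note's justification is misplaced, since "cannot change over time" explains why one check is enough, not why deserialization is the right side; the note should say that the check is done on the receiving side because the target realm is the one that will hold the SharedArrayBuffer. Also the <span data-x=...> opened at the end of one line with its text on the next puts a leading newline inside the link text.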
Expand Down Expand Up @@ -77984,8 +77987,43 @@ console.assert(iframeWindow.frameElement === null);
keys</span> to <span data-x="agent cluster">agent clusters</span>). User agents are responsible
for collecting agent clusters when it is deemed that nothing can access them anymore.</p>

<p>A <span>browsing context group</span> has a <dfn data-x="bcg cross-origin
isolated">cross-origin isolated</dfn> boolean. It is initially false.</p>
<p>A <span>browsing context group</span> has a <dfn><var
data-x="bcg-cross-origin-isolation">cross-origin-isolation</var></dfn> variable of type
<span>cross-origin-isolation</span>. Initially set to"<code
data-x="cross-origin-isolation-none">isolation-none</code>"</p>

<p>A <dfn>cross-origin-isolation</dfn> type can take 3 possible values: </p>
<ul>
<li><dfn><code data-x="cross-origin-isolation-none">isolation-none</code></dfn></li>
<li><dfn><code data-x="cross-origin-isolation-logical">isolation-logical</code></dfn></li>
<li><dfn><code data-x="cross-origin-isolation-concrete">isolation-concrete</code></dfn></li>
</ul>

<div class="note">
<p>
<code data-x="cross-origin-isolation-logical">isolation-logical</code> and
<code data-x="cross-origin-isolation-concrete">isolation-concrete</code> are similar. They are both used
for <span>browsing context group</span>, where:
</p>
<ul>
<li><p>Every top-level <span>Document</span> has `<code data-x="">
<span data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</span>:
<span data-x="coop-same-origin">same-origin</span></code>`</p></li>

<li><p>Every <span>Document</span> has
`<code data-x=""><span>Cross-Origin-Embedder-Policy</span>:
<span data-x="coep-require-corp">require-corp</span></code>`</p></li>
</ul>
<p>
On some platforms, it is difficult to provide the security properties required
by the <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
isolated capability</span>. As a result, only <code
data-x="cross-origin-isolation-concrete">isolation-concrete</code> can grant access to the <span
data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
capability</span>. <code data-x="cross-origin-isolation-concrete">isolation-concrete</code> is
used on platform not supporting this capability.
</p>
</div>

<p>A <span>browsing context group</span> has an associated <dfn>historical agent cluster key
map</dfn>, which is a <span data-x="ordered map">map</span> of <span
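Review bot: The last sentence of the note is inverted: it says isolation-concrete "is used on platform not supporting this capability", but the sentence before it says only isolation-concrete can grant the cross-origin isolated capability, and the note in the navigation steps later in this patch says isolation-logical is the value for platforms that do not support it. Change it to "isolation-logical is used on platforms not supporting this capability." Smaller points: "Initially set to"<code" is missing a space and the sentence has no full stop; "for <span>browsing context group</span>, where:" should be plural; "3 possible values: " has a trailing space; and opening `<code data-x="">` on one line with the header text on the next puts whitespace inside the backtick-delimited header example.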
Expand Down Expand Up @@ -79645,11 +79683,17 @@ interface <dfn>BarProp</dfn> {

<dt>The <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
isolated capability</span></dt>
<dd><p>Return the logical conjunction of <var>realm</var>'s <span>agent cluster</span>'s
<span>cross-origin isolated</span> and whether <var>window</var>'s <span
data-x="concept-document-window">associated <code>Document</code></span> is <span>allowed to
use</span> the "<code data-x="cross-origin-isolated-feature">cross-origin-isolated</code>"
feature.</p></dd>
<dd><p>Return the logical conjunction of:</p>
<ol>
<li><p><var>realm</var>'s <span>agent cluster</span>'s <var
data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</var> is <code
data-x="cross-origin-isolation-concrete">isolation-concrete</code></p></li>

<li><p><span data-x="concept-document-window">associated <code>Document</code></span> is
<span>allowed to use</span> the "<code
data-x="cross-origin-isolated-feature">cross-origin-isolated</code>" feature.</p>
</ol>
</dd>
</dl>
</li>

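Review bot: The second list item lost the qualifier the replaced text had: it now reads "associated <code>Document</code> is allowed to use ..." without saying whose document; restore "<var>window</var>'s" in front of it. The first item also needs a closing full stop, and the second <li> is not closed before </ol>, while every other list in this file closes its <li> explicitly.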
Expand Down Expand Up @@ -80424,8 +80468,9 @@ interface <dfn>BarProp</dfn> {
a registrable domain suffix of and is not equal to</span> <var>effectiveDomain</var>, then throw
a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>

<li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
isolated</span> is true, then return.</p></li>
<li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s
<var data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</var> is not <code
data-x="cross-origin-isolation-none">isolation-none</code> then return.</p></li>

<li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>is
origin-keyed</span> is true, then return.</p></li>
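Review bot: Missing comma before "then" in "is not isolation-none then return", which breaks the "If ..., then return." pattern of the adjacent steps.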
Expand Down Expand Up @@ -80534,10 +80579,11 @@ interface <dfn>BarProp</dfn> {
and the <code data-x="dom-originAgentCluster">originAgentCluster</code> getter will always return
true.</p>

<p class="note">Similarly, <code>Document</code>s in a <span>cross-origin isolated</span>
<span>agent cluster</span> are automatically origin-keyed. The `<code
data-x="http-origin-agent-cluster">Origin-Agent-Cluster</code>` header might be useful as an
additional hint to implementations about resource allocation, since the `<code
<p class="note">Similarly, <code>Document</code>s with <span>agent cluster</span>'s
<var data-x="agent-cluster-cross-origin-isolation">cross-origin-isolated</var> not <code
data-x="cross-origin-isolation-none">isolation-none</code> are automatically origin-isolated. The
`<code data-x="http-origin-agent-cluster">Origin-Agent-Cluster</code>` header might be useful as
an additional hint to implementations about resource allocation, since the `<code
data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` and
`<code>Cross-Origin-Embedder-Policy</code>` headers used to achieve cross-origin isolation are
more about ensuring that everything in the same address space opts in to being there. But adding
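Review bot: Two wording regressions here. The variable is referenced as "cross-origin-isolated" although its data-x key and its definition in this patch are "cross-origin-isolation", and "automatically origin-isolated" replaces "automatically origin-keyed", although the surrounding text (the originAgentCluster getter, the "is origin-keyed" boolean) calls this concept origin-keyed. Suggest: "<code>Document</code>s in an <span>agent cluster</span> whose cross-origin-isolation is not isolation-none are automatically origin-keyed."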
Expand Down Expand Up @@ -80901,8 +80947,9 @@ interface <dfn>BarProp</dfn> {
<dd>
<p>This behaves the same as "<code data-x="coop-same-origin">same-origin</code>", with the
addition that it sets the (new) <span>top-level browsing context</span>'s <span data-x="tlbc
group">group</span>'s <span data-x="bcg cross-origin isolated">cross-origin isolated</span> to
true.</p>
group">group</span>'s <span data-x="bcg-cross-origin-isolation">cross-origin-isolation</span> to
<code data-x="cross-origin-isolation-logical">isolation-logical</code> or <code
data-x="cross-origin-isolation-concrete">isolation-concrete</code></p>

<p class="note">"<code data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>" cannot
be directly set via the `<code
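Review bot: "to isolation-logical or isolation-concrete" does not say who chooses between the two; the other places in this patch that set the value add "The one used is platform-specific." Add the same sentence (and the missing full stop) so the definition of same-origin-plus-COEP matches the navigation steps.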
Expand Down Expand Up @@ -81311,8 +81358,19 @@ interface <dfn>BarProp</dfn> {

<li><p>If <var>navigationCOOP</var>'s <span data-x="coop-struct-value">value</span> is "<code
data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>", then set
<var>newBrowsingContext</var>'s <span data-x="tlbc group">group</span>'s <span data-x="bcg
cross-origin isolated">cross-origin isolated</span> to true.</p></li>
<var>newBrowsingContext</var>'s <span data-x="tlbc group">group</span>'s <span
data-x="bcg-cross-origin-isolation">cross-origin-isolation</span> to: <code
data-x="cross-origin-isolation-logical">isolation-logical</code> or <code
data-x="cross-origin-isolation-concrete">isolation-concrete</code>. The one used is
platform-specific. </p>

<p class="note">It is difficult on some platforms to provide the security properties required by
the <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
capability</span>. Only the <code
data-x="cross-origin-isolation-concrete">isolation-concrete</code> might grant access to it.
<code data-x="cross-origin-isolation-logical">Isolation-logical</code> won't and is used for the
platforms not supporting it.</p>
</li>

<li>
<p>If <var>sandboxFlags</var> is not empty, then:</p>
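Review bot: The note's wording does not match the browsing context group note: "Only the isolation-concrete might grant access" versus "only isolation-concrete can grant access" earlier; since the capability definition is a hard "is isolation-concrete" test, "can" is the accurate one. Also "Isolation-logical" inside <code> should be lowercase to match the value, and there is a stray space before </p> after "platform-specific."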
Expand Down Expand Up @@ -86779,9 +86837,11 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
<p>Contains various <code>Window</code> objects which can potentially reach each other, either
directly or by using <code data-x="dom-document-domain">document.domain</code>.</p>

<p>If the encompassing <span>agent cluster</span>'s <span>cross-origin isolated</span> is true,
then all the <code>Window</code> objects will be <span>same origin</span>, can reach each other
directly, and <code data-x="dom-document-domain">document.domain</code> will no-op.</p>
<p>If the encompassing <span>agent cluster</span>'s <span
data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</span> is not <code
data-x="cross-origin-isolation-none">isolation-none</code>, then all the <code>Window</code>
objects will be <span>same origin</span>, can reach each other directly, and <code
data-x="dom-document-domain">document.domain</code> will no-op.</p>

<p class="note">Two <code>Window</code> objects that are <span>same origin</span> can be in
different <span data-x="similar-origin window agent">similar-origin window agents</span>, for
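Review bot: cross-origin-isolation is referenced with <span> here but is defined with <var> in the agent cluster section and referenced with <var> elsewhere in this patch; use <var> here too so the cross-reference resolves consistently.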
Expand Down Expand Up @@ -86863,8 +86923,10 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {

<div w-nodev>

<p>An <span>agent cluster</span> has an associated <dfn>cross-origin isolated</dfn> (a boolean),
which is initially false.</p>
<p>An <span>agent cluster</span> has an associated <dfn><var
data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</var></dfn> variable, of type
<span>cross-origin-isolation</span>. Initially set to <code
data-x="cross-origin-isolation-none">isolation-none</code>.

<p>An <span>agent cluster</span> has an associated <dfn>is origin-keyed</dfn> (a boolean), which
is initially false.</p>
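Review bot: The new paragraph is never closed: "Initially set to <code ...>isolation-none</code>." has no </p> before the next paragraph (the removed text had one). For consistency with the other definitions in this section ("(a boolean), which is initially false"), "which is initially isolation-none" would also read better than the sentence fragment.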
Expand Down Expand Up @@ -86892,8 +86954,10 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {

<li><p>Let <var>key</var> be <var>site</var>.</p></li>

<li><p>If <var>group</var>'s <span data-x="bcg cross-origin isolated">cross-origin
isolated</span> is true, then set <var>key</var> to <var>origin</var>.</p></li>
<li><p>If <var>group</var>'s <span
data-x="bcg-cross-origin-isolation">cross-origin-isolation</span> is not <code
data-x="cross-origin-isolation-none">isolation-none</code>, then set <var>key</var> to
<var>origin</var>.</p></li>

<li><p>Otherwise, if <var>group</var>'s <span>historical agent cluster key
map</span>[<var>origin</var>] <span data-x="map exists">exists</span>, then set <var>key</var> to
Expand All @@ -86918,8 +86982,9 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
<ol>
<li><p>Let <var>agentCluster</var> be a new <span>agent cluster</span>.</p></li>

<li><p>Set <var>agentCluster</var>'s <span>cross-origin isolated</span> to <var>group</var>'s
<span data-x="bcg cross-origin isolated">cross-origin isolated</span>.</p></li>
<li><p>Set <var>agentCluster</var>'s <var
data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</var> to <var>group</var>'s
<var data-x="bcg-cross-origin-isolation">cross-origin-isolation</var>.</p></li>

<li><p>Set <var>agentCluster</var>'s <span>is origin-keyed</span> to true if <var>key</var>
equals <var>origin</var>; otherwise false.</p></li>
Expand Down Expand Up @@ -87300,8 +87365,9 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
href="https://github.com/tc39/ecma262/issues/1357">tc39/ecma262#1357</a>.</span></p></li>

<li>
<p>If <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> is
false, then:</p>
<p>If <var>agent</var>'s <span>agent cluster</span>'s <var
data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</var> is <code
data-x="cross-origin-isolation-none">isolation-none</code>, then:

<ol>
<li><p>Let <var>global</var> be <var>realm</var>'s <span data-x="concept-realm-global">global
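Review bot: The rewritten condition drops the closing tag before the list: "then:" ends the paragraph with no </p>, whereas the removed lines had "then:</p>".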
Expand Down Expand Up @@ -99221,8 +99287,11 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
<p>If <var>worker global scope</var>'s <span
data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span> is "<code
data-x="coep-require-corp">require-corp</code>" and <var>is shared</var> is true, then set
<var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> to
true.</p>
<var>agent</var>'s <span>agent cluster</span>'s <var
data-x="agent-cluster-cross-origin-isolation">cross-origin-isolated</var> to <code
data-x="cross-origin-isolation-logical">isolation-logical</code> or <code
data-x="cross-origin-isolation-concrete">isolation-concrete</code>. The one chosen is
platform-specific.</p>

<p class="XXX">This really ought to be set when the agent cluster is created, which requires a
redesign of this section.</p>
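Review bot: "cross-origin-isolated" again diverges from the variable's name; the data-x key and the definition say cross-origin-isolation. Also, the paragraph sets the value to "isolation-logical or isolation-concrete" and then defers the choice to the platform, so the XXX note below it (the value ought to be set when the agent cluster is created) now applies to the platform choice as well and is worth restating.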
Expand All @@ -99235,8 +99304,8 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {

<li><p>Set <var>worker global scope</var>'s <span
data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated
capability</span> to <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin
isolated</span>.</p></li>
capability</span> to <var>agent</var>'s <span>agent cluster</span>'s <var
data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation</var>.</p></li>

<li><p>If <var>is shared</var> is false and <var>owner</var>'s <span
data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
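Review bot: Type mismatch: the worker global scope's cross-origin isolated capability is a boolean, but this step now assigns it the three-valued cross-origin-isolation directly. Per the Window-side definition earlier in this patch, the capability is true only when the agent cluster's cross-origin-isolation is isolation-concrete; write it as "Set ... to true if <var>agent</var>'s <span>agent cluster</span>'s cross-origin-isolation is isolation-concrete; otherwise false." As written, isolation-logical would grant workers exactly the capability the patch withholds from documents.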
