Make COOP+COEP do not imply crossOriginIsolated.

source

@@ -8084,16 +8084,16 @@ interface <dfn>DOMStringList</dfn> {
       <p>If ! <span>IsSharedArrayBuffer</span>(<var>value</var>) is true, then:
 
       <ol>
-       <li><p>Let <var>agentCluster</var> be the <span>surrounding agent</span>'s
-       <span>agent cluster</span>.</p></li>
-
        <li>
-        <p>If <var>agentCluster</var>'s <span>cross-origin isolated</span> is false, then throw a
-        <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>
+        <p>If the <span>current settings object</span>'s <span
+        data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
+        capability</span> is false, then throw a <span>"<code>DataCloneError</code>"</span>
+        <code>DOMException</code>.</p>
 
         <p class="note">This check is only needed when serializing (and not when deserializing) as
-        <span>cross-origin isolated</span> cannot change over time and a
-        <code>SharedArrayBuffer</code> cannot leave an <span>agent cluster</span>.</p>
+        the <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
+        isolated capability</span> cannot change over time and a <code>SharedArrayBuffer</code>
+        cannot leave an <span>agent cluster</span>.</p>
        </li>
 
        <li><p>If <var>forStorage</var> is true, then throw a
@@ -77983,9 +77983,6 @@ console.assert(iframeWindow.frameElement === null);
   keys</span> to <span data-x="agent cluster">agent clusters</span>). User agents are responsible
   for collecting agent clusters when it is deemed that nothing can access them anymore.</p>
 
-  <p>A <span>browsing context group</span> has a <dfn data-x="bcg cross-origin
-  isolated">cross-origin isolated</dfn> boolean. It is initially false.</p>
-
   <p>A <span>browsing context group</span> has an associated <dfn>historical agent cluster key
   map</dfn>, which is a <span data-x="ordered map">map</span> of <span
   data-x="origin">origins</span> to <span data-x="agent cluster key">agent cluster keys</span>. This
@@ -77996,6 +77993,41 @@ console.assert(iframeWindow.frameElement === null);
   <p class="note">The <span>historical agent cluster key map</span> only ever gains entries over the
   lifetime of the browsing context group.</p>
 
+  <p>A <span>browsing context group</span> has a <dfn
+  data-x="bcg-cross-origin-isolation">cross-origin isolation mode</dfn>, which is a
+  <span>cross-origin isolation mode</span>. It is initially "<code
+  data-x="cross-origin-isolation-none">none</code>".</p>
+
+  <p>A <dfn>cross-origin isolation mode</dfn> is one of three possible values: "<dfn><code
+  data-x="cross-origin-isolation-none">none</code></dfn>", "<dfn><code
+  data-x="cross-origin-isolation-logical">logical</code></dfn>", or "<dfn><code
+  data-x="cross-origin-isolation-concrete">concrete</code></dfn>".</p>
+
+  <div class="note">
+   <p>"<code data-x="cross-origin-isolation-logical">logical</code>" and "<code
+   data-x="cross-origin-isolation-concrete">concrete</code>" are similar. They are both used for
+   <span data-x="browsing context group">browsing context groups</span> where:</p>
+
+   <ul>
+    <li><p>every top-level <span>Document</span> has `<code data-x=""><span
+    data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</span>: <span
+    data-x="coop-same-origin">same-origin</span></code>`, and</p></li>
+
+    <li><p>every <span>Document</span> has `<code
+    data-x=""><span>Cross-Origin-Embedder-Policy</span>: <span
+    data-x="coep-require-corp">require-corp</span></code>`.</p></li>
+   </ul>
+
+   <p>On some platforms, it is difficult to provide the security properties required to grant safe
+   access to the APIs gated by the <span
+   data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
+   capability</span>. As a result, only "<code
+   data-x="cross-origin-isolation-concrete">concrete</code>" can grant access that capability.
+   "<code data-x="cross-origin-isolation-logical">logical</code>" is used on platform not supporting
+   this capability, where various restrictions imposed by cross-origin isolation will still apply,
+   but the capability is not granted.</p>
+  </div>
+
   <p>To <dfn data-x="creating a new browsing context group">create a new browsing context
   group</dfn>, run these steps:</p>
 
@@ -79644,11 +79676,18 @@ interface <dfn>BarProp</dfn> {
 
      <dt>The <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
      isolated capability</span></dt>
-     <dd><p>Return the logical conjunction of <var>realm</var>'s <span>agent cluster</span>'s
-     <span>cross-origin isolated</span> and whether <var>window</var>'s <span
-     data-x="concept-document-window">associated <code>Document</code></span> is <span>allowed to
-     use</span> the "<code data-x="cross-origin-isolated-feature">cross-origin-isolated</code>"
-     feature.</p></dd>
+     <dd>
+      <p>Return true if both of the following hold, and false otherwise:</p>
+      <ol>
+       <li><p><var>realm</var>'s <span>agent cluster</span>'s <span
+       data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation mode</span> is "<code
+       data-x="cross-origin-isolation-concrete">concrete</code>", and</p></li>
+
+       <li><p><var>window</var>'s <span data-x="concept-document-window">associated
+       <code>Document</code></span> is <span>allowed to use</span> the "<code
+       data-x="cross-origin-isolated-feature">cross-origin-isolated</code>" feature.</p></li>
+      </ol>
+     </dd>
     </dl>
    </li>
 
@@ -80423,9 +80462,6 @@ interface <dfn>BarProp</dfn> {
    a registrable domain suffix of and is not equal to</span> <var>effectiveDomain</var>, then throw
    a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
-   <li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
-   isolated</span> is true, then return.</p></li>
-
    <li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>is
    origin-keyed</span> is true, then return.</p></li>
 
@@ -80533,10 +80569,11 @@ interface <dfn>BarProp</dfn> {
   and the <code data-x="dom-originAgentCluster">originAgentCluster</code> getter will always return
   true.</p>
 
-  <p class="note">Similarly, <code>Document</code>s in a <span>cross-origin isolated</span>
-  <span>agent cluster</span> are automatically origin-keyed. The `<code
-  data-x="http-origin-agent-cluster">Origin-Agent-Cluster</code>` header might be useful as an
-  additional hint to implementations about resource allocation, since the `<code
+  <p class="note">Similarly, <code>Document</code>s whose <span>agent cluster</span>'s
+  <span data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> is not
+  "<code data-x="cross-origin-isolation-none">none</code>" are automatically origin-keyed. The
+  `<code data-x="http-origin-agent-cluster">Origin-Agent-Cluster</code>` header might be useful as
+  an additional hint to implementations about resource allocation, since the `<code
   data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` and
   `<code>Cross-Origin-Embedder-Policy</code>` headers used to achieve cross-origin isolation are
   more about ensuring that everything in the same address space opts in to being there. But adding
@@ -80900,8 +80937,9 @@ interface <dfn>BarProp</dfn> {
    <dd>
     <p>This behaves the same as "<code data-x="coop-same-origin">same-origin</code>", with the
     addition that it sets the (new) <span>top-level browsing context</span>'s <span data-x="tlbc
-    group">group</span>'s <span data-x="bcg cross-origin isolated">cross-origin isolated</span> to
-    true.</p>
+    group">group</span>'s <span data-x="bcg-cross-origin-isolation">cross-origin isolation
+    mode</span> to one of "<code data-x="cross-origin-isolation-logical">logical</code>" or "<code
+    data-x="cross-origin-isolation-concrete">concrete</code>".</p>
 
     <p class="note">"<code data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>" cannot
     be directly set via the `<code
@@ -81308,10 +81346,21 @@ interface <dfn>BarProp</dfn> {
    <li><p>Let <var>newBrowsingContext</var> be the result of <span>creating a new top-level browsing
    context</span>.</p></li>
 
-   <li><p>If <var>navigationCOOP</var>'s <span data-x="coop-struct-value">value</span> is "<code
-   data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>", then set
-   <var>newBrowsingContext</var>'s <span data-x="tlbc group">group</span>'s <span data-x="bcg
-   cross-origin isolated">cross-origin isolated</span> to true.</p></li>
+   <li>
+    <p>If <var>navigationCOOP</var>'s <span data-x="coop-struct-value">value</span> is "<code
+    data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>", then set
+    <var>newBrowsingContext</var>'s <span data-x="tlbc group">group</span>'s <span
+    data-x="bcg-cross-origin-isolation">cross-origin isolation mode</span> to either "<code
+    data-x="cross-origin-isolation-logical">logical</code>" or "<code
+    data-x="cross-origin-isolation-concrete">concrete</code>". The choice of which is
+    <span>implementation-defined</span>.</p>
+
+    <p class="note">It is difficult on some platforms to provide the security properties required by
+    the <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
+    isolated capability</span>. "<code data-x="cross-origin-isolation-concrete">concrete</code>"
+    grants access to it and "<code data-x="cross-origin-isolation-logical">logical</code>" does
+    not.</p>
+   </li>
 
    <li>
     <p>If <var>sandboxFlags</var> is not empty, then:</p>
@@ -86741,8 +86790,8 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
     <p>Contains various <code>Window</code> objects which can potentially reach each other, either
     directly or by using <code data-x="dom-document-domain">document.domain</code>.</p>
 
-    <p>If the encompassing <span>agent cluster</span>'s <span>cross-origin isolated</span> is true,
-    then all the <code>Window</code> objects will be <span>same origin</span>, can reach each other
+    <p>If the encompassing <span>agent cluster</span>'s <span>is origin-keyed</span> is true, then
+    all the <code>Window</code> objects will be <span>same origin</span>, can reach each other
     directly, and <code data-x="dom-document-domain">document.domain</code> will no-op.</p>
 
     <p class="note">Two <code>Window</code> objects that are <span>same origin</span> can be in
@@ -86825,8 +86874,10 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
   <div w-nodev>
 
-  <p>An <span>agent cluster</span> has an associated <dfn>cross-origin isolated</dfn> (a boolean),
-  which is initially false.</p>
+  <p>An <span>agent cluster</span> has an associated <dfn
+  data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</dfn>, which is a
+  <span>cross-origin isolation mode</span>. It is initially "<code
+  data-x="cross-origin-isolation-none">none</code>".</p>
 
   <p>An <span>agent cluster</span> has an associated <dfn>is origin-keyed</dfn> (a boolean), which
   is initially false.</p>
@@ -86854,8 +86905,9 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
 
    <li><p>Let <var>key</var> be <var>site</var>.</p></li>
 
-   <li><p>If <var>group</var>'s <span data-x="bcg cross-origin isolated">cross-origin
-   isolated</span> is true, then set <var>key</var> to <var>origin</var>.</p></li>
+   <li><p>If <var>group</var>'s <span data-x="bcg-cross-origin-isolation">cross-origin isolation
+   mode</span> is not "<code data-x="cross-origin-isolation-none">none</code>", then set
+   <var>key</var> to <var>origin</var>.</p></li>
 
    <li><p>Otherwise, if <var>group</var>'s <span>historical agent cluster key
    map</span>[<var>origin</var>] <span data-x="map exists">exists</span>, then set <var>key</var> to
@@ -86880,8 +86932,10 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
     <ol>
      <li><p>Let <var>agentCluster</var> be a new <span>agent cluster</span>.</p></li>
 
-     <li><p>Set <var>agentCluster</var>'s <span>cross-origin isolated</span> to <var>group</var>'s
-     <span data-x="bcg cross-origin isolated">cross-origin isolated</span>.</p></li>
+     <li><p>Set <var>agentCluster</var>'s <span
+     data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> to
+     <var>group</var>'s <span data-x="bcg-cross-origin-isolation">cross-origin isolation
+     mode</span>.</p></li>
 
      <li><p>Set <var>agentCluster</var>'s <span>is origin-keyed</span> to true if <var>key</var>
      equals <var>origin</var>; otherwise false.</p></li>
@@ -87262,8 +87316,9 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
    href="https://github.com/tc39/ecma262/issues/1357">tc39/ecma262#1357</a>.</span></p></li>
 
    <li>
-    <p>If <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> is
-    false, then:</p>
+    <p>If <var>agent</var>'s <span>agent cluster</span>'s <span
+    data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> is "<code
+    data-x="cross-origin-isolation-none">none</code>", then:</p>
 
     <ol>
      <li><p>Let <var>global</var> be <var>realm</var>'s <span data-x="concept-realm-global">global
@@ -99183,8 +99238,11 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
       <p>If <var>worker global scope</var>'s <span
       data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span> is "<code
       data-x="coep-require-corp">require-corp</code>" and <var>is shared</var> is true, then set
-      <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> to
-      true.</p>
+      <var>agent</var>'s <span>agent cluster</span>'s <span
+      data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> to "<code
+      data-x="cross-origin-isolation-logical">logical</code>" or "<code
+      data-x="cross-origin-isolation-concrete">concrete</code>". The one chosen is
+      <span>implementation-defined</span>.</p>
 
       <p class="XXX">This really ought to be set when the agent cluster is created, which requires a
       redesign of this section.</p>
@@ -99197,8 +99255,9 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
 
      <li><p>Set <var>worker global scope</var>'s <span
      data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated
-     capability</span> to <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin
-     isolated</span>.</p></li>
+     capability</span> to true if <var>agent</var>'s <span>agent cluster</span>'s <span
+     data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> is "<code
+     data-x="cross-origin-isolation-concrete">concrete</code>".</p></li>
 
      <li><p>If <var>is shared</var> is false and <var>owner</var>'s <span
      data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated