Make COOP+COEP not imply cross-origin isolated
This contains 3 changes:

---

The specification currently requires COOP+COEP to give access to cross-origin isolated capabilities like SharedArrayBuffer.

Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support cross-origin isolated. However there are no strong reasons for them not to enforce COOP and COEP when their associated headers are present.

This patch changes the specification to allow (instead of requiring) platforms to grant the cross-origin isolated capability when both COOP and COEP are used.

The browsing context group's cross-origin-isolation mode becomes a tri-state:
- none (not COOP+COEP)
- logical (COOP+COEP, without granting cross-origin isolated)
- concrete (COOP+COEP, with granting cross-origin isolated)

Closes #6060.

---

When setting document.domain, both properties were previously checked:
1. agent-cluster's cross-origin-isolation mode.
2. agent-cluster's origin-keyed.
The first has been removed, since it already implies the second.

---

When serializing a SharedArrayBuffer, check the cross-origin isolated capability instead of the cross-origin isolation mode. This was an oversight from when the cross-origin isolated capability was first introduced.
ArthurSonzogni authored Jan 6, 2021
1 parent 2928953 commit cbcf6ac
Showing 1 changed file with 101 additions and 42 deletions.
143 changes: 101 additions & 42 deletions source
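The tri-state described in the commit message, as an added JavaScript model that is not code from the commit or from the HTML spec; it assumes a hypothetical `platformSupportsConcrete` switch standing in for the spec's implementation-defined choice, constructed sample origin values, and leaves out the Origin-Agent-Cluster path to origin-keying.

```javascript
// Added example (not part of the commit or the HTML spec): a model of the
// tri-state cross-origin isolation mode, showing what each mode implies for
// agent cluster keying, document.domain, and the cross-origin isolated
// capability. `platformSupportsConcrete` is an assumed switch for the
// spec's "implementation-defined" choice between "logical" and "concrete".

// Browsing context group mode, derived from the top-level Document's COOP
// value. "same-origin-plus-COEP" is what "COOP: same-origin" becomes when
// "COEP: require-corp" is also present; a platform that cannot isolate
// processes (the commit cites Android WebView) picks "logical".
function modeForCoop(coopValue, platformSupportsConcrete) {
  if (coopValue !== "same-origin-plus-COEP") return "none";
  return platformSupportsConcrete ? "concrete" : "logical";
}

// Agent cluster key: the site, unless the group's mode is not "none", in
// which case the origin (the Origin-Agent-Cluster header path is omitted).
function agentClusterKey(mode, origin, site) {
  return mode !== "none" ? origin : site;
}

// Per-Document capability: requires "concrete" AND the Document being
// allowed to use the "cross-origin-isolated" permissions policy feature.
function crossOriginIsolatedCapability(mode, allowedToUseFeature) {
  return mode === "concrete" && allowedToUseFeature;
}

// Observable consequences for one Document. origin/site are constructed
// sample values: a subdomain and the site it belongs to.
function describe(coopValue, platformSupportsConcrete, allowedToUseFeature) {
  const origin = "https://app.example.com";
  const site = "https://example.com";
  const mode = modeForCoop(coopValue, platformSupportsConcrete);
  const isOriginKeyed = agentClusterKey(mode, origin, site) === origin;
  const capability = crossOriginIsolatedCapability(mode, allowedToUseFeature);
  return {
    mode,
    isOriginKeyed,
    // The document.domain setter returns early in origin-keyed clusters,
    // which is why the commit could drop its separate isolation check.
    documentDomainNoOp: isOriginKeyed,
    // Serializing a SharedArrayBuffer now checks the capability, not the mode,
    // so "logical" is origin-keyed yet cannot share memory.
    canSerializeSharedArrayBuffer: capability,
  };
}
```

Running `describe` over the three modes shows that "logical" keeps the origin-keying and document.domain restrictions of "concrete" while denying shared memory, and that even "concrete" yields no capability when the permissions policy feature is disallowed.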
Expand Up @@ -8085,16 +8085,16 @@ interface <dfn>DOMStringList</dfn> {
<p>If ! <span>IsSharedArrayBuffer</span>(<var>value</var>) is true, then:

<ol>
<li><p>Let <var>agentCluster</var> be the <span>surrounding agent</span>'s
<span>agent cluster</span>.</p></li>

<li>
<p>If <var>agentCluster</var>'s <span>cross-origin isolated</span> is false, then throw a
<span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p>
<p>If the <span>current settings object</span>'s <span
data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
capability</span> is false, then throw a <span>"<code>DataCloneError</code>"</span>
<code>DOMException</code>.</p>

<p class="note">This check is only needed when serializing (and not when deserializing) as
<span>cross-origin isolated</span> cannot change over time and a
<code>SharedArrayBuffer</code> cannot leave an <span>agent cluster</span>.</p>
the <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
isolated capability</span> cannot change over time and a <code>SharedArrayBuffer</code>
cannot leave an <span>agent cluster</span>.</p>
</li>

<li><p>If <var>forStorage</var> is true, then throw a
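Review bot: the replacement check is per-Document rather than per-agent-cluster, because the cross-origin isolated capability as defined later in this patch also requires the Document to be allowed to use the "cross-origin-isolated" feature; the note's claim that the capability "cannot change over time" holds for a given settings object, so it would be clearer to say "the current settings object's cross-origin isolated capability cannot change over time", since two Documents in one agent cluster can differ on this.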
Expand Down Expand Up @@ -77984,9 +77984,6 @@ console.assert(iframeWindow.frameElement === null);
keys</span> to <span data-x="agent cluster">agent clusters</span>). User agents are responsible
for collecting agent clusters when it is deemed that nothing can access them anymore.</p>

<p>A <span>browsing context group</span> has a <dfn data-x="bcg cross-origin
isolated">cross-origin isolated</dfn> boolean. It is initially false.</p>

<p>A <span>browsing context group</span> has an associated <dfn>historical agent cluster key
map</dfn>, which is a <span data-x="ordered map">map</span> of <span
data-x="origin">origins</span> to <span data-x="agent cluster key">agent cluster keys</span>. This
Expand All @@ -77997,6 +77994,41 @@ console.assert(iframeWindow.frameElement === null);
<p class="note">The <span>historical agent cluster key map</span> only ever gains entries over the
lifetime of the browsing context group.</p>

<p>A <span>browsing context group</span> has a <dfn
data-x="bcg-cross-origin-isolation">cross-origin isolation mode</dfn>, which is a
<span>cross-origin isolation mode</span>. It is initially "<code
data-x="cross-origin-isolation-none">none</code>".</p>

<p>A <dfn>cross-origin isolation mode</dfn> is one of three possible values: "<dfn><code
data-x="cross-origin-isolation-none">none</code></dfn>", "<dfn><code
data-x="cross-origin-isolation-logical">logical</code></dfn>", or "<dfn><code
data-x="cross-origin-isolation-concrete">concrete</code></dfn>".</p>

<div class="note">
<p>"<code data-x="cross-origin-isolation-logical">logical</code>" and "<code
data-x="cross-origin-isolation-concrete">concrete</code>" are similar. They are both used for
<span data-x="browsing context group">browsing context groups</span> where:</p>

<ul>
<li><p>every top-level <span>Document</span> has `<code data-x=""><span
data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</span>: <span
data-x="coop-same-origin">same-origin</span></code>`, and</p></li>

<li><p>every <span>Document</span> has `<code
data-x=""><span>Cross-Origin-Embedder-Policy</span>: <span
data-x="coep-require-corp">require-corp</span></code>`.</p></li>
</ul>

<p>On some platforms, it is difficult to provide the security properties required to grant safe
access to the APIs gated by the <span
data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
capability</span>. As a result, only "<code
data-x="cross-origin-isolation-concrete">concrete</code>" can grant access that capability.
"<code data-x="cross-origin-isolation-logical">logical</code>" is used on platform not supporting
this capability, where various restrictions imposed by cross-origin isolation will still apply,
but the capability is not granted.</p>
</div>

<p>To <dfn data-x="creating a new browsing context group">create a new browsing context
group</dfn>, run these steps:</p>

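Review bot: two wording slips in the new note: "only "concrete" can grant access that capability" is missing "to" (grant access to that capability), and ""logical" is used on platform not supporting this capability" should read "on platforms". It would also help to state here, as the navigation steps later in this patch do, that the choice between "logical" and "concrete" is implementation-defined.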
Expand Down Expand Up @@ -79645,11 +79677,18 @@ interface <dfn>BarProp</dfn> {

<dt>The <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
isolated capability</span></dt>
<dd><p>Return the logical conjunction of <var>realm</var>'s <span>agent cluster</span>'s
<span>cross-origin isolated</span> and whether <var>window</var>'s <span
data-x="concept-document-window">associated <code>Document</code></span> is <span>allowed to
use</span> the "<code data-x="cross-origin-isolated-feature">cross-origin-isolated</code>"
feature.</p></dd>
<dd>
<p>Return true if both of the following hold, and false otherwise:</p>
<ol>
<li><p><var>realm</var>'s <span>agent cluster</span>'s <span
data-x="agent-cluster-cross-origin-isolation">cross-origin-isolation mode</span> is "<code
data-x="cross-origin-isolation-concrete">concrete</code>", and</p></li>

<li><p><var>window</var>'s <span data-x="concept-document-window">associated
<code>Document</code></span> is <span>allowed to use</span> the "<code
data-x="cross-origin-isolated-feature">cross-origin-isolated</code>" feature.</p></li>
</ol>
</dd>
</dl>
</li>

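Review bot: the first list item renders the term as "cross-origin-isolation mode" (hyphenated) while the dfn and every other use in this patch say "cross-origin isolation mode"; the data-x attribute resolves either way, but the visible text should match the definition.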
Expand Down Expand Up @@ -80424,9 +80463,6 @@ interface <dfn>BarProp</dfn> {
a registrable domain suffix of and is not equal to</span> <var>effectiveDomain</var>, then throw
a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>

<li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
isolated</span> is true, then return.</p></li>

<li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>is
origin-keyed</span> is true, then return.</p></li>

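Review bot: dropping this step is only safe because of an invariant established elsewhere in the patch (a group whose mode is not "none" forces the agent cluster key to the origin, which makes is origin-keyed true); a short note on the remaining is origin-keyed step recording that dependency would keep a future change to agent cluster key selection from silently re-enabling document.domain in cross-origin isolated clusters.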
Expand Down Expand Up @@ -80534,10 +80570,11 @@ interface <dfn>BarProp</dfn> {
and the <code data-x="dom-originAgentCluster">originAgentCluster</code> getter will always return
true.</p>

<p class="note">Similarly, <code>Document</code>s in a <span>cross-origin isolated</span>
<span>agent cluster</span> are automatically origin-keyed. The `<code
data-x="http-origin-agent-cluster">Origin-Agent-Cluster</code>` header might be useful as an
additional hint to implementations about resource allocation, since the `<code
<p class="note">Similarly, <code>Document</code>s whose <span>agent cluster</span>'s
<span data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> is not
"<code data-x="cross-origin-isolation-none">none</code>" are automatically origin-keyed. The
`<code data-x="http-origin-agent-cluster">Origin-Agent-Cluster</code>` header might be useful as
an additional hint to implementations about resource allocation, since the `<code
data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` and
`<code>Cross-Origin-Embedder-Policy</code>` headers used to achieve cross-origin isolation are
more about ensuring that everything in the same address space opts in to being there. But adding
Expand Down Expand Up @@ -80901,8 +80938,9 @@ interface <dfn>BarProp</dfn> {
<dd>
<p>This behaves the same as "<code data-x="coop-same-origin">same-origin</code>", with the
addition that it sets the (new) <span>top-level browsing context</span>'s <span data-x="tlbc
group">group</span>'s <span data-x="bcg cross-origin isolated">cross-origin isolated</span> to
true.</p>
group">group</span>'s <span data-x="bcg-cross-origin-isolation">cross-origin isolation
mode</span> to one of "<code data-x="cross-origin-isolation-logical">logical</code>" or "<code
data-x="cross-origin-isolation-concrete">concrete</code>".</p>

<p class="note">"<code data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>" cannot
be directly set via the `<code
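Review bot: "to one of "logical" or "concrete"" leaves the reader guessing how the choice is made; say that it is implementation-defined, as the navigation steps for "same-origin-plus-COEP" do, or cross-reference that step.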
Expand Down Expand Up @@ -81308,10 +81346,21 @@ interface <dfn>BarProp</dfn> {
<li><p>Let <var>newBrowsingContext</var> be the result of <span>creating a new top-level browsing
context</span>.</p></li>

<li><p>If <var>navigationCOOP</var>'s <span data-x="coop-struct-value">value</span> is "<code
data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>", then set
<var>newBrowsingContext</var>'s <span data-x="tlbc group">group</span>'s <span data-x="bcg
cross-origin isolated">cross-origin isolated</span> to true.</p></li>
<li>
<p>If <var>navigationCOOP</var>'s <span data-x="coop-struct-value">value</span> is "<code
data-x="coop-same-origin-plus-COEP">same-origin-plus-COEP</code>", then set
<var>newBrowsingContext</var>'s <span data-x="tlbc group">group</span>'s <span
data-x="bcg-cross-origin-isolation">cross-origin isolation mode</span> to either "<code
data-x="cross-origin-isolation-logical">logical</code>" or "<code
data-x="cross-origin-isolation-concrete">concrete</code>". The choice of which is
<span>implementation-defined</span>.</p>

<p class="note">It is difficult on some platforms to provide the security properties required by
the <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
isolated capability</span>. "<code data-x="cross-origin-isolation-concrete">concrete</code>"
grants access to it and "<code data-x="cross-origin-isolation-logical">logical</code>" does
not.</p>
</li>

<li>
<p>If <var>sandboxFlags</var> is not empty, then:</p>
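Review bot: "implementation-defined" here is scoped to each browsing context group creation, which as written permits a single user agent to pick "logical" for one group and "concrete" for another; if the intent is a platform-wide choice, the text should say so. The note in this hunk also restates the note added beside the cross-origin isolation mode definition; one of the two could be reduced to a cross-reference.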
Expand Down Expand Up @@ -86778,8 +86827,8 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
<p>Contains various <code>Window</code> objects which can potentially reach each other, either
directly or by using <code data-x="dom-document-domain">document.domain</code>.</p>

<p>If the encompassing <span>agent cluster</span>'s <span>cross-origin isolated</span> is true,
then all the <code>Window</code> objects will be <span>same origin</span>, can reach each other
<p>If the encompassing <span>agent cluster</span>'s <span>is origin-keyed</span> is true, then
all the <code>Window</code> objects will be <span>same origin</span>, can reach each other
directly, and <code data-x="dom-document-domain">document.domain</code> will no-op.</p>

<p class="note">Two <code>Window</code> objects that are <span>same origin</span> can be in
Expand Down Expand Up @@ -86862,8 +86911,10 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {

<div w-nodev>

<p>An <span>agent cluster</span> has an associated <dfn>cross-origin isolated</dfn> (a boolean),
which is initially false.</p>
<p>An <span>agent cluster</span> has an associated <dfn
data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</dfn>, which is a
<span>cross-origin isolation mode</span>. It is initially "<code
data-x="cross-origin-isolation-none">none</code>".</p>

<p>An <span>agent cluster</span> has an associated <dfn>is origin-keyed</dfn> (a boolean), which
is initially false.</p>
Expand Down Expand Up @@ -86891,8 +86942,9 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {

<li><p>Let <var>key</var> be <var>site</var>.</p></li>

<li><p>If <var>group</var>'s <span data-x="bcg cross-origin isolated">cross-origin
isolated</span> is true, then set <var>key</var> to <var>origin</var>.</p></li>
<li><p>If <var>group</var>'s <span data-x="bcg-cross-origin-isolation">cross-origin isolation
mode</span> is not "<code data-x="cross-origin-isolation-none">none</code>", then set
<var>key</var> to <var>origin</var>.</p></li>

<li><p>Otherwise, if <var>group</var>'s <span>historical agent cluster key
map</span>[<var>origin</var>] <span data-x="map exists">exists</span>, then set <var>key</var> to
Expand All @@ -86917,8 +86969,10 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
<ol>
<li><p>Let <var>agentCluster</var> be a new <span>agent cluster</span>.</p></li>

<li><p>Set <var>agentCluster</var>'s <span>cross-origin isolated</span> to <var>group</var>'s
<span data-x="bcg cross-origin isolated">cross-origin isolated</span>.</p></li>
<li><p>Set <var>agentCluster</var>'s <span
data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> to
<var>group</var>'s <span data-x="bcg-cross-origin-isolation">cross-origin isolation
mode</span>.</p></li>

<li><p>Set <var>agentCluster</var>'s <span>is origin-keyed</span> to true if <var>key</var>
equals <var>origin</var>; otherwise false.</p></li>
Expand Down Expand Up @@ -87299,8 +87353,9 @@ interface <dfn>BeforeUnloadEvent</dfn> : <span>Event</span> {
href="https://github.com/tc39/ecma262/issues/1357">tc39/ecma262#1357</a>.</span></p></li>

<li>
<p>If <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> is
false, then:</p>
<p>If <var>agent</var>'s <span>agent cluster</span>'s <span
data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> is "<code
data-x="cross-origin-isolation-none">none</code>", then:</p>

<ol>
<li><p>Let <var>global</var> be <var>realm</var>'s <span data-x="concept-realm-global">global
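Review bot: this condition treats "logical" the same as "concrete" (the nested steps only run for "none"), while the serialization check in the first hunk and the capability definition treat "logical" the same as "none"; if that asymmetry is intended, a note here explaining why these steps key on the mode rather than on the capability would help, since the steps below are the ones that previously depended on the old boolean.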
Expand Down Expand Up @@ -99220,8 +99275,11 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
<p>If <var>worker global scope</var>'s <span
data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span> is "<code
data-x="coep-require-corp">require-corp</code>" and <var>is shared</var> is true, then set
<var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin isolated</span> to
true.</p>
<var>agent</var>'s <span>agent cluster</span>'s <span
data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> to "<code
data-x="cross-origin-isolation-logical">logical</code>" or "<code
data-x="cross-origin-isolation-concrete">concrete</code>". The one chosen is
<span>implementation-defined</span>.</p>

<p class="XXX">This really ought to be set when the agent cluster is created, which requires a
redesign of this section.</p>
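Review bot: "The one chosen is implementation-defined" differs from "The choice of which is implementation-defined" in the navigation steps; pick one phrasing. It also leaves open whether a shared worker's choice must match the one made for browsing context groups on the same platform, which matters because the worker's cross-origin isolated capability, set a few steps later, depends on it.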
Expand All @@ -99234,8 +99292,9 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {

<li><p>Set <var>worker global scope</var>'s <span
data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated
capability</span> to <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin
isolated</span>.</p></li>
capability</span> to true if <var>agent</var>'s <span>agent cluster</span>'s <span
data-x="agent-cluster-cross-origin-isolation">cross-origin isolation mode</span> is "<code
data-x="cross-origin-isolation-concrete">concrete</code>".</p></li>

<li><p>If <var>is shared</var> is false and <var>owner</var>'s <span
data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
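Review bot: "Set ... to true if ... is "concrete"" does not say what happens otherwise; the Window definition earlier in this patch spells out "and false otherwise", so add the same here (or phrase it as "to whether ... is "concrete"") so the capability is explicitly false for "none" and "logical".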
Expand Down
