From 68d940ce562f819f28b2d30449ed3bf19cbeb095 Mon Sep 17 00:00:00 2001
From: Arthur Sonzogni
Date: Wed, 18 Nov 2020 18:35:41 +0100
Subject: [PATCH] Make COOP+COEP not imply crossOriginIsolated.

The [specification] currently requires [COOP] + [COEP] to give access to crossOriginIsolated capabilities like SharedArrayBuffer.

Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However, there are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present. It would be great to enforce COEP (and maybe COOP) on all platforms, despite the lack of crossOriginIsolated capabilities.

This patch makes the specification allow (instead of requiring) platforms to set the crossOriginIsolated flag when both COOP and COEP are used. Setting crossOriginIsolated becomes platform-dependent. In exchange, we can enforce COEP (and COOP) in a non-platform-dependent way, without conflicting with the specification about crossOriginIsolated.

[Bug]: https://github.com/whatwg/html/issues/6060
[specification]: https://html.spec.whatwg.org/#cross-origin-opener-policies
[COOP]: https://html.spec.whatwg.org/#cross-origin-opener-policy
[COEP]: https://html.spec.whatwg.org/#coep
---
 source | 155 +++++++++++++++++++++++++++++++++++++++++----------------
 1 file changed, 111 insertions(+), 44 deletions(-)

diff --git a/source b/source
index fcb9dde398e..d4100848503 100644
--- a/source
+++ b/source
@@ -8017,7 +8017,7 @@ interface DOMStringList {

StructuredSerializeInternal ( value, forStorage [ , - memory ] )

+ memory ])

The StructuredSerializeInternal abstract operation takes as input a JavaScript value value and serializes it to a DataCloneError" DOMException.

- -

This check is only needed when serializing (and not when deserializing) as - cross-origin isolated cannot change over time and a - SharedArrayBuffer cannot leave an agent cluster.

- -
  • If forStorage is true, then throw a "DataCloneError" DOMException.

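Review bot: deleting the serialize-time check and its note ("This check is only needed when serializing (and not when deserializing) ...") changes which side observes the failure: a SharedArrayBuffer in a non-isolated realm now serializes without error and the DataCloneError is raised only when the target realm deserializes it (the check added in the 8504 hunk of this patch). For postMessage that moves the exception from the sender to the receiver, which is author-visible; state that in the commit message, or keep a sender-side check if the move is not intended.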
  • @@ -8513,6 +8504,18 @@ o.myself = o; serialized.[[AgentCluster]], then then throw a "DataCloneError" DOMException.

    +
  • If targetRealm's cross-origin isolated capability is false, then throw + "DataCloneError" DOMException.

    + +

    This check is only needed when deserializing (and not when serializing) as + + cross-origin isolated capability cannot change over time and a + SharedArrayBuffer cannot leave an agent + cluster.

    +
  • +
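Review bot: the new step "If targetRealm's cross-origin isolated capability is false, then throw "DataCloneError" DOMException" drops the article; make it "then throw a "DataCloneError" DOMException" to match the forStorage step in the previous hunk. While touching this list, the unchanged context line just above reads "then then throw", which is worth fixing in the same hunk since the surrounding steps are being edited.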
  • Otherwise, set value to a new SharedArrayBuffer object in targetRealm whose [[ArrayBufferData]] internal slot value is serialized.[[ArrayBufferData]] and whose [[ArrayBufferByteLength]] internal slot @@ -77984,8 +77987,43 @@ console.assert(iframeWindow.frameElement === null); keys to agent clusters). User agents are responsible for collecting agent clusters when it is deemed that nothing can access them anymore.

    -

    A browsing context group has a cross-origin isolated boolean. It is initially false.

    +

    A browsing context group has a cross-origin-isolation variable of type + cross-origin-isolation. Initially "isolation-none"

    + +

    A cross-origin-isolation type can take 3 possible values:

    + + +
    +

    + isolation-logical and + isolation-concrete are similar. They are both used + for browsing context group, where: +

    +
      +
    • Every top-level Document has ` + Cross-Origin-Opener-Policy: + same-origin`

    • + +
    • Every Document has + `Cross-Origin-Embedder-Policy: + require-corp`

    • +
    +

    + On some platforms, it is difficult to provide the security properties required + by the cross-origin + isolated capability. As a result, only isolation-concrete can grant access to the cross-origin isolated + capability. isolation-concrete is + used on platform not supporting this capability. +

    +

    A browsing context group has an associated historical agent cluster key map, which is a map of BarProp {

    The cross-origin isolated capability
    -

    Return the logical conjunction of realm's agent cluster's - cross-origin isolated and whether window's associated Document is allowed to - use the "cross-origin-isolated" - feature.

    +

    Return the logical conjunction of:

    +
      +
    1. realm's agent cluster's cross-origin-isolation is isolation-concrete

    2. + +
    3. associated Document is + allowed to use the "cross-origin-isolated" feature.

      +
    +
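Review bot: the closing note in this hunk contradicts itself: "only isolation-concrete can grant access to the cross-origin isolated capability. isolation-concrete is used on platform not supporting this capability." The second sentence must name isolation-logical, as the parallel note in the create-a-new-browsing-context hunk does ("Isolation-logical won't and is used for the platforms not supporting it"); also "on platform" should be "on platforms". Two smaller points: the definition "Initially "isolation-none"" is missing its period, and since the text promises "3 possible values" the enumeration should define isolation-none alongside isolation-logical and isolation-concrete rather than only describing the two isolated states.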
  • @@ -80424,8 +80468,9 @@ interface BarProp { a registrable domain suffix of and is not equal to effectiveDomain, then throw a "SecurityError" DOMException.

    -
  • If the surrounding agent's agent cluster's cross-origin - isolated is true, then return.

  • +
  • If the surrounding agent's agent cluster's + cross-origin-isolation is not isolation-none then return.

  • If the surrounding agent's agent cluster's is origin-keyed is true, then return.

  • @@ -80534,17 +80579,16 @@ interface BarProp { and the originAgentCluster getter will always return true.

    -

    Similarly, Documents in a cross-origin isolated - agent cluster are automatically origin-keyed. The `Origin-Agent-Cluster` header might be useful as an - additional hint to implementations about resource allocation, since the `Similarly, Documents with agent cluster's + cross-origin-isolated not isolation-none are automatically origin-isolated. The + `Origin-Agent-Cluster` header might be useful as + an additional hint to implementations about resource allocation, since the `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy` headers used to achieve cross-origin isolation are more about ensuring that everything in the same address space opts in to being there. But adding it would have no additional observable effects on author code.

    - -

    Sandboxing

    A sandboxing flag set is a set of zero or more of the following flags, which @@ -80901,8 +80945,9 @@ interface BarProp {

    This behaves the same as "same-origin", with the addition that it sets the (new) top-level browsing context's group's cross-origin isolated to - true.

    + group">group's cross-origin-isolation to + isolation-logical or isolation-concrete

    "same-origin-plus-COEP" cannot be directly set via the `BarProp {

  • If navigationCOOP's value is "same-origin-plus-COEP", then set - newBrowsingContext's group's cross-origin isolated to true.

  • + newBrowsingContext's group's cross-origin-isolation to: isolation-logical or isolation-concrete. The one used is + platform-specific.

    + +

    It is difficult on some platforms to provide the security properties required by + the cross-origin isolated + capability. Only the isolation-concrete might grant access to it. + Isolation-logical won't and is used for the + platforms not supporting it.

    +
  • If sandboxFlags is not empty, then:

    @@ -86779,9 +86835,11 @@ interface BeforeUnloadEvent : Event {

    Contains various Window objects which can potentially reach each other, either directly or by using document.domain.

    -

    If the encompassing agent cluster's cross-origin isolated is true, - then all the Window objects will be same origin, can reach each other - directly, and document.domain will no-op.

    +

    If the encompassing agent cluster's cross-origin-isolation is not isolation-none, then all the Window + objects will be same origin, can reach each other directly, and document.domain will no-op.

    Two Window objects that are same origin can be in different similar-origin window agents, for @@ -86863,8 +86921,10 @@ interface BeforeUnloadEvent : Event {

    -

    An agent cluster has an associated cross-origin isolated (a boolean), - which is initially false.

    +

    An agent cluster has an associated cross-origin-isolation variable, of type + cross-origin-isolation. Initially set to isolation-none.

    An agent cluster has an associated is origin-keyed (a boolean), which is initially false.

    @@ -86892,8 +86952,10 @@ interface BeforeUnloadEvent : Event {
  • Let key be site.

  • -
  • If group's cross-origin - isolated is true, then set key to origin.

  • +
  • If group's cross-origin-isolation is not isolation-none, then set key to + origin.

  • Otherwise, if group's historical agent cluster key map[origin] exists, then set key to @@ -86918,8 +86980,9 @@ interface BeforeUnloadEvent : Event {

    1. Let agentCluster be a new agent cluster.

    2. -
    3. Set agentCluster's cross-origin isolated to group's - cross-origin isolated.

    4. +
    5. Set agentCluster's cross-origin-isolation to group's + cross-origin-isolation.

    6. Set agentCluster's is origin-keyed to true if key equals origin; otherwise false.

    7. @@ -87300,8 +87363,9 @@ interface BeforeUnloadEvent : Event { href="https://github.com/tc39/ecma262/issues/1357">tc39/ecma262#1357.

    8. -

      If agent's agent cluster's cross-origin isolated is - false, then:

      +

      If agent's agent cluster's cross-origin-isolation is isolation-none, then:

      1. Let global be realm's global @@ -99221,8 +99285,11 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope {

        If worker global scope's embedder policy is "require-corp" and is shared is true, then set - agent's agent cluster's cross-origin isolated to - true.

        + agent's agent cluster's cross-origin-isolated to isolation-logical or isolation-concrete. The one chosen is + platform-specific.

        This really ought to be set when the agent cluster is created, which requires a redesign of this section.

        @@ -99235,8 +99302,8 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope {
      2. Set worker global scope's cross-origin isolated - capability to agent's agent cluster's cross-origin - isolated.

      3. + capability to agent's agent cluster's cross-origin-isolation.

      4. If is shared is false and owner's cross-origin isolated
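Review bot: "Set worker global scope's cross-origin isolated capability to agent's agent cluster's cross-origin-isolation" assigns a three-valued cross-origin-isolation to a boolean capability. Mirror the Window getter added earlier in this patch: set the capability to true if the agent cluster's cross-origin-isolation is isolation-concrete, and to false otherwise. Without that, a worker in an isolation-logical agent cluster carries a non-boolean value into the deserialize-time check added at 8504, and it is unclear whether it would receive a SharedArrayBuffer when the documents on the same platform would not.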