Make COOP+COEP do not imply crossOriginIsolated.

ArthurSonzogni · ArthurSonzogni · commit c79e8f3dc686 · 2020-11-18T18:54:33.000+01:00
The [specification] currently requires [COOP] + [COEP] to give access to crossOriginIsolated capabilities like SharedArrayBuffer. Some platforms can't easily support multiple processes (like Android Webview). Therefore, they can't really support crossOriginIsolated. However the are no strong reasons for them not to enforce COEP (and maybe COOP) when their associated headers are present. It would be great enforcing COEP (and maybe COOP) on all platforms, desptie the lack of crossOriginIsolated capabilities. This patch makes the specification to allow (instead of requiring) platform to set the crossOriginIsolated flag when both COOP and COEP are used. Setting crossOriginIsolated becomes platform dependent. In exchange, we can enforce COEP (and COOP) in a non platform dependent way, without conflicting with the specification about crossOriginIsolated. [Bug]: #6060 [specification]: https://html.spec.whatwg.org/#cross-origin-opener-policies [COOP]: https://html.spec.whatwg.org/#cross-origin-opener-policy [COEP]: https://html.spec.whatwg.org/#coep
diff --git a/source b/source
@@ -79602,6 +79602,14 @@ interface <dfn>BarProp</dfn> {
    <var>window</var>'s <span data-x="concept-document-window">associated
    <code>Document</code></span>.</p></li>
 
+   <li><p>Let <var>canBeCrossOriginIsolated</var> be true if the user agent is willing to give access
+   to <code data-x="cross-origin-isolated-feature">cross-origin-isolated</code> features, and false
+   otherwise.</p>
+   <p class="note">Not every platform can easily support the security properties associated with the
+   <code data-x="cross-origin-isolated-feature">cross-origin-isolated</code> feature. Once the
+   decision to support it has been made, it is guaranteed not to change over time.</p>
+   </li>
+
    <li>
     <p>Let <var>settings object</var> be a new <span>environment settings object</span> whose
     algorithms are defined as follows:</p>
@@ -79668,11 +79676,19 @@ interface <dfn>BarProp</dfn> {
 
      <dt>The <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
      isolated capability</span></dt>
-     <dd><p>Return the logical conjunction of <var>realm</var>'s <span>agent cluster</span>'s
-     <span>cross-origin isolated</span> and whether <var>window</var>'s <span
-     data-x="concept-document-window">associated <code>Document</code></span> is <span>allowed to
-     use</span> the "<code data-x="cross-origin-isolated-feature">cross-origin-isolated</code>"
-     feature.</p></dd>
+     <dd><p>Return the logical conjunction of:</p>
+     <ol>
+       <li><p><var>canBeCrossOriginIsolated</var></p></li>
+
+       <li><p><var>realm</var>'s <span>agent cluster</span>'s <span>cross-origin
+       isolated</span></p></li>
+
+       <li><p><var>window</var>'s <span data-x="concept-document-window">associated
+       <code>Document</code></span> is <span>allowed to use</span> the "<code
+       data-x="cross-origin-isolated-feature">cross-origin-isolated</code>" feature.</p>
+     </ol>
+     </dd>
+
     </dl>
    </li>
 
@@ -88664,7 +88680,20 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
    for="environment settings object">cross-origin isolated capability</dfn></dt>
 
    <dd><p>A boolean representing whether scripts that use this <span>environment settings
-   object</span> are allowed to use APIs that require cross-origin isolation.</p></dd>
+   object</span> are allowed to use APIs that require cross-origin isolation.</p>
+   <div class="note">
+     <p>
+       This value is platform dependent, because on some platforms is not possible to provide the
+       security properties associated with this state. There are platform independent invariants
+       though, it "MUST" be false whenever:
+     </p>
+     <ul>
+       <li><p>The surrounding agent cluster's cross-origin isolated is false</p></li>
+       <li><p>The corresponding feature policy doesn't allow to use the feature</p></li>
+     </ul>
+   </div>
+   </dd>
+
   </dl>
 
   <p>An <span>environment settings object</span> also has an <dfn>outstanding rejected promises
