diff --git a/source b/source index 228b0ba53f8..8a5e08fe4e8 100644 --- a/source +++ b/source @@ -8084,16 +8084,16 @@ interface DOMStringList {

If ! IsSharedArrayBuffer(value) is true, then:

    -
  1. Let agentCluster be the surrounding agent's - agent cluster.

  2. -
  3. -

    If agentCluster's cross-origin isolated is false, then throw a - "DataCloneError" DOMException.

    +

    If the current settings object's cross-origin isolated + capability is false, then throw a "DataCloneError" + DOMException.

    This check is only needed when serializing (and not when deserializing) as - cross-origin isolated cannot change over time and a - SharedArrayBuffer cannot leave an agent cluster.

    + the cross-origin + isolated capability cannot change over time and a SharedArrayBuffer + cannot leave an agent cluster.

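Review bot: the retained rationale sentence ("cannot change over time and a SharedArrayBuffer cannot leave an agent cluster") no longer matches the check it justifies. The check now reads the current settings object's cross-origin isolated capability, which per the @@ -79644 hunk is true only when the agent cluster's mode is "concrete" and the Document is allowed to use the "cross-origin-isolated" feature; that second condition is per-Document, so two Documents in one agent cluster can differ. Either explain why a serialize-time-only check remains sufficient for a receiving Document in the same cluster whose capability is false, or phrase the note in terms of the agent cluster's cross-origin isolation mode, which is what the "cannot leave an agent cluster" argument actually relies on.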
  4. If forStorage is true, then throw a @@ -77983,9 +77983,6 @@ console.assert(iframeWindow.frameElement === null); keys to agent clusters). User agents are responsible for collecting agent clusters when it is deemed that nothing can access them anymore.

    -

    A browsing context group has a cross-origin isolated boolean. It is initially false.

    -

    A browsing context group has an associated historical agent cluster key map, which is a map of origins to agent cluster keys. This @@ -77996,6 +77993,41 @@ console.assert(iframeWindow.frameElement === null);

    The historical agent cluster key map only ever gains entries over the lifetime of the browsing context group.

    +

    A browsing context group has a cross-origin isolation mode, which is a + cross-origin isolation mode. It is initially "none".

    + +

    A cross-origin isolation mode is one of three possible values: "none", "logical", or "concrete".

    + +
    +

    "logical" and "concrete" are similar. They are both used for + browsing context groups where:

    + +
      +
    • every top-level Document has `Cross-Origin-Opener-Policy: same-origin`, and

    • + +
    • every Document has `Cross-Origin-Embedder-Policy: require-corp`.

    • +
    + +

    On some platforms, it is difficult to provide the security properties required to grant safe + access to the APIs gated by the cross-origin isolated + capability. As a result, only "concrete" can grant access that capability. + "logical" is used on platform not supporting + this capability, where various restrictions imposed by cross-origin isolation will still apply, + but the capability is not granted.

    +
    +

    To create a new browsing context group, run these steps:
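Review bot: two wording slips in the new note under the cross-origin isolation mode definition: "only "concrete" can grant access that capability" is missing "to" ("grant access to that capability"), and ""logical" is used on platform not supporting this capability" should read "on platforms". Also consider naming, or cross-referencing, the restrictions that "logical" still imposes; "various restrictions imposed by cross-origin isolation will still apply" leaves the reader guessing which ones.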

    @@ -79644,11 +79676,18 @@ interface BarProp {
    The cross-origin isolated capability
    -

    Return the logical conjunction of realm's agent cluster's - cross-origin isolated and whether window's associated Document is allowed to - use the "cross-origin-isolated" - feature.

    +
    +

    Return true if both of the following hold, and false otherwise:

    +
      +
    1. realm's agent cluster's cross-origin-isolation mode is "concrete", and

    2. + +
    3. window's associated + Document is allowed to use the "cross-origin-isolated" feature.

    4. +
    +
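Review bot: inconsistent term in step 1 of the new capability algorithm: it says "cross-origin-isolation mode" (hyphenated), while the term this patch defines for browsing context groups and agent clusters is "cross-origin isolation mode". Use the defined spelling so the cross-reference resolves to the definition.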
  5. @@ -80423,9 +80462,6 @@ interface BarProp { a registrable domain suffix of and is not equal to effectiveDomain, then throw a "SecurityError" DOMException.

    -
  6. If the surrounding agent's agent cluster's cross-origin - isolated is true, then return.

  7. -
  8. If the surrounding agent's agent cluster's is origin-keyed is true, then return.
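Review bot: the removed early return ("If the surrounding agent's agent cluster's cross-origin isolated is true, then return") is only safe to drop because the remaining is origin-keyed check now subsumes it: in the @@ -86854 hunk a group whose mode is not "none" keys its agent clusters by origin, so both "logical" and "concrete" clusters are origin-keyed. That dependency is not visible from this step; a short note here ("agent clusters with a cross-origin isolation mode other than "none" are origin-keyed, so this check covers them") would keep the document.domain setter readable on its own.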

  9. @@ -80533,10 +80569,11 @@ interface BarProp { and the originAgentCluster getter will always return true.

    -

    Similarly, Documents in a cross-origin isolated - agent cluster are automatically origin-keyed. The `Origin-Agent-Cluster` header might be useful as an - additional hint to implementations about resource allocation, since the `Similarly, Documents whose agent cluster's + cross-origin isolation mode is not + "none" are automatically origin-keyed. The + `Origin-Agent-Cluster` header might be useful as + an additional hint to implementations about resource allocation, since the `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy` headers used to achieve cross-origin isolation are more about ensuring that everything in the same address space opts in to being there. But adding @@ -80900,8 +80937,9 @@ interface BarProp {

    This behaves the same as "same-origin", with the addition that it sets the (new) top-level browsing context's group's cross-origin isolated to - true.

    + group">group's cross-origin isolation + mode to one of "logical" or "concrete".

    "same-origin-plus-COEP" cannot be directly set via the `BarProp {

  10. Let newBrowsingContext be the result of creating a new top-level browsing context.

  11. -
  12. If navigationCOOP's value is "same-origin-plus-COEP", then set - newBrowsingContext's group's cross-origin isolated to true.

  13. +
  14. +

    If navigationCOOP's value is "same-origin-plus-COEP", then set + newBrowsingContext's group's cross-origin isolation mode to either "logical" or "concrete". The choice of which is + implementation-defined.

    + +

    It is difficult on some platforms to provide the security properties required by + the cross-origin + isolated capability. "concrete" + grants access to it and "logical" does + not.

    +
  15. If sandboxFlags is not empty, then:
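Review bot: ordering question on the new "same-origin-plus-COEP" step: the group's cross-origin isolation mode is set only after "creating a new top-level browsing context" has run, and agent clusters copy the group's mode at creation time (@@ -86880 hunk). If that creation step already creates a Document and therefore an agent cluster, that cluster keeps "none". Either set the mode before the browsing context is created or state why no agent cluster can exist yet. Separately, the explanatory note on "logical" versus "concrete" repeats the one in the browsing context group section; a cross-reference would avoid two copies drifting apart.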

    @@ -86741,8 +86790,8 @@ interface BeforeUnloadEvent : Event {

    Contains various Window objects which can potentially reach each other, either directly or by using document.domain.

    -

    If the encompassing agent cluster's cross-origin isolated is true, - then all the Window objects will be same origin, can reach each other +

    If the encompassing agent cluster's is origin-keyed is true, then + all the Window objects will be same origin, can reach each other directly, and document.domain will no-op.

    Two Window objects that are same origin can be in @@ -86825,8 +86874,10 @@ interface BeforeUnloadEvent : Event {

    -

    An agent cluster has an associated cross-origin isolated (a boolean), - which is initially false.

    +

    An agent cluster has an associated cross-origin isolation mode, which is a + cross-origin isolation mode. It is initially "none".

    An agent cluster has an associated is origin-keyed (a boolean), which is initially false.

    @@ -86854,8 +86905,9 @@ interface BeforeUnloadEvent : Event {
  16. Let key be site.

  17. -
  18. If group's cross-origin - isolated is true, then set key to origin.

  19. +
  20. If group's cross-origin isolation + mode is not "none", then set + key to origin.

  21. Otherwise, if group's historical agent cluster key map[origin] exists, then set key to @@ -86880,8 +86932,10 @@ interface BeforeUnloadEvent : Event {

    1. Let agentCluster be a new agent cluster.

    2. -
    3. Set agentCluster's cross-origin isolated to group's - cross-origin isolated.

    4. +
    5. Set agentCluster's cross-origin isolation mode to + group's cross-origin isolation + mode.

    6. Set agentCluster's is origin-keyed to true if key equals origin; otherwise false.

    7. @@ -87262,8 +87316,9 @@ interface BeforeUnloadEvent : Event { href="https://github.com/tc39/ecma262/issues/1357">tc39/ecma262#1357.

    8. -

      If agent's agent cluster's cross-origin isolated is - false, then:

      +

      If agent's agent cluster's cross-origin isolation mode is "none", then:

      1. Let global be realm's global @@ -99183,8 +99238,11 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope {

        If worker global scope's embedder policy is "require-corp" and is shared is true, then set - agent's agent cluster's cross-origin isolated to - true.

        + agent's agent cluster's cross-origin isolation mode to "logical" or "concrete". The one chosen is + implementation-defined.

        This really ought to be set when the agent cluster is created, which requires a redesign of this section.
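Review bot: the implementation-defined choice here is made per agent cluster, whereas in the @@ -80900 hunk it is made per browsing context group and then copied into every agent cluster. State whether a user agent is expected to make the same choice in both places (presumably yes, since both reflect the same platform limitation); otherwise a shared worker's agent cluster and the browsing context group of the pages that created it could end up with different modes. Also align the phrasing: "The one chosen is implementation-defined" here versus "The choice of which is implementation-defined" in the navigation hunk.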

        @@ -99197,8 +99255,9 @@ interface SharedWorkerGlobalScope : WorkerGlobalScope {
      2. Set worker global scope's cross-origin isolated - capability to agent's agent cluster's cross-origin - isolated.

      3. + capability to true if agent's agent cluster's cross-origin isolation mode is "concrete".

      4. If is shared is false and owner's cross-origin isolated
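Review bot: "Set worker global scope's cross-origin isolated capability to true if agent's agent cluster's cross-origin isolation mode is "concrete"" leaves the "logical" and "none" cases implicit, so it reads as a conditional assignment rather than a definition of the value. Mirror the Window getter in the @@ -79644 hunk: "to true if ... is "concrete", and false otherwise".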