Add the Origin-Isolation header

See https://github.com/WICG/origin-isolation.

Author: domenic

source

@@ -2460,7 +2460,8 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
 
     <ul class="brief">
      <li><dfn data-x="http-structured-header" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html">structured header</dfn></li>
-     <li><dfn data-x="http-structured-header-token" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html#token">structured header tokens</dfn></li>
+     <li><dfn data-x="http-structured-header-token" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html#token">token</dfn></li>
+     <li><dfn data-x="http-structured-header-boolean" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html#boolean">boolean</dfn></li>
     </ul>
 
     <p>The following terms are defined in <cite>MIME Sniffing</cite>: <ref spec=MIMESNIFF></p>
@@ -2868,6 +2869,18 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
    </dd>
 
 
+   <dt>WebAssembly</dt>
+
+   <dd>
+    <p>The following term is defined in <cite>WebAssembly JavaScript Interface</cite>: <ref
+    spec=WASMJS></p>
+
+    <ul class="brief">
+     <li><dfn data-x-href="https://webassembly.github.io/spec/js-api/#module"><code>WebAssembly.Module</code></dfn></li>
+    </ul>
+   </dd>
+
+
    <dt>DOM</dt>
 
    <dd>
@@ -76616,7 +76629,7 @@ popup4.close();</code></pre></div>
 
    <li><p>Let <var>agent</var> be the result of <span
    data-x="obtain-similar-origin-window-agent">obtaining a similar-origin window agent</span> given
-   <var>origin</var> and <var>group</var>.</p></li>
+   <var>origin</var>, <var>group</var>, and false.</p></li>
 
    <li>
     <p>Let <var>realm execution context</var> be the result of <span>creating a new JavaScript
@@ -77211,6 +77224,15 @@ console.assert(iframeWindow.frameElement === null);
   isolated</span> is under discussion in <a href="https://github.com/whatwg/html/pull/4734">issue
   #4734</a>.</p>
 
+  <p>A <span>browsing context group</span> has an associated <dfn>historical agent cluster key
+  map</dfn>, which is a <span data-x="ordered map">map</span> of <span
+  data-x="origin">origins</span> to <span data-x="agent cluster key">agent cluster keys</span>. This
+  map is used to ensure the consistency of the <a href="#origin-isolation">origin isolation</a>
+  feature by recording what agent cluster keys were previously used for a given origin.</p>
+
+  <p class="note">The <span>historical agent cluster key map</span> only ever gains entries over the
+  lifetime of the browsing context group.</p>
+
   <p>To <dfn data-x="creating a new browsing context group">create a new browsing context
   group</dfn>, run these steps:</p>
 
@@ -77910,6 +77932,7 @@ interface <dfn data-export="" data-dfn-type="interface">Window</dfn> : <span>Eve
   // the user agent
   readonly attribute <span>Navigator</span> <span data-x="dom-navigator">navigator</span>; <!-- IE also has window.clientInformation === window.navigator -->
   [SecureContext] readonly attribute <span>ApplicationCache</span> <span data-x="dom-applicationCache">applicationCache</span>;
+  [SecureContext] readonly attribute boolean <span data-x="dom-originIsolationRestricted">originIsolationRestricted</span>;
 
   // user prompts
   void <span data-x="dom-alert">alert</span>();
@@ -79534,7 +79557,8 @@ interface <dfn>BarProp</dfn> {
     <p>Can be set to a value that removes subdomains, to change the <span>origin</span>'s <span
     data-x="concept-origin-domain">domain</span> to allow pages on other subdomains of the same
     domain (if they do the same thing) to access each other. (Can't be set in sandboxed
-    <code>iframe</code>s.)</p>
+    <code>iframe</code>s, and setting it will do nothing if the <code>Document</code> is <a
+    href="#origin-isolation">origin-isolated</a>.)</p>
    </dd>
   </dl>
 
@@ -79579,38 +79603,34 @@ interface <dfn>BarProp</dfn> {
    <li><p>Return true.</p></li>
   </ol>
 
-  <p>The <dfn><code data-x="dom-document-domain">domain</code></dfn> attribute's getter must run
-  these steps:</p>
+  <p>The <dfn><code data-x="dom-document-domain">domain</code></dfn> getter steps are:</p>
 
   <ol>
-   <li><p>Let <var>effectiveDomain</var> be this <code>Document</code> object's
-   <span>origin</span>'s <span data-x="concept-origin-effective-domain">effective domain</span>.
+   <li><p>Let <var>effectiveDomain</var> be <span>this</span>'s <span>origin</span>'s <span
+   data-x="concept-origin-effective-domain">effective domain</span>.
 
    <li><p>If <var>effectiveDomain</var> is null, then return the empty string.</p></li>
 
    <li><p>Return <var>effectiveDomain</var>, <span data-x="host
    serializer">serialized</span>.</p></li>
   </ol>
 
-  <p>The <code data-x="dom-document-domain">domain</code> attribute's setter must run these
-  steps:</p>
+  <p>The <code data-x="dom-document-domain">domain</code> setter steps are:</p>
 
   <ol>
-   <li><p>If this <code>Document</code> object's <span data-x="concept-document-bc">browsing
-   context</span> is null, then throw a <span>"<code>SecurityError</code>"</span>
-   <code>DOMException</code>.</p></li>
+   <li><p>If <span>this</span>'s <span data-x="concept-document-bc">browsing context</span> is null,
+   then throw a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
-   <li><p>If this <code>Document</code> object's <span>active sandboxing flag set</span> has its
-   <span>sandboxed <code data-x="dom-document-domain">document.domain</code> browsing context
-   flag</span> set, then throw a <span>"<code>SecurityError</code>"</span>
-   <code>DOMException</code>.</p></li>
+   <li><p>If <span>this</span>'s <span>active sandboxing flag set</span> has its <span>sandboxed
+   <code data-x="dom-document-domain">document.domain</code> browsing context flag</span> set, then
+   throw a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
-   <li><p>If this <code>Document</code> object is not <span>allowed to use</span> the "<code
+   <li><p>If <span>this</span> is not <span>allowed to use</span> the "<code
    data-x="document-domain-feature">document-domain</code>" feature, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
-   <li><p>Let <var>effectiveDomain</var> be this <code>Document</code> object's
-   <span>origin</span>'s <span data-x="concept-origin-effective-domain">effective domain</span>.
+   <li><p>Let <var>effectiveDomain</var> be <span>this</span>'s <span>origin</span>'s <span
+   data-x="concept-origin-effective-domain">effective domain</span>.
 
    <li><p>If <var>effectiveDomain</var> is null, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
@@ -79619,7 +79639,18 @@ interface <dfn>BarProp</dfn> {
    a registrable domain suffix of and is not equal to</span> <var>effectiveDomain</var>, then throw
    a <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
-   <li><p>Set this <code>Document</code> object's <span>origin</span>'s <span
+   <li>
+    <p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>origin-isolation
+    restricted</span> is true, then return.</p>
+
+    <p class="note">In this case the <code>Document</code> is <a
+    href="#origin-isolation">origin-isolated</a>, either explicitly by using the `<code
+    data-x="http-origin-isolation">Origin-Isolation</code>` header, or automatically because a
+    previous same-origin <code>Document</code> in the same <span>browsing context group</span> used
+    the header.</p>
+   </li>
+
+   <li><p>Set <span>this</span>'s <span>origin</span>'s <span
    data-x="concept-origin-domain">domain</span> to the result of <span data-x="host
    parser">parsing</span> the given value.</p></li>
   </ol>
@@ -79637,6 +79668,69 @@ interface <dfn>BarProp</dfn> {
   used.</p>
 
 
+  <h4>Origin isolation</h4>
+
+  <dl class="domintro">
+   <dt>window . <code subdfn data-x="dom-originIsolationRestricted">originIsolationRestricted</code></dt>
+
+   <dd>
+    <p>Returns true if the origin isolation restrictions are in place for this <code>Window</code>,
+    i.e., if the `<code data-x="http-origin-isolation">Origin-Isolation</code>` header has been used
+    to prevent using <code data-x="dom-document-domain">document.domain</code> or using
+    <code data-x="dom-window-postMessage">postMessage()</code> to send a
+    <code>WebAssembly.Module</code> to a cross-origin <code>Window</code>.</p>
+
+    <p>The returned value generally reflects whether the `<code
+    data-x="http-origin-isolation">Origin-Isolation</code>` HTTP response header was applied while
+    loading the current page. However, even if the header is omitted, the returned value can be
+    true, if the header was applied to a previously-loaded same-origin page in the
+    <code>Window</code>'s <span>browsing context group</span>. Similarly, even if the header was
+    present, the returned value can be false, if the header was omitted on a previously-loaded
+    same-origin page in the <code>Window</code>'s <span>browsing context group</span>.</p>
+   </dd>
+  </dl>
+
+  <p>A <code>Document</code> delivered over a <span data-x="Is environment settings object a secure
+  context?">secure context</span> can opt in to origin isolation, by using the `<code
+  data-x="http-origin-isolation">Origin-Isolation</code>` HTTP response header. This header is a
+  <span data-x="http-structured-header">structured header</span> whose value must be a <span
+  data-x="http-structured-header-boolean">boolean</span>. <ref spec=STRUCTURED-HEADERS></p>
+
+  <p><span w-nodev>Per the processing model in the <span data-x="create-the-document-object">create
+  and initialize a new <code>Document</code> object</span>, values</span><span
+  w-nohtml>Values</span> that are not the <span data-x="http-structured-header-boolean">structured
+  header boolean</span> true value (i.e., `<code data-x="">?1</code>`) will be ignored.</p>
+
+  <p>The consequences of using this header are that <span w-nodev>the resulting
+  <code>Document</code>'s <span>agent cluster key</span> is its <span>origin</span>, instead of the
+  <span data-x="obtain a site">corresponding site</span>. In terms of observable effects, this means
+  that </span>attempting to <a href="#relaxing-the-same-origin-restriction">relax the same-origin
+  restriction</a> using <code data-x="dom-document-domain">document.domain</code> will instead do
+  nothing, and it will not be possible to send <code>WebAssembly.Module</code> objects to
+  cross-origin <code>Document</code>s (even if they are <span>same site</span>). Behind the scenes,
+  this isolation can allow user agents to allocate implementation-specific resources corresponding
+  to <span data-x="agent cluster">agent clusters</span>, such as processes or threads, more
+  efficiently.</p>
+
+  <p>Note that within a <span>browsing context group</span>, the `<code
+  data-x="http-origin-isolation">Origin-Isolation</code>` header can never cause same-origin
+  <code>Document</code> objects to end up in different <span data-x="agent cluster">agent
+  clusters</span>, even if one sends the header and the other doesn't.<span w-nodev> This is
+  prevented by means of the <span>historical agent cluster key map</span>.</span></p>
+
+  <div w-nodev>
+
+  <p>The <dfn><code data-x="dom-originIsolationRestricted">originIsolationRestricted</code></dfn>
+  getter steps are to return the <span>surrounding agent</span>'s <span>agent cluster</span>'s
+  <span>origin-isolation restricted</span> value.</p>
+
+  <p class="note"><code>Document</code>s for which <span>obtain a site</span> returns an
+  <span>origin</span> can be considered unconditionally origin isolated; for them, the header has no
+  effect. In those cases the <code
+  data-x="dom-originIsolationRestricted">originIsolationRestricted</code> getter returns false,
+  since no additional restrictions were imposed by origin isolation.</p>
+
+  </div>
 
 
   <h3>Sandboxing</h3>
@@ -82705,10 +82799,20 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
     <p>Otherwise:</p>
 
     <ol>
+     <li><p>Let <var>oiHeader</var> be the result of <span
+     data-x="concept-response-header-list-get-structured-header">getting a structured header</span>
+     given `<code data-x="http-origin-isolation">Origin-Isolation</code>` and "<code
+     data-x="">item</code>" from <var>response</var>'s <span
+     data-x="concept-response-header-list">header list</span>.</p></li>
+
+     <li><p>Let <var>requestsOI</var> be true if <var>oiHeader</var> is not failure,
+     <var>oiHeader</var> is not null, and <var>oiHeader</var>[0] is the <span
+     data-x="http-structured-header-boolean">boolean</span> true.</p></li>
+
      <li><p>Let <var>agent</var> be the result of <span
-     data-x="obtain-similar-origin-window-agent">obtaining a similar-origin window agent</span> given
-     <var>origin</var> and <var>browsingContext</var>'s <span data-x="tlbc
-     group">group</span>.</p></li>
+     data-x="obtain-similar-origin-window-agent">obtaining a similar-origin window agent</span>
+     given <var>origin</var>, <var>browsingContext</var>'s <span data-x="tlbc group">group</span>,
+     and <var>requestsOI</var>.</p></li>
 
      <li>
       <p>Let <var>realm execution context</var> be the result of <span>creating a new JavaScript
@@ -89099,58 +89203,70 @@ import "https://example.com/foo/../module2.mjs";</code></pre>
 
   <div w-nodev>
 
+  <p>An <span>agent cluster</span> has an associated <dfn>origin-isolation restricted</dfn> boolean,
+  which is initially false.</p>
+
   <hr>
 
   <p>The following defines the allocation of the <span data-x="agent cluster">agent clusters</span>
   of <span data-x="similar-origin window agent">similar-origin window agents</span>.</p>
 
-  <p>An <dfn>agent cluster key</dfn> is a <span>site</span>.</p>
+  <p>An <dfn>agent cluster key</dfn> is a <span>site</span> or a <span
+  data-x="concept-origin-tuple">tuple origin</span> whose <span
+  data-x="concept-origin-host">host</span>'s <span>registrable domain</span> is non-null. I.e., an
+  <span>agent cluster key</span> can be either a <span>scheme-and-registrable-domain</span> or any
+  <span>origin</span>.</p>
 
-  <p class="XXX"><a href="https://github.com/whatwg/html/pull/4734">whatwg/html #4734</a> is
-  expected to widen <span>agent cluster key</span> (but not <span>site</span>) to encompass all
-  <span data-x="concept-origin-tuple">tuple origins</span>.</p>
+  <p id="obtain-browsing-agent-cluster">To <dfn data-x="obtain-similar-origin-window-agent">obtain a
+  similar-origin window agent</dfn>, given an <span>origin</span> <var>origin</var>, a
+  <span>browsing context group</span> <var>group</var>, and a boolean <var>requestsOI</var>, run
+  these steps:</p>
 
-  <p>To <dfn data-x="obtain-agent-cluster-key">obtain an agent cluster key</dfn>, given an origin
-  <var>origin</var>, return the result of <span data-x="obtain a site">obtaining a site</span> with
-  <var>origin</var>.</p>
+  <ol>
+   <li><p>Let <var>site</var> be the result of <span data-x="obtain a site">obtaining a site</span>
+   given <var>origin</var>.</p></li>
 
-  <p>To <dfn data-x="obtain-similar-origin-window-agent">obtain a similar-origin window agent</dfn>,
-  given an <span>origin</span> <var>origin</var> and <span>browsing context group</span>
-  <var>group</var>, run these steps:</p>
+   <li id="obtain-agent-cluster-key"><p>Let <var>key</var> be <var>site</var> and let
+   <var>oiRestricted</var> be false.</p></li>
 
-  <ol>
-   <li><p>Let <var>clusterKey</var> be the result of <span
-   data-x="obtain-agent-cluster-key" data-export="">obtaining an agent cluster key</span> given
-   <var>origin</var>.</p></li>
+   <li>
+    <p>If all of the following hold:</p>
 
-   <li><p>Let <var>agentCluster</var> be the result of <span
-   data-x="obtain-browsing-agent-cluster">obtaining a browsing context agent cluster</span> with
-   <var>group</var> and <var>clusterKey</var>.</p></li>
+    <ul class="brief">
+     <li><var>requestsOI</var> is true</li>
 
-   <li><p>Return the single <span>similar-origin window agent</span> contained in
-   <var>agentCluster</var>.</p></li>
-  </ol>
+     <li><var>site</var> is not equal to <var>origin</var></li>
 
-  <p>To <dfn data-x="obtain-browsing-agent-cluster">obtain a browsing context agent cluster</dfn>,
-  given a <span>browsing context group</span> <var>group</var> and <span>agent cluster key</span>
-  <var>key</var>, run these steps:</p>
+     <li><var>group</var>'s <span>historical agent cluster key map</span>[<var>origin</var>] either
+     <span data-x="map exists">does not exist</span> or equals <var>origin</var></li>
+    </ul>
+
+    <p>then set <var>key</var> to <var>origin</var> and set <var>oiRestricted</var> to true.</p>
+   </li>
 
-  <ol>
    <li>
     <p>If <var>group</var>'s <span>agent cluster map</span>[<var>key</var>] <span data-x="map
-    exists">does not exist, then:</span></p>
+    exists">does not exist</span>, then:</p>
+
     <ol>
      <li><p>Let <var>agentCluster</var> be a new <span>agent cluster</span>.</p></li>
 
      <li><p>Add the result of <span data-x="create an agent">creating an agent</span>, given false,
      to <var>agentCluster</var>.</p></li>
 
+     <li><p>Set <var>agentCluster</var>'s <span>origin-isolation restricted</span> to
+     <var>oiRestricted</var>.</p></li>
+
      <li><p>Set <var>group</var>'s <span>agent cluster map</span>[<var>key</var>] to
      <var>agentCluster</var>.</p></li>
+
+     <li><p>Set <var>group</var>'s <span>historical agent cluster key map</span>[<var>origin</var>]
+     to <var>key</var>.</p></li>
     </ol>
    </li>
 
-   <li><p>Return <var>group</var>'s <span>agent cluster map</span>[<var>key</var>].</p></li>
+   <li><p>Return the single <span>similar-origin window agent</span> contained in <var>group</var>'s
+   <span>agent cluster map</span>[<var>key</var>].</p></li>
   </ol>
 
   <p class="note">This means that there is only one <span>similar-origin window agent</span> per
@@ -116219,6 +116335,29 @@ interface <dfn>External</dfn> {
   </dl>
 
 
+  <h3>`<dfn><code data-x="http-origin-isolation">Origin-Isolation</code></dfn>`</h3>
+
+  <p>This section describes a header for registration in the Permanent Message Header Field
+  Registry. <ref spec=RFC3864></p>
+
+  <dl>
+   <dt>Header field name:</dt>
+   <dd>Origin-Isolation</dd>
+   <dt>Applicable protocol:</dt>
+   <dd>http</dd>
+   <dt>Status:</dt>
+   <dd>standard</dd>
+   <dt>Author/Change controller:</dt>
+   <dd>WHATWG</dd>
+   <dt>Specification document(s):</dt>
+   <dd>
+    This document is the relevant specification.
+   </dd>
+   <dt>Related information:</dt>
+   <dd>None.</dd>
+  </dl>
+
+
   <h3 id="ping-from">`<dfn><code data-x="http-ping-from">Ping-From</code></dfn>`</h3>
 
   <p>This section describes a header for registration in the Permanent Message Header Field