Add the Origin-Isolation header

domenic · domenic · commit c41ac691aad3 · 2020-07-10T12:22:12.000-04:00
See https://github.com/WICG/origin-isolation.
diff --git a/source b/source
@@ -2460,6 +2460,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
 
     <ul class="brief">
      <li><dfn data-x="http-structured-header" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html">structured header</dfn></li>
+     <li><dfn data-x="http-structured-header-boolean" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html#boolean">boolean</dfn></li>
      <li><dfn data-x="http-structured-header-token" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html#token">token</dfn></li>
      <li><dfn data-x="http-structured-header-parameters" data-x-href="https://httpwg.org/http-extensions/draft-ietf-httpbis-header-structure.html#param">parameters</dfn></li>
     </ul>
@@ -2873,6 +2874,18 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
    </dd>
 
 
+   <dt>WebAssembly</dt>
+
+   <dd>
+    <p>The following term is defined in <cite>WebAssembly JavaScript Interface</cite>: <ref
+    spec=WASMJS></p>
+
+    <ul class="brief">
+     <li><dfn data-x-href="https://webassembly.github.io/spec/js-api/#module"><code>WebAssembly.Module</code></dfn></li>
+    </ul>
+   </dd>
+
+
    <dt>DOM</dt>
 
    <dd>
@@ -76788,7 +76801,7 @@ popup4.close();</code></pre></div>
 
    <li><p>Let <var>agent</var> be the result of <span
    data-x="obtain-similar-origin-window-agent">obtaining a similar-origin window agent</span> given
-   <var>origin</var> and <var>group</var>.</p></li>
+   <var>origin</var>, <var>group</var>, and false.</p></li>
 
    <li>
     <p>Let <var>realm execution context</var> be the result of <span>creating a new JavaScript
@@ -77383,6 +77396,15 @@ console.assert(iframeWindow.frameElement === null);
   <p>A <span>browsing context group</span> has a <dfn data-x="bcg cross-origin
   isolated">cross-origin isolated</dfn> boolean. It is initially false.</p>
 
+  <p>A <span>browsing context group</span> has an associated <dfn>historical agent cluster key
+  map</dfn>, which is a <span data-x="ordered map">map</span> of <span
+  data-x="origin">origins</span> to <span data-x="agent cluster key">agent cluster keys</span>. This
+  map is used to ensure the consistency of the <a href="#origin-isolation">origin isolation</a>
+  feature by recording what agent cluster keys were previously used for a given origin.</p>
+
+  <p class="note">The <span>historical agent cluster key map</span> only ever gains entries over the
+  lifetime of the browsing context group.</p>
+
   <p>To <dfn data-x="creating a new browsing context group">create a new browsing context
   group</dfn>, run these steps:</p>
 
@@ -78090,6 +78112,7 @@ interface <dfn data-export="" data-dfn-type="interface">Window</dfn> : <span>Eve
   // the user agent
   readonly attribute <span>Navigator</span> <span data-x="dom-navigator">navigator</span>; <!-- IE also has window.clientInformation === window.navigator -->
   [SecureContext] readonly attribute <span>ApplicationCache</span> <span data-x="dom-applicationCache">applicationCache</span>;
+  readonly attribute boolean <span data-x="dom-originIsolated">originIsolated</span>;
 
   // user prompts
   void <span data-x="dom-alert">alert</span>();
@@ -79730,8 +79753,8 @@ interface <dfn>BarProp</dfn> {
     data-x="concept-document-bc">browsing context</span>, and when the "<code
     data-x="document-domain-feature">document-domain</code>" feature is disabled, the setter will
     throw a <span>"<code>SecurityError</code>"</span> exception. In cases where <code
-    data-x="dom-crossOriginIsolated">crossOriginIsolated</code> returns true, the setter will do
-    nothing.</p>
+    data-x="dom-crossOriginIsolated">crossOriginIsolated</code> or <code
+    data-x="dom-originIsolated">originIsolated</code> return true, the setter will do nothing.</p>
    </dd>
   </dl>
 
@@ -79792,6 +79815,9 @@ interface <dfn>BarProp</dfn> {
    <li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
    isolated</span> is true, then return.</p></li>
 
+   <li><p>If the <span>surrounding agent</span>'s <span>agent cluster</span>'s
+   <span>origin-isolated</span> is true, then return.</p></li>
+
    <li><p>Set <var>this</var>'s <span>origin</span>'s <span
    data-x="concept-origin-domain">domain</span> to the result of <span data-x="host
    parser">parsing</span> the given value.</p></li>
@@ -79840,6 +79866,66 @@ interface <dfn>BarProp</dfn> {
 
 
 
+  <h4>Origin isolation</h4>
+
+  <dl class="domintro">
+   <dt>window . <code subdfn data-x="dom-originIsolated">originIsolated</code></dt>
+
+   <dd>
+    <p>Returns true if this <code>Window</code> is origin-isolated in the manner described in this
+    section.</p>
+   </dd>
+  </dl>
+
+  <p>A <code>Document</code> delivered over a <span>secure context</span> can opt in to origin
+  isolation, by using the `<code data-x="http-origin-isolation">Origin-Isolation</code>` HTTP
+  response header. This header is a <span data-x="http-structured-header">structured header</span>
+  whose value must be a <span data-x="http-structured-header-boolean">boolean</span>. <ref
+  spec=STRUCTURED-HEADERS></p>
+
+  <p><span w-nodev>Per the processing model in the <span data-x="create-the-document-object">create
+  and initialize a new <code>Document</code> object</span>, values</span><span
+  w-nohtml>Values</span> that are not the <span data-x="http-structured-header-boolean">structured
+  header boolean</span> true value (i.e., `<code data-x="">?1</code>`) will be ignored.</p>
+
+  <p>The consequences of using this header are that <span w-nodev>the resulting
+  <code>Document</code>'s <span>agent cluster key</span> is its <span>origin</span>, instead of the
+  <span data-x="obtain a site">corresponding site</span>. In terms of observable effects, this means
+  that </span>attempting to <a href="#relaxing-the-same-origin-restriction">relax the same-origin
+  restriction</a> using <code data-x="dom-document-domain">document.domain</code> will instead do
+  nothing, and it will not be possible to send <code>WebAssembly.Module</code> objects to
+  cross-origin <code>Document</code>s (even if they are <span>same site</span>). Behind the scenes,
+  this isolation can allow user agents to allocate implementation-specific resources corresponding
+  to <span data-x="agent cluster">agent clusters</span>, such as processes or threads, more
+  efficiently.</p>
+
+  <p>Note that within a <span>browsing context group</span>, the `<code
+  data-x="http-origin-isolation">Origin-Isolation</code>` header can never cause same-origin
+  <code>Document</code> objects to end up in different <span data-x="agent cluster">agent
+  clusters</span>, even if one sends the header and the other doesn't.<span w-nodev> This is
+  prevented by means of the <span>historical agent cluster key map</span>.</span></p>
+
+  <p class="note">This means that the <code data-x="dom-originIsolated">originIsolated</code> getter
+  could return false, even if the header is set, if the header was omitted on a previously-loaded
+  same-origin page in the same <span>browsing context group</span>. Similarly, it could return true
+  even when the header is not set.</p>
+
+  <p w-nodev>The <dfn><code data-x="dom-originIsolated">originIsolated</code></dfn> getter steps are
+  to return the <span>surrounding agent</span>'s <span>agent cluster</span>'s
+  <span>origin-isolated</span>.</p>
+
+  <p class="note"><code>Document</code>s for which <span>obtain a site</span> returns an
+  <span>origin</span> can be considered unconditionally origin-isolated; for them the header has no
+  effect.</p>
+
+  <p class="note">Similarly, <code>Document</code>s in a <span>cross-origin isolated</span>
+  <span>agent cluster</span> are automatically origin-isolated, with no need for the additional
+  `<code data-x="http-origin-isolation">Origin-Isolation</code>` header on top of the `<code
+  data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` and
+  `<code>Cross-Origin-Embedder-Policy</code>` headers used to achieve cross-origin isolation.</p>
+
+
+
   <h3>Sandboxing</h3>
 
   <p>A <dfn data-export="">sandboxing flag set</dfn> is a set of zero or more of the following
@@ -83197,10 +83283,24 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
     <p>Otherwise:</p>
 
     <ol>
+     <li><p>Let <var>oiHeader</var> be the result of <span
+     data-x="concept-response-header-list-get-structured-header">getting a structured header</span>
+     given `<code data-x="http-origin-isolation">Origin-Isolation</code>` and "<code
+     data-x="">item</code>" from <var>response</var>'s <span
+     data-x="concept-response-header-list">header list</span>.</p></li>
+
+     <li><p>Let <var>requestsOI</var> be true if <var>oiHeader</var> is not failure,
+     <var>oiHeader</var> is not null, and <var>oiHeader</var>[0] is the <span
+     data-x="http-structured-header-boolean">boolean</span> true.</p></li>
+
+     <li><p>If <var>reservedEnvironment</var> is a <span>non-secure context</span>, or
+     <var>response</var>'s <span>HTTPS state</span> is "<code data-x="">deprecated</code>", then
+     set <var>requestsOI</var> to false.</p></li>
+
      <li><p>Let <var>agent</var> be the result of <span
-     data-x="obtain-similar-origin-window-agent">obtaining a similar-origin window agent</span> given
-     <var>origin</var> and <var>browsingContext</var>'s <span data-x="tlbc
-     group">group</span>.</p></li>
+     data-x="obtain-similar-origin-window-agent">obtaining a similar-origin window agent</span>
+     given <var>origin</var>, <var>browsingContext</var>'s <span data-x="tlbc group">group</span>,
+     and <var>requestsOI</var>.</p></li>
 
      <li>
       <p>Let <var>realm execution context</var> be the result of <span>creating a new JavaScript
@@ -87073,10 +87173,13 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
   ensure that web developers see interoperable behavior with regard to shared memory, even in the
   face of varying and changing user agent process models.</p>
 
+  <div w-nodev>
+
   <p>An <span>agent cluster</span> has an associated <dfn>cross-origin isolated</dfn> (a boolean),
   which is initially false.</p>
 
-  <div w-nodev>
+  <p>An <span>agent cluster</span> has an associated <dfn>origin-isolated</dfn> (a boolean), which
+  is initially false.</p>
 
   <hr>
 
@@ -87090,16 +87193,44 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
   <span>origin</span>.</p>
 
   <p>To <dfn data-x="obtain-similar-origin-window-agent">obtain a similar-origin window agent</dfn>,
-  given an <span>origin</span> <var>origin</var> and <span>browsing context group</span>
-  <var>group</var>, run these steps:</p>
+  given an <span>origin</span> <var>origin</var>, a <span>browsing context group</span>
+  <var>group</var>, and a boolean <var>requestsOI</var>, run these steps:</p>
 
   <ol>
-   <li><p>Let <var>key</var> be the result of <span data-x="obtain a site">obtaining a
-   site</span> with <var>origin</var>.</p></li>
+   <li><p>Let <var>site</var> be the result of <span data-x="obtain a site">obtaining a site</span>
+   with <var>origin</var>.</p></li>
+
+   <li><p>Let <var>key</var> be <var>site</var>.</p></li>
 
    <li><p>If <var>group</var>'s <span data-x="bcg cross-origin isolated">cross-origin
    isolated</span> is true, then set <var>key</var> to <var>origin</var>.</p></li>
 
+   <li>
+    <p>If <var>group</var>'s <span>historical agent cluster key map</span>[<var>origin</var>]
+    <span data-x="map exists">exists</span>, then:</p>
+
+    <ol>
+     <li><p>Assert: if <var>group</var>'s <span data-x="bcg cross-origin isolated">cross-origin
+     isolated</span> is true, then <var>group</var>'s <span>historical agent cluster key
+     map</span>[<var>origin</var>] will be <var>origin</var>, and in that case the next step will be
+     a no-op. I.e., cross-origin isolation always implies origin isolation.</p></li>
+
+     <li><p>Set <var>key</var> to <var>group</var>'s <span>historical agent cluster key
+     map</span>[<var>origin</var>].</p></li>
+    </ol>
+   </li>
+
+   <li>
+    <p>Otherwise:</p>
+
+    <ol>
+     <li><p>If <var>requestsOI</var> is true, then set <var>key</var> to <var>origin</var>.</p></li>
+
+     <li><p>Set <var>group</var>'s <span>historical agent cluster key map</span>[<var>origin</var>]
+     to <var>key</var>.</p></li>
+    </ol>
+   </li>
+
    <li>
     <p>If <var>group</var>'s <span>agent cluster map</span>[<var>key</var>] <span data-x="map
     exists">does not exist</span>, then:</p>
@@ -87110,6 +87241,9 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
      <li><p>Set <var>agentCluster</var>'s <span>cross-origin isolated</span> to <var>group</var>'s
      <span data-x="bcg cross-origin isolated">cross-origin isolated</span>.</p></li>
 
+     <li><p>Set <var>agentCluster</var>'s <span>origin-isolated</span> to true if <var>key</var>
+     equals <var>origin</var>; otherwise false.</p></li>
+
      <li><p>Add the result of <span data-x="create an agent">creating an agent</span>, given false,
      to <var>agentCluster</var>.</p></li>
 
@@ -87139,8 +87273,22 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
   <ol>
    <li><p>Let <var>agentCluster</var> be null.
 
-   <li><p>If <var>isTopLevel</var> is true, then set <var>agentCluster</var> to a new <span>agent
-   cluster</span>.</p></li>
+   <li>
+    <p>If <var>isTopLevel</var> is true, then:</p>
+
+    <ol>
+     <li><p>Set <var>agentCluster</var> to a new <span>agent cluster</span>.</p></li>
+
+     <li>
+      <p>Set <var>agentCluster</var>'s <span>origin-isolated</span> to true.</p>
+
+      <p class="note">These workers/worklets can be considered to be origin-isolated. However, this
+      is not exposed through any APIs (in the way that <code
+      data-x="dom-originIsolated">originIsolated</code> exposes the origin-isolation state for
+      windows).</p>
+     </li>
+    </ol>
+   </li>
 
    <li>
     <p>Otherwise:</p>
@@ -116947,6 +117095,29 @@ interface <dfn>External</dfn> {
   </dl>
 
 
+  <h3>`<dfn><code data-x="http-origin-isolation">Origin-Isolation</code></dfn>`</h3>
+
+  <p>This section describes a header for registration in the Permanent Message Header Field
+  Registry. <ref spec=RFC3864></p>
+
+  <dl>
+   <dt>Header field name:</dt>
+   <dd>Origin-Isolation</dd>
+   <dt>Applicable protocol:</dt>
+   <dd>http</dd>
+   <dt>Status:</dt>
+   <dd>standard</dd>
+   <dt>Author/Change controller:</dt>
+   <dd>WHATWG</dd>
+   <dt>Specification document(s):</dt>
+   <dd>
+    This document is the relevant specification.
+   </dd>
+   <dt>Related information:</dt>
+   <dd>None.</dd>
+  </dl>
+
+
   <h3 id="ping-from">`<dfn><code data-x="http-ping-from">Ping-From</code></dfn>`</h3>
 
   <p>This section describes a header for registration in the Permanent Message Header Field
