Infrastructure to enforce same-origin and same-agent-cluster for serializable objects

[annevk]

@jan-ivar had an interesting idea in w3c/webrtc-pc#2297 (comment). What if we provided dedicated infrastructure for common comparison operations?

The way I could see this work is that when you serialize your object you annotate it with "serialized.[[EnforceSameOrigin]] is true".

HTML's algorithm would check if that record field is there and if it is, add another record field [[EnforceOrigin]] and set it to the current origin. Then when deserializing if [[EnforceOrigin]] is there we do the check and throw if it fails.

We'd also support [[EnforceSameAgentCluster]] (which HTML would set [[EnforceAgentCluster]] for).

This would help with sharing logic between SharedArrayBuffer, WebAssembly.Module and RTCCertificate (only needs [[EnforceSameOrigin]]).

(I think implementations could eventually also use this to avoid sending data to the wrong process more easily, assuming processes are properly annotated, though @yutakahirano had some concerns here I think. See also #4734 (comment).)

cc @littledan @domenic

[domenic]

This general direction sounds good to me, although I'm a bit confused on some of the details.

We'd also support [[EnforceSameAgentCluster]] (which HTML would set [[EnforceAgentCluster]] for).

What is the purpose of [[EnforceSameAgentCluster]], and what is [[EnforceAgentCluster]]? Would more specs than just HTML use them?

This would help with sharing logic between SharedArrayBuffer, WebAssembly.Module and RTCCertificate (only needs [[EnforceSameOrigin]]).

If we do #4920, all of these would only require [[EnforceSameOrigin]], right?

The way I could see this work is that when you serialize your object you annotate it with "serialized.[[EnforceSameOrigin]] is true".

We could even make this easier by having [SameOriginTransferable] / [SameOriginSerializable] Web IDL extended attributes. (Or: [Transferable=SameOrigin], perhaps.) This feels a bit easier than having spec authors need to know the appropriate steps to set up their record.

[annevk]

You need both same agent cluster and same origin. Otherwise two different-process same-origin tabs could have shared memory, which doesn't work. (But those tabs should have access to RTCCertificate I think.)

I like making the setup part of the extended attributes, though ideally those translate into an internal slot for shared infrastructure with SharedArrayBuffer. (And yeah, two internal slots per check is not needed.)

[annevk]

@tabatkins if an IDL extended attribute takes one or more identifiers, how would you export those identifiers in a way that is compatible with https://tabatkins.github.io/bikeshed/#dfn-types?

[tabatkins]

Hmm, I don't think I'm really handling extended attribute values right now in the bikeshed model. I'll have to think on it.

[annevk]

I'm no longer convinced this is worth it, unless there are more objects that want to be limited to an agent cluster. The fake origin restriction is not great and might give a false sense of security.