Consider requiring feature policy for SharedArrayBuffer in cross-origin frames #5435

Closed
@domenic

Description

#4734 proposes that all crossOriginIsolated contexts be allowed to postMessage() SharedArrayBuffer. However, @ulan brought up the fact that this makes COOP+COEP adoption dangerous.

Consider the scenario where outer.com already embeds a semi-trusted inner.com. The decision to embed inner.com was made before COOP+COEP existed.

Now outer.com wants to use SharedArrayBuffer. So outer.com enables COOP+COEP, and convinces inner.com to add appropriate headers as well.

Suddenly outer.com is now vulnerable to Spectre attacks from inner.com. To restore the security they had in a pre-COOP+COEP world, they need to audit inner.com (and its transitive dependencies) to ensure that they do not abuse SharedArrayBuffer. In practice, this is likely not feasible.

We propose that SharedArrayBuffer not be automatically enabled in all crossOriginIsolated frames. Instead, we would define a new feature policy for SharedArrayBuffer and other potentially process-wide features (like the memory measurement API, or maybe precise performance.now()). This feature policy would have a default allowlist of 'self', so that same-origin frames can still use these APIs, but cross-origin frames would need to be explicitly delegated permission to use these APIs, with something like <iframe allow="powerful-features">. (Name TBD.)

/cc @mikewest since this seems rather related to https://github.com/mikewest/securer-contexts.
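As an added example (not code from the issue, the HTML spec, or any browser), the JavaScript below models the two rules the issue contrasts: #4734's "every crossOriginIsolated frame gets SharedArrayBuffer" versus a feature policy with a default allowlist of 'self'. It assumes the placeholder feature name "powerful-features" (the issue leaves the name TBD) and a simplified form of feature-policy inheritance: a frame has the feature only if its parent has it and the frame is either same-origin with the parent or explicitly delegated via the embedding iframe's allow attribute.

```javascript
// Added model of the #5435 proposal; not the spec algorithm. The feature name
// is the issue's placeholder, and inheritance is simplified as described above.
const FEATURE = "powerful-features";

// A document in the frame tree: its origin, the headers it sends, the features
// delegated to it by the embedding <iframe allow="...">, and its child frames.
function makeFrame(origin, { coop = false, coep = false, allow = [] } = {}, children = []) {
  return { origin, coop, coep, allow, children };
}

// crossOriginIsolated: the top-level document sends COOP and COEP, and every
// nested document also sends COEP.
function isCrossOriginIsolated(top) {
  const allCoep = (f) => f.coep && f.children.every(allCoep);
  return top.coop && allCoep(top);
}

// Rule from #4734: once the page is isolated, every frame in it may use SAB.
function sabAllowedByIsolationOnly(top) {
  const isolated = isCrossOriginIsolated(top);
  const out = [];
  const walk = (f) => { out.push({ origin: f.origin, enabled: isolated }); f.children.forEach(walk); };
  walk(top);
  return out;
}

// Proposed rule: isolation is still required, but a cross-origin frame only
// gets the feature if its parent has it and delegates it with the allow attribute.
function sabAllowedByPolicy(top) {
  const isolated = isCrossOriginIsolated(top);
  const out = [];
  const walk = (f, parent, parentEnabled) => {
    const delegated = parent === null || f.origin === parent.origin || f.allow.includes(FEATURE);
    const enabled = isolated && parentEnabled && delegated;
    out.push({ origin: f.origin, enabled });
    f.children.forEach((c) => walk(c, f, enabled));
  };
  walk(top, null, true);
  return out;
}

// Constructed scenario from the issue: outer.com embeds semi-trusted inner.com,
// both have adopted the headers; `delegate` controls whether outer.com opts in.
function scenario(delegate) {
  const inner = makeFrame("https://inner.com", { coep: true, allow: delegate ? [FEATURE] : [] });
  return makeFrame("https://outer.com", { coop: true, coep: true }, [inner]);
}

console.log(sabAllowedByIsolationOnly(scenario(false))); // inner.com enabled: true  (the hazard)
console.log(sabAllowedByPolicy(scenario(false)));        // inner.com enabled: false (default 'self')
console.log(sabAllowedByPolicy(scenario(true)));         // inner.com enabled: true  (explicit allow)
```

Dropping COEP from inner.com makes the whole page non-isolated under both rules, which is the pre-COOP+COEP state the issue wants outer.com to be able to keep without auditing inner.com.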

Metadata

Assignees

No one assigned

Labels

- security/privacy: There are security or privacy implications
- topic: cross-origin-embedder-policy: Issues and ideas around the new "require CORP for subresource requests and frames and etc" proposal
- topic: cross-origin-opener-policy: Issues and ideas around the new "inverse of rel=noopener" header
