Refine crossOriginIsolated implementation for workers

 - Fix WindowOrWorketGlobalScope.crossOriginIsolated behavior for
   workers.
   - For SharedWorkers and ServiceWorkers it always return false. See
     https://crbug.com/1131403 and https://crbug.com/1131404.
 - Rename ExecutionContext::IsCrossOriginIsolated to
   CrossOriginCapability. This is aligned with
   https://html.spec.whatwg.org/C/#concept-settings-object-cross-origin-isolated-capability.
 - Fix wpt/html/infrastructure/safe-passing-of-structured-data/shared-array-buffers/blob-data.https.html.
   I originally planned to do that in
   web-platform-tests/wpt#24600 but I couldn't
   do that due to some flakiness.
 - Add more tests for workers in
   wpt/html/cross-origin-embedder-policy/cross-origin-isolated-permission.https.html.

Bug: 1115379, 1018680, 1131403, 1131404
Change-Id: I2afcb01403f67a11fd06aefde1238aba16b68f36
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2416428
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Reviewed-by: Domenic Denicola <domenic@chromium.org>
Reviewed-by: Robert Flack <flackr@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Cr-Commit-Position: refs/heads/master@{#810130}

third_party/blink/renderer/core/execution_context/execution_context.cc

@@ -177,12 +177,6 @@ unsigned ExecutionContext::ContextLifecycleStateObserverCountForTesting()
   return lifecycle_state_observers;
 }
 
-bool ExecutionContext::IsCrossOriginIsolated() const {
-  return Agent::IsCrossOriginIsolated() &&
-         IsFeatureEnabled(
-             mojom::blink::FeaturePolicyFeature::kCrossOriginIsolated);
-}
-
 void ExecutionContext::AddConsoleMessageImpl(mojom::ConsoleMessageSource source,
                                              mojom::ConsoleMessageLevel level,
                                              const String& message,

third_party/blink/renderer/core/execution_context/execution_context.h

@@ -61,7 +61,7 @@
 namespace base {
 class SingleThreadTaskRunner;
 class UnguessableToken;
-}
+}  // namespace base
 
 namespace ukm {
 class UkmRecorder;
@@ -374,7 +374,8 @@ class CORE_EXPORT ExecutionContext : public Supplementable<ExecutionContext>,
   unsigned ContextLifecycleStateObserverCountForTesting() const;
 
   // Implementation of WindowOrWorkerGlobalScope.crossOriginIsolated.
-  bool IsCrossOriginIsolated() const;
+  // https://html.spec.whatwg.org/C/webappapis.html#concept-settings-object-cross-origin-isolated-capability
+  virtual bool CrossOriginIsolatedCapability() const = 0;
 
   virtual ukm::UkmRecorder* UkmRecorder() { return nullptr; }
   virtual ukm::SourceId UkmSourceID() const { return ukm::kInvalidSourceId; }

third_party/blink/renderer/core/frame/local_dom_window.cc

@@ -2050,6 +2050,12 @@ void LocalDOMWindow::Trace(Visitor* visitor) const {
   Supplementable<LocalDOMWindow>::Trace(visitor);
 }
 
+bool LocalDOMWindow::CrossOriginIsolatedCapability() const {
+  return Agent::IsCrossOriginIsolated() &&
+         IsFeatureEnabled(
+             mojom::blink::FeaturePolicyFeature::kCrossOriginIsolated);
+}
+
 ukm::UkmRecorder* LocalDOMWindow::UkmRecorder() {
   DCHECK(document_);
   return document_->UkmRecorder();

third_party/blink/renderer/core/frame/local_dom_window.h

@@ -407,6 +407,8 @@ class CORE_EXPORT LocalDOMWindow final : public DOMWindow,
 
   void ClearIsolatedWorldCSPForTesting(int32_t world_id);
 
+  bool CrossOriginIsolatedCapability() const override;
+
   // These delegate to the document_.
   ukm::UkmRecorder* UkmRecorder() override;
   ukm::SourceId UkmSourceID() const override;

third_party/blink/renderer/core/frame/window_or_worker_global_scope.cc

@@ -248,7 +248,7 @@ ScriptPromise WindowOrWorkerGlobalScope::createImageBitmap(
 
 bool WindowOrWorkerGlobalScope::crossOriginIsolated(
     const ExecutionContext& execution_context) {
-  return execution_context.IsCrossOriginIsolated();
+  return execution_context.CrossOriginIsolatedCapability();
 }
 
 }  // namespace blink

third_party/blink/renderer/core/inspector/inspector_page_agent.cc

@@ -1077,7 +1077,7 @@ protocol::Page::SecureContextType CreateProtocolSecureContextType(
 }
 protocol::Page::CrossOriginIsolatedContextType
 CreateProtocolCrossOriginIsolatedContextType(ExecutionContext* context) {
-  if (context->IsCrossOriginIsolated()) {
+  if (context->CrossOriginIsolatedCapability()) {
     return protocol::Page::CrossOriginIsolatedContextTypeEnum::Isolated;
   } else if (context->IsFeatureEnabled(
                  mojom::blink::FeaturePolicyFeature::kCrossOriginIsolated)) {

third_party/blink/renderer/core/layout/ng/custom/layout_worklet_global_scope_proxy.cc

@@ -52,7 +52,8 @@ LayoutWorkletGlobalScopeProxy::LayoutWorkletGlobalScopeProxy(
       mojom::blink::V8CacheOptions::kDefault, module_responses_map,
       mojo::NullRemote() /* browser_interface_broker */,
       BeginFrameProviderParams(), nullptr /* parent_feature_policy */,
-      window->GetAgentClusterID(), window->GetExecutionContextToken());
+      window->GetAgentClusterID(), window->GetExecutionContextToken(),
+      window->CrossOriginIsolatedCapability());
   global_scope_ = LayoutWorkletGlobalScope::Create(
       frame, std::move(creation_params), *reporting_proxy_,
       pending_layout_registry);

third_party/blink/renderer/core/testing/null_execution_context.h

@@ -46,7 +46,7 @@ class NullExecutionContext : public GarbageCollected<NullExecutionContext>,
   void SetUpSecurityContextForTesting();
 
   ResourceFetcher* Fetcher() const override { return nullptr; }
-
+  bool CrossOriginIsolatedCapability() const override { return false; }
   FrameOrWorkerScheduler* GetScheduler() override;
   scoped_refptr<base::SingleThreadTaskRunner> GetTaskRunner(TaskType) override;
 

third_party/blink/renderer/core/workers/dedicated_worker.cc

@@ -450,7 +450,8 @@ DedicatedWorker::CreateGlobalScopeCreationParams(
       std::move(browser_interface_broker_), CreateBeginFrameProviderParams(),
       GetExecutionContext()->GetSecurityContext().GetFeaturePolicy(),
       GetExecutionContext()->GetAgentClusterID(),
-      GetExecutionContext()->GetExecutionContextToken());
+      GetExecutionContext()->GetExecutionContextToken(),
+      GetExecutionContext()->CrossOriginIsolatedCapability());
 }
 
 scoped_refptr<WebWorkerFetchContext>

third_party/blink/renderer/core/workers/dedicated_worker_global_scope.cc

@@ -40,6 +40,7 @@
 #include "third_party/blink/renderer/bindings/core/v8/serialization/serialized_script_value.h"
 #include "third_party/blink/renderer/bindings/core/v8/v8_post_message_options.h"
 #include "third_party/blink/renderer/bindings/core/v8/worker_or_worklet_script_controller.h"
+#include "third_party/blink/renderer/core/execution_context/agent.h"
 #include "third_party/blink/renderer/core/execution_context/execution_context.h"
 #include "third_party/blink/renderer/core/frame/csp/content_security_policy.h"
 #include "third_party/blink/renderer/core/inspector/worker_thread_debugger.h"
@@ -75,11 +76,13 @@ DedicatedWorkerGlobalScope* DedicatedWorkerGlobalScope::Create(
       creation_params->referrer_policy;
   base::Optional<network::mojom::IPAddressSpace> response_address_space =
       creation_params->response_address_space;
+  const bool parent_cross_origin_isolated_capability =
+      creation_params->parent_cross_origin_isolated_capability;
 
   auto* global_scope = MakeGarbageCollected<DedicatedWorkerGlobalScope>(
       std::move(creation_params), thread, time_origin,
       std::move(outside_origin_trial_tokens), begin_frame_provider_params,
-      ukm_source_id);
+      ukm_source_id, parent_cross_origin_isolated_capability);
 
   if (global_scope->IsOffMainThreadScriptFetchDisabled()) {
     // Legacy on-the-main-thread worker script fetch (to be removed):
@@ -123,32 +126,43 @@ DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope(
     base::TimeTicks time_origin,
     std::unique_ptr<Vector<String>> outside_origin_trial_tokens,
     const BeginFrameProviderParams& begin_frame_provider_params,
-    ukm::SourceId ukm_source_id)
+    ukm::SourceId ukm_source_id,
+    bool parent_cross_origin_isolated_capability)
     : DedicatedWorkerGlobalScope(
           ParseCreationParams(std::move(creation_params)),
           thread,
           time_origin,
           std::move(outside_origin_trial_tokens),
           begin_frame_provider_params,
-          ukm_source_id) {}
+          ukm_source_id,
+          parent_cross_origin_isolated_capability) {}
 
 DedicatedWorkerGlobalScope::DedicatedWorkerGlobalScope(
     ParsedCreationParams parsed_creation_params,
     DedicatedWorkerThread* thread,
     base::TimeTicks time_origin,
     std::unique_ptr<Vector<String>> outside_origin_trial_tokens,
     const BeginFrameProviderParams& begin_frame_provider_params,
-    ukm::SourceId ukm_source_id)
+    ukm::SourceId ukm_source_id,
+    bool parent_cross_origin_isolated_capability)
     : WorkerGlobalScope(std::move(parsed_creation_params.creation_params),
                         thread,
                         time_origin,
                         ukm_source_id),
       token_(thread->WorkerObjectProxy().token()),
       parent_token_(parsed_creation_params.parent_context_token),
+      cross_origin_isolated_capability_(Agent::IsCrossOriginIsolated()),
       animation_frame_provider_(
           MakeGarbageCollected<WorkerAnimationFrameProvider>(
               this,
               begin_frame_provider_params)) {
+  // https://html.spec.whatwg.org/C/#run-a-worker
+  // Step 14.10 "If shared is false and owner's cross-origin isolated
+  // capability is false, then set worker global scope's cross-origin isolated
+  // capability to false."
+  if (!parent_cross_origin_isolated_capability) {
+    cross_origin_isolated_capability_ = false;
+  }
   // Dedicated workers don't need to pause after script fetch.
   ReadyToRunWorkerScript();
   // Inherit the outside's origin trial tokens.
@@ -169,21 +183,21 @@ void DedicatedWorkerGlobalScope::Initialize(
     const Vector<CSPHeaderAndType>& /* response_csp_headers */,
     const Vector<String>* /* response_origin_trial_tokens */,
     int64_t appcache_id) {
-  // Step 12.3. "Set worker global scope's url to response's url."
+  // Step 14.3. "Set worker global scope's url to response's url."
   InitializeURL(response_url);
 
-  // Step 12.4. "Set worker global scope's HTTPS state to response's HTTPS
+  // Step 14.4. "Set worker global scope's HTTPS state to response's HTTPS
   // state."
   // This is done in the constructor of WorkerGlobalScope.
 
-  // Step 12.5. "Set worker global scope's referrer policy to the result of
+  // Step 14.5. "Set worker global scope's referrer policy to the result of
   // parsing the `Referrer-Policy` header of response."
   SetReferrerPolicy(response_referrer_policy);
 
   // https://wicg.github.io/cors-rfc1918/#integration-html
   SetAddressSpace(response_address_space);
 
-  // Step 12.6. "Execute the Initialize a global object's CSP list algorithm
+  // Step 14.6. "Execute the Initialize a global object's CSP list algorithm
   // on worker global scope and response. [CSP]"
   // DedicatedWorkerGlobalScope inherits the outside's CSP instead of the
   // response CSP headers. These should be called after SetAddressSpace() to
@@ -200,6 +214,12 @@ void DedicatedWorkerGlobalScope::Initialize(
 
   // TODO(https://crbug.com/945673): Notify an application cache host of
   // |appcache_id| here to support AppCache with PlzDedicatedWorker.
+
+  // Step 14.11. "If is shared is false and response's url's scheme is "data",
+  // then set worker global scope's cross-origin isolated capability to false."
+  if (response_url.ProtocolIsData()) {
+    cross_origin_isolated_capability_ = false;
+  }
 }
 
 // https://html.spec.whatwg.org/C/#worker-processing-model

third_party/blink/renderer/core/workers/dedicated_worker_global_scope.h

@@ -69,7 +69,8 @@ class CORE_EXPORT DedicatedWorkerGlobalScope final : public WorkerGlobalScope {
       base::TimeTicks time_origin,
       std::unique_ptr<Vector<String>> outside_origin_trial_tokens,
       const BeginFrameProviderParams& begin_frame_provider_params,
-      ukm::SourceId ukm_source_id);
+      ukm::SourceId ukm_source_id,
+      bool parent_cross_origin_isolated_capability);
 
   ~DedicatedWorkerGlobalScope() override;
 
@@ -135,6 +136,9 @@ class CORE_EXPORT DedicatedWorkerGlobalScope final : public WorkerGlobalScope {
   // Returns the token that uniquely identifies this worker.
   const DedicatedWorkerToken& GetDedicatedWorkerToken() const { return token_; }
   WorkerToken GetWorkerToken() const final { return token_; }
+  bool CrossOriginIsolatedCapability() const final {
+    return cross_origin_isolated_capability_;
+  }
   ExecutionContextToken GetExecutionContextToken() const final {
     return token_;
   }
@@ -166,7 +170,8 @@ class CORE_EXPORT DedicatedWorkerGlobalScope final : public WorkerGlobalScope {
       base::TimeTicks time_origin,
       std::unique_ptr<Vector<String>> outside_origin_trial_tokens,
       const BeginFrameProviderParams& begin_frame_provider_params,
-      ukm::SourceId ukm_source_id);
+      ukm::SourceId ukm_source_id,
+      bool parent_cross_origin_isolated_capability);
 
   void DidReceiveResponseForClassicScript(
       WorkerClassicScriptLoader* classic_script_loader);
@@ -179,6 +184,7 @@ class CORE_EXPORT DedicatedWorkerGlobalScope final : public WorkerGlobalScope {
   const DedicatedWorkerToken token_;
   // The ID of the parent context that owns this worker.
   const ExecutionContextToken parent_token_;
+  bool cross_origin_isolated_capability_;
   Member<WorkerAnimationFrameProvider> animation_frame_provider_;
   RejectCoepUnsafeNone reject_coep_unsafe_none_ = RejectCoepUnsafeNone(false);
 };

third_party/blink/renderer/core/workers/global_scope_creation_params.cc

@@ -38,7 +38,8 @@ GlobalScopeCreationParams::GlobalScopeCreationParams(
     BeginFrameProviderParams begin_frame_provider_params,
     const FeaturePolicy* parent_feature_policy,
     base::UnguessableToken agent_cluster_id,
-    const base::Optional<ExecutionContextToken>& parent_context_token)
+    const base::Optional<ExecutionContextToken>& parent_context_token,
+    bool parent_cross_origin_isolated_capability)
     : script_url(script_url.Copy()),
       script_type(script_type),
       global_scope_name(global_scope_name.IsolatedCopy()),
@@ -65,7 +66,9 @@ GlobalScopeCreationParams::GlobalScopeCreationParams(
           ParsedFeaturePolicy() /* container_policy */,
           starter_origin->ToUrlOrigin())),
       agent_cluster_id(agent_cluster_id),
-      parent_context_token(parent_context_token) {
+      parent_context_token(parent_context_token),
+      parent_cross_origin_isolated_capability(
+          parent_cross_origin_isolated_capability) {
   this->outside_content_security_policy_headers.ReserveInitialCapacity(
       outside_content_security_policy_headers.size());
   for (const auto& header : outside_content_security_policy_headers) {

third_party/blink/renderer/core/workers/global_scope_creation_params.h

@@ -66,7 +66,8 @@ struct CORE_EXPORT GlobalScopeCreationParams final {
       const FeaturePolicy* parent_feature_policy = nullptr,
       base::UnguessableToken agent_cluster_id = {},
       const base::Optional<ExecutionContextToken>& parent_context_token =
-          base::nullopt);
+          base::nullopt,
+      bool parent_cross_origin_isolated_capability = false);
 
   ~GlobalScopeCreationParams() = default;
 
@@ -168,6 +169,10 @@ struct CORE_EXPORT GlobalScopeCreationParams final {
   // this worker/worklet is bound. This is used for resource usage attribution.
   base::Optional<ExecutionContextToken> parent_context_token;
 
+  // https://html.spec.whatwg.org/C/#concept-settings-object-cross-origin-isolated-capability
+  // Used by dedicated workers, and set to false when there is no parent.
+  const bool parent_cross_origin_isolated_capability;
+
   DISALLOW_COPY_AND_ASSIGN(GlobalScopeCreationParams);
 };
 

third_party/blink/renderer/core/workers/shared_worker_global_scope.cc

@@ -37,6 +37,7 @@
 #include "third_party/blink/renderer/bindings/core/v8/source_location.h"
 #include "third_party/blink/renderer/bindings/core/v8/worker_or_worklet_script_controller.h"
 #include "third_party/blink/renderer/core/events/message_event.h"
+#include "third_party/blink/renderer/core/execution_context/agent.h"
 #include "third_party/blink/renderer/core/frame/local_dom_window.h"
 #include "third_party/blink/renderer/core/inspector/console_message.h"
 #include "third_party/blink/renderer/core/inspector/worker_thread_debugger.h"
@@ -284,4 +285,10 @@ void SharedWorkerGlobalScope::Trace(Visitor* visitor) const {
   visitor->Trace(appcache_host_);
   WorkerGlobalScope::Trace(visitor);
 }
+
+bool SharedWorkerGlobalScope::CrossOriginIsolatedCapability() const {
+  // TODO(crbug.com/1131403): Return Agent::IsCrossOriginIsolated().
+  return false;
+}
+
 }  // namespace blink

third_party/blink/renderer/core/workers/shared_worker_global_scope.h

@@ -101,6 +101,7 @@ class CORE_EXPORT SharedWorkerGlobalScope final : public WorkerGlobalScope {
   // Returns the token that uniquely identifies this worker.
   const SharedWorkerToken& GetSharedWorkerToken() const { return token_; }
   WorkerToken GetWorkerToken() const final { return token_; }
+  bool CrossOriginIsolatedCapability() const final;
   ExecutionContextToken GetExecutionContextToken() const final {
     return token_;
   }

third_party/blink/renderer/core/workers/threaded_worklet_messaging_proxy.cc

@@ -72,7 +72,8 @@ void ThreadedWorkletMessagingProxy::Initialize(
           mojom::blink::V8CacheOptions::kDefault, module_responses_map,
           mojo::NullRemote() /* browser_interface_broker */,
           BeginFrameProviderParams(), nullptr /* parent_feature_policy */,
-          window->GetAgentClusterID(), window->GetExecutionContextToken());
+          window->GetAgentClusterID(), window->GetExecutionContextToken(),
+          window->CrossOriginIsolatedCapability());
 
   // Worklets share the pre-initialized backing thread so that we don't have to
   // specify the backing thread startup data.
@@ -123,7 +124,7 @@ ThreadedWorkletMessagingProxy::CreateObjectProxy(
 }
 
 ThreadedWorkletObjectProxy&
-    ThreadedWorkletMessagingProxy::WorkletObjectProxy() {
+ThreadedWorkletMessagingProxy::WorkletObjectProxy() {
   DCHECK(worklet_object_proxy_);
   return *worklet_object_proxy_;
 }

third_party/blink/renderer/core/workers/worker_thread_test_helper.h

@@ -109,6 +109,7 @@ class FakeWorkerGlobalScope : public WorkerGlobalScope {
 
   // Returns a token uniquely identifying this fake worker.
   WorkerToken GetWorkerToken() const final { return token_; }
+  bool CrossOriginIsolatedCapability() const final { return false; }
   ExecutionContextToken GetExecutionContextToken() const final {
     return token_;
   }

third_party/blink/renderer/core/workers/worklet_global_scope.h

@@ -64,6 +64,7 @@ class CORE_EXPORT WorkletGlobalScope
   CoreProbeSink* GetProbeSink() final;
   scoped_refptr<base::SingleThreadTaskRunner> GetTaskRunner(TaskType) final;
   FrameOrWorkerScheduler* GetScheduler() final;
+  bool CrossOriginIsolatedCapability() const final { return false; }
   ukm::UkmRecorder* UkmRecorder() final;
 
   // WorkerOrWorkletGlobalScope

third_party/blink/renderer/modules/csspaint/paint_worklet_global_scope_proxy.cc

@@ -51,7 +51,8 @@ PaintWorkletGlobalScopeProxy::PaintWorkletGlobalScopeProxy(
       mojom::blink::V8CacheOptions::kDefault, module_responses_map,
       mojo::NullRemote() /* browser_interface_broker */,
       BeginFrameProviderParams(), nullptr /* parent_feature_policy */,
-      window->GetAgentClusterID(), window->GetExecutionContextToken());
+      window->GetAgentClusterID(), window->GetExecutionContextToken(),
+      window->CrossOriginIsolatedCapability());
   global_scope_ = PaintWorkletGlobalScope::Create(
       frame, std::move(creation_params), *reporting_proxy_);
 }

third_party/blink/renderer/modules/service_worker/service_worker_global_scope.cc

@@ -62,6 +62,7 @@
 #include "third_party/blink/renderer/bindings/modules/v8/v8_notification_event_init.h"
 #include "third_party/blink/renderer/bindings/modules/v8/v8_payment_request_event_init.h"
 #include "third_party/blink/renderer/core/dom/events/event.h"
+#include "third_party/blink/renderer/core/execution_context/agent.h"
 #include "third_party/blink/renderer/core/execution_context/execution_context.h"
 #include "third_party/blink/renderer/core/fetch/global_fetch.h"
 #include "third_party/blink/renderer/core/frame/reporting_context.h"
@@ -826,6 +827,11 @@ int ServiceWorkerGlobalScope::GetOutstandingThrottledLimit() const {
   return features::kInstallingServiceWorkerOutstandingThrottledLimit.Get();
 }
 
+bool ServiceWorkerGlobalScope::CrossOriginIsolatedCapability() const {
+  // TODO(crbug.com/1131404): Return Agent::IsCrossOriginIsolated().
+  return false;
+}
+
 void ServiceWorkerGlobalScope::importScripts(const Vector<String>& urls) {
   for (const String& string_url : urls) {
     KURL completed_url = CompleteURL(string_url);
@@ -2450,9 +2456,8 @@ void ServiceWorkerGlobalScope::NoteRespondedToFetchEvent(
 }
 
 void ServiceWorkerGlobalScope::RecordQueuingTime(base::TimeTicks created_time) {
-  base::UmaHistogramMediumTimes(
-      "ServiceWorker.FetchEvent.QueuingTime",
-      base::TimeTicks::Now() - created_time);
+  base::UmaHistogramMediumTimes("ServiceWorker.FetchEvent.QueuingTime",
+                                base::TimeTicks::Now() - created_time);
 }
 
 }  // namespace blink