Introduce the "cross-origin-isolated" permission

This allows a document to control whether nested documents can access
features that require cross-origin isolation, as an additional
restriction on top of requiring COOP+COEP.

Fixes #5435.

source

@@ -4193,6 +4193,10 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
     <li>"<dfn data-x="autoplay-feature"><code data-x="">autoplay</code></dfn>", which has a <span
     data-x="concept-default-allowlist">default allowlist</span> of <code
     data-x="">'self'</code>.</li>
+    <li>"<dfn data-x="cross-origin-isolated-feature"><code
+    data-x="">cross-origin-isolated</code></dfn>", which has a <span
+    data-x="concept-default-allowlist">default allowlist</span> of <code
+    data-x="">'self'</code>.</li>
     <li>"<dfn data-x="document-domain-feature"><code data-x="">document-domain</code></dfn>", which
     has a <span data-x="concept-default-allowlist">default allowlist</span> of <code
     data-x="">*</code>.</li>
@@ -79160,7 +79164,15 @@ interface <dfn>BarProp</dfn> {
      <dt>The <span data-x="concept-settings-object-embedder-policy">embedder policy</span></dt>
      <dd><p>Return <var>window</var>'s <span data-x="concept-document-window">associated
      <code>Document</code></span>'s <span data-x="concept-document-embedder-policy">embedder
-     policy</span>.</p>
+     policy</span>.</p></dd>
+
+     <dt>The <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
+     isolated capability</span></dt>
+     <dd><p>Return the logical conjunction of <var>realm</var>'s <span>agent cluster</span>'s
+     <span>cross-origin isolated</span> and whether <var>window</var>'s <span
+     data-x="concept-document-window">associated <code>Document</code></span> is <span>allowed to
+     use</span> the "<code data-x="cross-origin-isolated-feature">cross-origin-isolated</code>"
+     feature.</p></dd>
     </dl>
    </li>
 
@@ -87604,6 +87616,12 @@ interface <dfn>ApplicationCache</dfn> : <span>EventTarget</span> {
    check">cross-origin resource policy checks</span> for <span data-x="concept-fetch">fetches</span>
    performed using this <span>environment settings object</span> as a <span
    data-x="concept-request-client">request client</span>.</p></dd>
+
+   <dt>A <dfn data-x="concept-settings-object-cross-origin-isolated-capability" data-export=""
+   data-dfn-for="environment settings object">cross-origin isolated capability</dfn></dt>
+
+   <dd><p>A boolean representing whether scripts that use this <span>environment settings
+   object</span> are allowed to use APIs that require cross-origin isolation.</p></dd>
   </dl>
 
   <p>An <span>environment settings object</span> also has an <dfn>outstanding rejected promises
@@ -92559,12 +92577,11 @@ interface mixin <dfn>WindowOrWorkerGlobalScope</dfn> {
    <dd><p>Returns the global object's <span>origin</span>, serialized as string.</p></dd>
 
    <dt>self . <code subdfn data-x="dom-crossOriginIsolated">crossOriginIsolated</code></dt>
-   <dd><p>Returns whether the <span>surrounding agent</span>'s <span>agent cluster</span> is
-   <span>cross-origin isolated</span>. This depends on the `<code
-   data-x="">Cross-Origin-Opener-Policy</code>` and `<code
-   data-x="">Cross-Origin-Embedder-Policy</code>` HTTP response headers and determines whether
-   <code>SharedArrayBuffer</code> can be used with <code data-x="">postMessage()</code>
-   APIs.</p></dd>
+   <dd><p>Returns whether scripts running in this global are allowed to use APIs that require
+   cross-origin isolation. This depends on the `<code data-x="">Cross-Origin-Opener-Policy</code>`
+   and `<code data-x="">Cross-Origin-Embedder-Policy</code>` HTTP response headers and the
+   "<code data-x="cross-origin-isolated-feature">cross-origin-isolated</code>"
+   feature.</p></dd>
   </dl>
 
   <div class="example">
@@ -92596,8 +92613,9 @@ document.body.appendChild(frame)</code></pre>
   origin">serialized</span>.</p>
 
   <p>The <dfn data-x="dom-crossOriginIsolated"><code>crossOriginIsolated</code></dfn> getter steps
-  are to return the <span>surrounding agent</span>'s <span>agent cluster</span>'s <span>cross-origin
-  isolated</span>.</p>
+  are to return <span>this</span>'s <span>relevant settings object</span>'s <span
+  data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
+  capability</span>.</p>
 
   </div>
 
@@ -99028,6 +99046,11 @@ interface <dfn>WorkerGlobalScope</dfn> : <span>EventTarget</span> {
   data-dfn-for="WorkerGlobalScope" data-x="concept-WorkerGlobalScope-module-map">module map</dfn>.
   It is a <span>module map</span>, initially empty.</p>
 
+  <p>A <code>WorkerGlobalScope</code> object has an associated <dfn data-export=""
+  data-dfn-for="WorkerGlobalScope"
+  data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated
+  capability</dfn> boolean. It is initially false.</p>
+
   </div>
 
   <dl class="domintro">
@@ -99486,6 +99509,33 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
      and <var>response</var> is false, then set <var>response</var> to a <span>network
      error</span>.</p></li>
 
+     <li><p>Set <var>worker global scope</var>'s <span
+     data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated
+     capability</span> to <var>agent</var>'s <span>agent cluster</span>'s <span>cross-origin
+     isolated</span>.</p></li>
+
+     <li><p>If <var>is shared</var> is false and <var>owner</var>'s <span
+     data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin isolated
+     capability</span> is false, then set <var>worker global scope</var>'s <span
+     data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated
+     capability</span> to false.</p></li>
+
+     <li>
+      <p>If <var>is shared</var> is false and <var>response</var>'s
+      <span data-x="concept-response-url">url</span>'s <span
+      data-x="concept-url-scheme">scheme</span> is "<code data-x="">data</code>", then set
+      <var>worker global scope</var>'s <span
+      data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated
+      capability</span> to false.</p>
+
+      <p class="note">This is a conservative default for now, while we figure out how workers in
+      general, and <code data-x="data protocol">data:</code> URL workers in particular (which are
+      cross-origin from their owner), will be treated in the context of permissions policies. See
+      <a
+      href="https://github.com/w3c/webappsec-permissions-policy/issues/207">w3c/webappsec-permissions-policy
+      issue #207</a> for more details.</p>
+     </li>
+
      <li><p>Execute the <span>Initialize a <code data-x="">global object</code>'s CSP list</span>
      algorithm on <var>worker global scope</var> and <var>response</var>. <ref spec="CSP"></p></li>
 
@@ -99778,6 +99828,12 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
       <p>Return <var>worker global scope</var>'s <span
       data-x="concept-WorkerGlobalScope-embedder-policy">embedder policy</span>.</p>
      </dd>
+
+     <dt>The <span data-x="concept-settings-object-cross-origin-isolated-capability">cross-origin
+     isolated capability</span></dt>
+     <dd><p>Return <var>worker global scope</var>'s <span
+     data-x="concept-WorkerGlobalScope-cross-origin-isolated-capability">cross-origin isolated
+     capability</span>.</p></dd>
     </dl>
    </li>