Document-Isolation-Policy

This behaves the same as "same-origin", with the addition that it sets the (new) top-level browsing context's group's agent cluster cross-origin isolation key's cross-origin isolation mode to one of "logical" or "concrete".

4. If navigationCOOP's value is "same-origin-plus-COEP", then:

   1. Let crossOriginIsolationMode be either "logical" or "concrete". The choice of which is implementation-defined.

   2. Set newBrowsingContext's group's agent cluster cross-origin isolation key to {coopEnforcementResult's origin, crossOriginIsolationMode}.

A document isolation policy value is one of three strings that controls agent cluster allocation and the fetching of cross-origin resources without explicit permission from resource owners.

• "none": This is the default value. When this value is used, cross-origin resources can be fetched without giving explicit permission through the CORS protocol or the 'Cross-Origin-Resource-Policy' header. The document is assigned to a non cross-origin isolated agent cluster.

• "isolate-and-require-corp": When this value is used, fetching cross-origin resources requires the server’s explicit permission through the CORS protocol or the 'Cross-Origin-Resource-Policy' header. The document is also assigned to a cross-origin isolated agent cluster.

• "isolate-and-credentialless": When this value is used, fetching cross-origin no-CORS resources omits credentials. In exchange, an explicit 'Cross-Origin-Resource-Policy' header is not required. Other requests sent with credentials require the server’s explicit permission through the CORS protocol or the 'Cross-Origin-Resource-Policy' header. The document is also assigned to a cross-origin isolated agent cluster.

A document isolation policy consists of:

• A value, which is a document isolation policy value, initially "none.

• A reporting endpoint, initially the empty string.

• A report-only value, which is a document isolation policy value, initially "none.

• A report-only reporting endpoint, initially the empty string.

To obtain a cross-origin agent cluster isolation key given null or a document isolation policy documentIsolationPolicy and an origin origin:

1. If documentIsolationPolicy is null, return null.

2. If documentIsolationPolicy's value is "none", then return null.

3. Let crossOriginIsolationMode be either "logical" or "concrete". The choice of which is implementation-defined.

4. Let crossOriginIsolationKey be a new agent cluster cross-origin isolation key.

5. Set crossOriginIsolationKey to {origin, crossOriginIsolationMode}.

6. Return crossOriginIsolationKey.

2.1.2.1. The headers

The 'Document-Isolation-Policy' and 'Document-Isolation-Policy-Report-Only' HTTP response headers allow a server to declare a document isolation policy for a document. These headers are structured headers whose values must be token.

The valid token values are the document isolation policy values. The token may also have attached parameters; of these, the "report-to" parameter can have a valid URL string identifying an appropriate reporting endpoint.

To obtain a document isolation policy given a response response and an environment environment:

1. Let policy be a new document isolation policy.

2. If environment is a non-secure context, then return policy.

3. Let parsedItem be the result of getting a structured field value with Document-Isolation-Policy and "item" from response's header list.

4. If parsedItem is non-null:

   1. If parsedItem[0] is "isolate-and-require-corp" or "isolate-and-credentialless", set policy's value to parsedItem[0].

   2. If parsedItem[1]["report-to"] exists, then set policy's reporting endpoint to parsedItem[1]["report-to"].

5. Set parsedItem be the result of getting a structured field value with Document-Isolation-Policyi-Report-Only and "item" from response's header list.

6. If parsedItem is non-null:

   1. If parsedItem[0] is "isolate-and-require-corp" or "isolate-and-credentialless", set policy's report-only value to parsedItem[0].

   2. If parsedItem[1]["report-to"] exists, then set policy's report-only reporting endpoint to parsedItem[1]["report-to"].

7. Return policy.

• A document isolation policy, which is a document isolation policy. It is initially a new document isolation policy.

• An agent cluster cross-origin isolation key, which is null or an agent cluster cross-origin isolation key. It is initially null. This agent cluster cross-origin isolation key is based on the document isolation policy of the document. It overrides the agent cluster cross-origin isolation key stored in the browsing context group.

5. Set clone's document isolation policy to a copy of policyContainer's document isolation policy.

6. Set clone's agent cluster cross-origin isolation key to a copy of policyContainer's agent cluster cross-origin isolation key.

6. If environment is non-null, then set result's document isolation policy to the result of obatining a document isolation policy given response and environment.

7. Set result's agent cluster cross-origin isolation key to the result of obtaining a cross-origin isolation key given result's document isolation policy and response's URL's origin.

Add a step 5 to the create a new browsing context and document algorithm:

5. Let creatorAgentClusterCOIKey be null.

5.4 Set creatorAgentClusterCOIKey to creator's policy container's agent cluster cross-origin isolation key.

9. Let agent be the result of obtaining a similar-origin window agent given origin, group, false, and creatorAgentClusterCOIKey.

A browsing context group has a cross-origin isolation mode, which is a cross-origin isolation mode. It is initially "none".

A browsing context group has an agent cluster cross-origin isolation key, which is null or an agent cluster cross-origin isolation key . It is initially null. It is set by Cross-Origin-Opener-Policy, and is the default agent cluster cross-origin isolation key for documents inside the browsing context group. However, it can be overriden by the policy container’s agent cluster cross-origin isolation key when a document has a document isolation policy.

Let agent be the result of obtaining a similar-origin window agent given navigationParams's origin, browsingContext's group, requestsOAC, and navigationParams's policy container's agent cluster cross-origin isolation key.

An agent cluster cross-origin isolation key is a tuple of an origin and a cross-origin isolation mode.

An agent cluster key is either a site, or a tuple origin, or a tuple of a tuple origin and an agent cluster cross-origin isolation key.

To obtain a similar-origin window agent, given an origin origin, a browsing context group group, a boolean requestsOAC, and null or an agent cluster cross-origin isolation key agentClusterCOIKey, run these steps:

3. If agentClusterCOIKey is not null, then set key to {origin, agentClusterCOIKey}.

4. Otherwise, if group’s agent cluster cross-origin isolation key is not null, then set key to {origin, group’s [=bcg-coi=key|agent cluster cross-origin isolation key=]}.

6.2 If key has an agent cluster cross-origin isolation key, set agentCluster's cross-origin isolation mode to key's agent cluster cross-origin isolation key's cross-origin isolation mode.

6.3 Set agentCluster's is origin-keyed to false if key equals site; otherwise true.

To check if Document-Isolation-Policy allows credentials, given a request request, run these steps:

1. If request’s mode is not "no-cors", then return true.

2. If request’s client is null, then return true.

3. If request’s client’s policy container’s document-isolation-policy’s value is not "isolate-and-credentialless", then return true.

4. If request’s origin is same origin with request’s current URL’s origin and request does not have a redirect-tainted origin, then return true.

5. Return false.

A cross-origin resource policy internal check result is one of five values:

• "allowed"

• "blocked"

• "blocked-by-coep"

• "blocked-by-dip"

• "blocked-by-coep-and-dip"

4. Let documentIsolationPolicy be settingsObject’s policy container’s document-isolation-policy.

5. Let reportOnlyCheck be the the result of the cross-origin resource policy internal check with origin, embedderPolicy’s report only value, documentIsolationPolicy’s report only value, response, and forNavigation.

6. If reportOnlyCheck is "blocked-by-coep" or "blocked-by-coep-and-dip", then queue a cross-origin embedder policy CORP violation report with response, settingsObject, destination, and true.

7. If reportOnlyCheck is "blocked-by-dip" or "blocked-by-coep-and-dip", then queue a document isolation policy CORP violation report with response, settingsObject, destination, and true.

8. Let check be the the result of the cross-origin resource policy internal check with origin, embedderPolicy’s value, documentIsolationPolicy’s report value, response, and forNavigation.

9. If check is "allowed", then return allowed.

10. If check is "blocked-by-coep" or "blocked-by-coep-and-dip", then queue a cross-origin embedder policy CORP violation report with response, settingsObject, destination, and false.

11. If reportOnlyCheck is "blocked-by-dip" or "blocked-by-coep-and-dip", then queue a document isolation policy CORP violation report with response, settingsObject, destination, and false.

12. Return blocked.

To perform a cross-origin resource policy internal check, given an origin origin, an embedder policy value embedderPolicyValue, a document isolation policy value documentIsolationPolicyValue, a response response, and a boolean forNavigation, run these steps:

4. Let checkResult be a cross-origin resource policy internal check result with value "blocked".

5. If policy is null, then:

   1. Let upgradeDueToCOEP be false.

   2. Let upgradeDueToDIP be false.

   3. Switch on embedderPolicyValue:

      • "unsafe-none"

        1. Do nothing.

      • "credentialless"

        1. Set upgradeDueToCOEP to true if:

           • response’s request-includes-credentials is true, or

           • forNavigation is true.

      • "require-corp"

        1. Set upgradeDueToCOEP to true.

   4. Switch on documentIsolationPolicyValue:

      • "dip-none"

        1. Do nothing.

      • "isolate-and-credentialless"

        1. Set upgradeDueToDIP to true if response’s request-includes-credentials is true.

      • "isolate-and-require-corp"

        1. Set upgradeDueToDIP to true.

   5. If upgradeDueToCOEP or upgradeDueToDIP is true, set policy to 'same-origin'.

   6. If upgradeDueToCOEP is true, then:

      1. If upgradeDueToDIP is true, then set checkResult to "blocked-by-coep-and-dip".

      2. Otherwise, set checkResult to "blocked-by-coep".

   7. Otherwise, if upgradeDueToDIP is true, then set checkResult to "blocked-by-dip".

6. Switch on policy:

   • null

   • cross-origin

     1. Set checkResult to "allowed".

   • same-origin

     1. If origin is same origin with response’s URL’s origin, then set checkResult to "allowed".

   • same-site

     1. If all of the following are true

        • origin is schemelessly same site with response’s URL’s origin

        • origin’s scheme is "https" or response’s URL’s scheme is not "https"

     2. then set checkResult to "allowed".

7. Return checkResult.

To queue a document isolation policy CORP violation report, given a response response, an environment settings object settingsObject, a string destination, and a boolean reportOnly, run these steps:

1. Let endpoint be settingsObject’s policy container’s document-isolation-policy’s report only reporting endpoint if reportOnly is true and settingsObject’s policy container’s document-isolation-policy’s reporting endpoint otherwise.

2. Let serializedURL be the result of serializing a response URL for reporting with response.

3. Let disposition be "reporting" if reportOnly is true; otherwise "enforce".

4. Let body be a new object containing the following properties:

   "type"	"corp"
   "blockedURL"	serializedURL
   "destination"	destination
   "disposition"	disposition

5. Generate and queue a report for settingsObject’s global object given the "dip", endpoint, and body.

5. If Document-Isolation-Policy allows credentials with request returns false, then set includeCredentials to false.