Consider restricting SharedArrayBuffer to same-origin usage

[annevk]

Currently SharedArrayBuffer is limited to an agent cluster, but can be cross-origin (though same-site and same-scheme) within that agent cluster. We should consider restricting it further so it cannot be used cross-site, so that SharedArrayBuffer does not become the new document.domain.

cc @whatwg/security

[wanderview]

@dtapuska I thought you told me we did not support cross-document SharedArrayBuffer until recently (m78, etc). Is that true? Of course, @domenic tells me the WPT tests for this pass in M76. I'm just wondering if we can assume low usage due to lack of implementation.

[dtapuska]

Because of two different code paths postMessage (MessageChannel and Window are different). It was supported on Window but not on MessageChannel I believe. Check out this WPT test link

[annevk]

This also affects the Wasm Web API: https://webassembly.github.io/spec/web-api/#serialization.

cc @littledan

[annevk]

I think it would be ideal to fix this as part of #4732 as doing this at a later stage makes rolling this out a much larger compatibility concern. Also, the sooner Chrome can roll this out the better. Is there someone investigating this? (Remember that if SharedArrayBuffer/WebAssembly.Module remains same-site deprecating/removing document.domain does not help with the goal of origin-per-process.)

[domenic]

I think we could do it independently (and earlier). I take it Mozilla is interested; I suspect Chrome is but it'd be best to get some confirmation. @dtapuska, can you take the lead here?

[annevk]

We would implement this to effectively make less things depend on PSL, yes. (If document.domain is used this does not shrink the boundary, but it at least would require that to be used.)

[dtapuska]

What is the timeline? I can add a use counter and see how many SharedArrayBuffers get transfered in SameSite vs SameOrigin cases.

[annevk]

That'd be great. Not sure about a timeline, but the longer we leave this the way it is the more likely it is we cannot change it.

[dtapuska]

Hmm, this is a little more complicated. Chrome doesn't serialize the origin for message ports because origin is only used in CrossDocumentMessaging