It is up to the definition of individual platform objects to determine what data is serialized and deserialized by these steps. Typically the steps are very symmetric.
-The [Serializable] extended attribute must take no
- arguments, and must only appear on an interface. It must not appear more than once on an
- interface.
The [Serializable] extended attribute must take one of: no
+ arguments, the identifier SameOrigin, the
+ identifier SameAgentCluster, or an
+ identifier list containing both SameOrigin and SameAgentCluster. It must only appear on an
+ interface. It must not appear more than once on an interface.
The SameOrigin identifier prevents
+ deserialization in cross-origin realms. However, it does not prevent usage in cross-origin realms
+ that can be reached through document.domain. Similarly,
+ the SameAgentCluster identifier prevents
+ deserialization in realms belonging to other agent clusters. This does prevent usage in such
+ realms as it is the only way to reach them.
As discussed in issue
+ #4920, new features are strongly encouraged to use either SameOrigin or SameOrigin and
+ SameAgentCluster together. A future
+ refactoring will likely tightly couple the latter.
For a given platform object, only the object's primary interface is considered during the (de)serialization process. Thus, if inheritance is involved in defining the @@ -8306,8 +8322,8 @@ interface DOMStringList {
Set serialized to { [[Type]]: "SharedArrayBuffer", [[ArrayBufferData]]: value.[[ArrayBufferData]], [[ArrayBufferByteLength]]: size, - [[AgentCluster]]: the current Realm Record's corresponding agent - cluster }.
Set serialized to { [[Type]]: typeString }.
If value's interface's [Serializable]
+ extended attribute contains the SameOrigin
+ identifier, then set serialized.[[EnforceOrigin]] to the current settings
+ object's origin.
If value's interface's [Serializable]
+ extended attribute contains the SameAgentCluster identifier, then set
+ serialized.[[EnforceAgentCluster]] to the surrounding agent's
+ agent cluster.
Set deep to true.
Let value be an uninitialized value.
If serialized has an [[EnforceOrigin]] field and its value is not same
+ origin with targetRealm's settings
+ object's origin, then throw a
+ "DataCloneError" DOMException.
If serialized has an [[EnforceAgentCluster]] field and its value is not
+ targetRealm's corresponding agent cluster, then throw a
+ "DataCloneError" DOMException.
If serialized.[[Type]] is "primitive", then set value to serialized.[[Value]].
@@ -8751,20 +8787,11 @@ o.myself = o; serialized.[[OriginalSource]], and whose [[OriginalFlags]] internal slot value is serialized.[[OriginalFlags]].Otherwise, if serialized.[[Type]] is "SharedArrayBuffer", then:
- -If targetRealm's corresponding agent cluster is not
- serialized.[[AgentCluster]], then then throw a
- "DataCloneError" DOMException.
Otherwise, set value to a new SharedArrayBuffer object in - targetRealm whose [[ArrayBufferData]] internal slot value is - serialized.[[ArrayBufferData]] and whose [[ArrayBufferByteLength]] internal slot - value is serialized.[[ArrayBufferByteLength]].
Otherwise, if serialized.[[Type]] is "SharedArrayBuffer", then set + value to a new SharedArrayBuffer object in targetRealm whose + [[ArrayBufferData]] internal slot value is serialized.[[ArrayBufferData]], and whose + [[ArrayBufferByteLength]] internal slot value is + serialized.[[ArrayBufferByteLength]].
Otherwise, if serialized.[[Type]] is "ArrayBuffer", then set value to a