Introduce SameOrigin and SameAgentCluster for [Serializable]

source

@@ -8104,9 +8104,25 @@ interface <dfn>DOMStringList</dfn> {
   <p>It is up to the definition of individual platform objects to determine what data is serialized
   and deserialized by these steps. Typically the steps are very symmetric.</p>
 
-  <p>The <code data-x="Serializable">[Serializable]</code> extended attribute must take no
-  arguments, and must only appear on an interface. It must not appear more than once on an
-  interface.</p>
+  <p>The <code data-x="Serializable">[Serializable]</code> extended attribute must take one of: no
+  arguments, the identifier <dfn data-x="Serializable SameOrigin"><code>SameOrigin</code></dfn>, the
+  identifier <dfn data-x="Serializable SameAgentCluster"><code>SameAgentCluster</code></dfn>, or an
+  identifier list containing both <code data-x="Serializable SameOrigin">SameOrigin</code> and <code
+  data-x="Serializable SameAgentCluster">SameAgentCluster</code>. It must only appear on an
+  interface. It must not appear more than once on an interface.</p>
+
+  <p class="note">The <code data-x="Serializable SameOrigin">SameOrigin</code> identifier prevents
+  deserialization in cross-origin realms. However, it does not prevent usage in cross-origin realms
+  that can be reached through <code data-x="dom-document-domain">document.domain</code>. Similarly,
+  the <code data-x="Serializable SameAgentCluster">SameAgentCluster</code> identifier prevents
+  deserialization in realms belonging to other agent clusters. This does prevent usage in such
+  realms as it is the only way to reach them.</p>
+
+  <p class="XXX">As discussed in <a href="https://github.com/whatwg/html/issues/4920">issue
+  #4920</a>, new features are strongly encouraged to use either <code data-x="Serializable
+  SameOrigin">SameOrigin</code> or <code data-x="Serializable SameOrigin">SameOrigin</code> and
+  <code data-x="Serializable SameAgentCluster">SameAgentCluster</code> together. A future
+  refactoring will likely tightly couple the latter.</p>
 
   <p>For a given <span>platform object</span>, only the object's <span>primary interface</span> is
   considered during the (de)serialization process. Thus, if inheritance is involved in defining the
@@ -8306,8 +8322,8 @@ interface <dfn>DOMStringList</dfn> {
 
        <li><p>Set <var>serialized</var> to { [[Type]]: "SharedArrayBuffer", [[ArrayBufferData]]:
        <var>value</var>.[[ArrayBufferData]], [[ArrayBufferByteLength]]: <var>size</var>,
-       [[AgentCluster]]: the <span>current Realm Record</span>'s corresponding <span>agent
-       cluster</span> }.</p></li>
+       [[EnforceAgentCluster]]: the <span>surrounding agent</span>'s <span>agent cluster</span>
+       }.</p></li>
       </ol>
      </li>
 
@@ -8470,6 +8486,17 @@ interface <dfn>DOMStringList</dfn> {
 
      <li><p>Set <var>serialized</var> to { [[Type]]: <var>typeString</var> }.</p></li>
 
+     <li><p>If <var>value</var>'s interface's <code data-x="Serializable">[Serializable]</code>
+     extended attribute contains the <code data-x="Serializable SameOrigin">SameOrigin</code>
+     identifier, then set <var>serialized</var>.[[EnforceOrigin]] to the <span>current settings
+     object</span>'s <span data-x="concept-settings-object-origin">origin</span>.</p></li>
+
+     <li><p>If <var>value</var>'s interface's <code data-x="Serializable">[Serializable]</code>
+     extended attribute contains the <code data-x="Serializable
+     SameAgentCluster">SameAgentCluster</code> identifier, then set
+     <var>serialized</var>.[[EnforceAgentCluster]] to the <span>surrounding agent</span>'s
+     <span>agent cluster</span>.</p></li>
+
      <li><p>Set <var>deep</var> to true.</p></li>
     </ol>
    </li>
@@ -8722,6 +8749,15 @@ o.myself = o;</code></pre>
 
    <li><p>Let <var>value</var> be an uninitialized value.</p></li>
 
+   <li><p>If <var>serialized</var> has an [[EnforceOrigin]] field and its value is not <span>same
+   origin</span> with <var>targetRealm</var>'s <span data-x="concept-realm-settings-object">settings
+   object</span>'s <span data-x="concept-settings-object-origin">origin</span>, then throw a
+   <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p></li>
+
+   <li><p>If <var>serialized</var> has an [[EnforceAgentCluster]] field and its value is not
+   <var>targetRealm</var>'s corresponding <span>agent cluster</span>, then throw a
+   <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p></li>
+
    <li><p>If <var>serialized</var>.[[Type]] is "primitive", then set <var>value</var> to
    <var>serialized</var>.[[Value]].</p>
 
@@ -8751,20 +8787,11 @@ o.myself = o;</code></pre>
    <var>serialized</var>.[[OriginalSource]], and whose [[OriginalFlags]] internal slot value is
    <var>serialized</var>.[[OriginalFlags]].</p></li>
 
-   <li>
-    <p>Otherwise, if <var>serialized</var>.[[Type]] is "SharedArrayBuffer", then:</p>
-
-    <ol>
-     <li><p>If <var>targetRealm</var>'s corresponding <span>agent cluster</span> is not
-     <var>serialized</var>.[[AgentCluster]], then then throw a
-     <span>"<code>DataCloneError</code>"</span> <code>DOMException</code>.</p></li>
-
-     <li><p>Otherwise, set <var>value</var> to a new SharedArrayBuffer object in
-     <var>targetRealm</var> whose [[ArrayBufferData]] internal slot value is
-     <var>serialized</var>.[[ArrayBufferData]] and whose [[ArrayBufferByteLength]] internal slot
-     value is <var>serialized</var>.[[ArrayBufferByteLength]].</p></li>
-    </ol>
-   </li>
+   <li><p>Otherwise, if <var>serialized</var>.[[Type]] is "SharedArrayBuffer", then set
+   <var>value</var> to a new SharedArrayBuffer object in <var>targetRealm</var> whose
+   [[ArrayBufferData]] internal slot value is <var>serialized</var>.[[ArrayBufferData]], and whose
+   [[ArrayBufferByteLength]] internal slot value is
+   <var>serialized</var>.[[ArrayBufferByteLength]].</p></li>
 
    <li>
     <p>Otherwise, if <var>serialized</var>.[[Type]] is "ArrayBuffer", then set <var>value</var> to a