COEP and cachestorage

[yutakahirano]

@mikewest @annevk @arturjanc

(Sorry if this has already been discussed)

I saw https://mikewest.github.io/corpp/#issue-524333ea. The issue is not specific to service worker I think, because you can:

1. Fetch a request which results in an opaque (and no-corp) response in page A without COEP,
2. Store the response to the cachestorage, and
3. Get the response from the cachestorage in page B with COEP.

We may have a similar issue with postMessage and ImageBitmap which is transferable.

[annevk]

For opaque responses our idea was that while you can have a reference to them, the underlying body would never enter the COEP process. The only way to get the body into that process is via a service worker at which point it would be blocked due to it lacking the CORP header.

ImageBitmap however was not considered. Thanks for raising it! We'd need to block that from entering the COEP process if its origin-clean flag is not set. Fortunately with the messageerror setup we added a while back that is rather easy specification-wise. (I added a commit for this to #4734.)

I think OffscreenCanvas can not be used in a similar way, right? (It's also transferable.)

Firefox bugs to track these:

• https://bugzilla.mozilla.org/show_bug.cgi?id=1565199
• https://bugzilla.mozilla.org/show_bug.cgi?id=1565205

cc @mystor @asutherland

[annevk]

It's a little bit unclear to me how OffscreenCanvas's placeholder canvas element work. I think pixels can only be pushed to it and not pulled from it in which case there's no problem there (as OffscreenCanvass own bitmap is always cleared when transferring). @junov is that correct?

[domenic]

@junov has moved on from canvas; I think @fserb is the best contact these days.

[fserb]

I don't think the bitmap get's cleared. But that's besides the point. An OffscreenCanvas can't be transferred if it already has a rendering context. I.e.:

c = canvas.transferControlToOffscreen()   // or new OffscreenCanvas(10, 10);

c.getContext("2d")
worker.postMessage(c, [c]);

will fail with DOMException. Which means that the OffscreenCanvas being transferred is always, as far as can I see, empty. That's also true for transferControlToOffscreen, which can only be called on a context-less Canvas.

I don't understand COEP enough, but does this address the issue that @annevk brough up?

[annevk]

@fserb step 4 of OffscreenCanvas's transfer steps says "Unset value's bitmap." What but clearing could that mean?

But yeah, I missed that it's highly dependent on state as well and that does seem to indicate that it cannot be used to smuggle bits. (We should probably clarify whether this weak reference is supposed to work across agent clusters, but that's a separate issue.)

[yutakahirano]

Fixed by #5114.