This repository has been archived by the owner on Dec 12, 2020. It is now read-only.

Current algorithm might be GC dependent #8

Closed
domenic opened this issue Jan 14, 2020 · 1 comment · Fixed by #15

Comments

@domenic
Collaborator

domenic commented Jan 14, 2020

The current algorithm for choosing an agent cluster key contains the following step:

If group's agent cluster map[site] exists, and group's agent cluster map[site] contains any agents which contain any realms whose settings object's origin are same-origin with origin, then return site.

In an offline conversation @annevk pointed out that this might be GC dependent. In particular, I believe the scenario is something like:

  • https://example.com/ iframes https://example.org/ which does not request OI, and so https://example.org/ is site-keyed.
  • JS code on https://example.com/ saves a reference to the iframe window, e.g. window.savedFrame = frames[0].
  • https://example.com/ removes the iframe from the DOM.
  • https://example.com/ inserts a new iframe, iframe2, for https://example.org/, but the server has been updated so this time it requests OI. However, the BCG's agent cluster map[Site{https://example.org}] still contains the realm corresponding to window.savedFrame, and that is same-origin with https://example.org/, so this means that the OI request is denied.
    • This itself might be fairly bad. Just holding a reference should not prevent origin isolation, probably.
  • https://example.com/ has JS code which does window.savedFrame = null.
  • https://example.com/ removes iframe2 from the DOM.
  • https://example.com/ inserts a new iframe, iframe3, for https://example.org/. Now, whether the BCG's agent cluster map[Site{https://example.org}] still contains any realms depends on whether the garbage collector has run and collected the Window object that used to be stored in window.savedFrame, so it's unclear whether the OI request will be honored or not.
    • This is not great.

One potential fix here is to only count realms whose documents are currently active. However, I think this breaks when bfcache is involved; it would lead to scenarios where it appears fine to origin isolate, but then the user presses the back button and now you have two same-origin iframes on the page which are in different agent clusters.

Hmm...
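To make the GC dependence concrete, here is an added toy model of the quoted step, written for this page and not taken from the spec or the Chromium prototype. `BrowsingContextGroup`, `chooseKey`, `createRealm` and `collectGarbage` are assumed names; a realm is reduced to its origin, and garbage collection is simulated explicitly so both outcomes of the iframe3 step can be shown.

```javascript
// Toy model (assumption: not the spec's own data structures) of the step
// "if agent cluster map[site] contains a same-origin realm, return site".
function siteOf(origin) { return "Site{" + origin + "}"; }

class BrowsingContextGroup {
  constructor() { this.agentClusterMap = new Map(); } // key -> Set of realms

  // The quoted step: an existing site-keyed cluster holding a same-origin
  // realm wins, even when the new document requests origin isolation.
  chooseKey(origin, requestsOriginIsolation) {
    const site = siteOf(origin);
    const existing = this.agentClusterMap.get(site);
    if (existing && [...existing].some(r => r.origin === origin)) return site;
    return requestsOriginIsolation ? origin : site;
  }

  createRealm(origin, requestsOriginIsolation) {
    const key = this.chooseKey(origin, requestsOriginIsolation);
    if (!this.agentClusterMap.has(key)) this.agentClusterMap.set(key, new Set());
    const realm = { origin, key };
    this.agentClusterMap.get(key).add(realm);
    return realm;
  }

  // Simulated GC: only realms in `live` (reachable from the DOM or a saved
  // JS reference) survive; empty clusters are dropped from the map.
  collectGarbage(live) {
    for (const [key, realms] of this.agentClusterMap) {
      for (const r of realms) if (!live.has(r)) realms.delete(r);
      if (realms.size === 0) this.agentClusterMap.delete(key);
    }
  }
}

// Replays the issue's scenario; `gcRunsBeforeIframe3` is the nondeterminism.
function runScenario(gcRunsBeforeIframe3) {
  const bcg = new BrowsingContextGroup();
  const origin = "https://example.org";
  const frame1 = bcg.createRealm(origin, false); // iframe1: no OI, site-keyed
  const savedFrame = frame1;                      // window.savedFrame = frames[0]
  bcg.collectGarbage(new Set([savedFrame]));      // iframe1 removed, ref kept
  const frame2 = bcg.createRealm(origin, true);   // iframe2 requests OI: denied
  // window.savedFrame = null and iframe2 removed: nothing references either.
  if (gcRunsBeforeIframe3) bcg.collectGarbage(new Set());
  const frame3 = bcg.createRealm(origin, true);   // iframe3: depends on GC
  return { key2: frame2.key, key3: frame3.key };
}
```

`runScenario(true)` and `runScenario(false)` agree that iframe2 is site-keyed but disagree on iframe3, which is exactly the observable GC dependence described above.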

@domenic
Collaborator Author

domenic commented Jan 27, 2020

@wjmaclean has come up with a clever solution which is that we can use the information stored in the session history. I'll try to write this up in spec-ese soon. Concurrently, he's working on incorporating it into our Chromium prototype.
