Issue 824606 link

Issue metadata

Status: WontFix
Owner: ----
Closed: Mar 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security




Security: Same-origin policy violation with data: URL shared workers

Reported by chromium...@gmail.com, Mar 22 2018

Issue description

VERSION
Chrome Version: 67.0.3377.0 (Official Build) canary (64-bit)
Operating System: Mac

REPRODUCTION CASE
1. load https://attack.shhnjk.com/ConnectedWorkers.html
2. Click on the button => Failed
3. Back to the origin tab
4. Click on the button again => Observe

Can you flesh out this report with a bit more detail? E.g. in #2, what do you mean when you say "Failed", and what do you "Observe" in step #4 and what do you expect to observe?

When I run this repro, I see "User 1" from the "Attack" tab, then "User 1" from the "Vuln" tab, then "User 2, connected to others" from the second "Vuln" tab.

Sorry, I think my explanation was unclear.

In step #2 you can see "Hello, User 1" from the "Attack" tab (expected behavior)

In step #4 you can see "Hello, User 2! Successfully connected with other users!" (unexpected behavior)

I was expecting to get the same result as in step #2.

The problem here is a shared worker created from a data URL in one tab can be shared by another tab with a different origin.

In step 4, isn't the worker in tab 3 shared with the worker in tab 2 (which is same origin)?

Components: Blink>Workers
(Notably, this used to behave differently and data:-sourced SharedWorkers were incorrectly shared across origins. That was fixed in Issue 787103.)

Yes, in step #4, the worker in tab 3 is shared with the worker in tab 2.

Tab 2 and Tab 3 are same-origin to one another. Where's the SOP violation?

Hmm... now I can understand... thanks for posting comment #4.
Thank you so much for the comments and your feedback :-)

Comment 9 by cthomp@chromium.org, Mar 22 2018

Status: WontFix (was: Unconfirmed)
Closing this as WontFix as it seems this is not actually an SOP violation. Feel free to comment/reopen if there are more details I'm missing.
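To make the conclusion of this thread concrete, here is an added Node.js model of how a browser decides whether a `new SharedWorker(url)` call reuses an existing worker. It is not code from the report, the repro page or Chromium; it follows the HTML specification's matching rule (the constructing document's origin, the script URL and the worker name must all match) and leaves out browser details such as storage partitioning. The `attack.example` and `vuln.example` origins are placeholders; the report only names the "attack" origin.

```javascript
// Added example (not from the bug report or Chromium): a small Node.js model
// of SharedWorker matching. A shared worker is reused only when the document
// that calls new SharedWorker() has the same origin as the document that
// created the worker, and the script URL and name are equal. A data: URL is
// just a script URL here; it does not make the worker reachable cross-origin.

// What the worker script behind the data: URL would look like in a real page
// (constructed to mirror the "Hello, User N" messages described in the report).
const WORKER_SOURCE = `
  let users = 0;
  onconnect = (e) => {
    users += 1;
    e.ports[0].postMessage(users === 1
      ? 'Hello, User 1'
      : 'Hello, User ' + users + '! Successfully connected with other users!');
  };
`;
const DATA_URL = 'data:text/javascript,' + encodeURIComponent(WORKER_SOURCE);

// Stand-in for one shared worker global scope. Its behaviour mirrors
// WORKER_SOURCE so the model can run without a browser.
class ModelSharedWorkerScope {
  constructor(constructorOrigin, scriptUrl, name) {
    this.constructorOrigin = constructorOrigin; // origin of the creating document
    this.scriptUrl = scriptUrl;
    this.name = name;
    // A data: script runs with an opaque origin; an https: script inherits its
    // URL's origin. This is the worker's own origin, not the matching key.
    this.origin = scriptUrl.startsWith('data:') ? 'opaque' : new URL(scriptUrl).origin;
    this.users = 0;
  }

  connect() {
    this.users += 1;
    return this.users === 1
      ? 'Hello, User 1'
      : `Hello, User ${this.users}! Successfully connected with other users!`;
  }
}

// The browser-wide "shared workers list", searched with the spec's key.
class ModelSharedWorkerList {
  constructor() {
    this.scopes = [];
  }

  // documentOrigin: origin of the page calling new SharedWorker(scriptUrl, name).
  connect(documentOrigin, scriptUrl, name = '') {
    let scope = this.scopes.find(
      (s) => s.constructorOrigin === documentOrigin &&
             s.scriptUrl === scriptUrl &&
             s.name === name,
    );
    if (!scope) {
      scope = new ModelSharedWorkerScope(documentOrigin, scriptUrl, name);
      this.scopes.push(scope);
    }
    return scope.connect();
  }
}

// The report's steps: one tab on the attack origin, then two tabs on a second
// origin. Placeholder origins; only the attack origin is named in the report.
function simulateRepro() {
  const list = new ModelSharedWorkerList();
  const ATTACK = 'https://attack.example';
  const VULN = 'https://vuln.example';
  return [
    list.connect(ATTACK, DATA_URL), // tab 1 (attack): fresh worker -> "User 1"
    list.connect(VULN, DATA_URL),   // tab 2 (vuln): different constructor origin, fresh worker
    list.connect(VULN, DATA_URL),   // tab 3 (vuln): same origin as tab 2, worker is shared
  ];
}

// Two documents on different origins never share a worker, whatever the URL.
function crossOriginIsIsolated(scriptUrl) {
  const list = new ModelSharedWorkerList();
  const a = list.connect('https://a.example', scriptUrl);
  const b = list.connect('https://b.example', scriptUrl);
  return a === 'Hello, User 1' && b === 'Hello, User 1';
}

console.log(simulateRepro());
```

Running it prints the three messages the triager saw: "Hello, User 1" for the attack tab, "Hello, User 1" again for the first vuln tab (no sharing across origins), and the "User 2" message only once a same-origin tab connects. Anyone checking a suspected cross-origin SharedWorker leak can apply the same test: compare the constructing documents' origins first, because that, not the script URL's scheme, is what the matching key contains.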

Comment 10 by sheriffbot@chromium.org, Jun 29 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
