This repository has been archived by the owner on Oct 16, 2020. It is now read-only.
Have DedicatedWorker use COEP in response headers #13
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Stop inheriting owner's policy, and use response's policy instead. Also add a check to keep the invariance that when owner's COEP is "require-corp" then the dedicated worker's COEP must also be "require-corp". Fixes whatwg/html#4924.
|
@yutakahirano - can you join the WICG to appease the IPR bots? |
|
Thanks, I've just requested. |
|
Adding tests as https://chromium-review.googlesource.com/c/chromium/src/+/2121936. |
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 30, 2020
[1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 30, 2020
[1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 30, 2020
[1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 31, 2020
[1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 31, 2020
[1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6
|
Hi! I'll try to make time to look at this today, but I suspect I'm going to need until tomorrow to give you actionable feedback. Sorry! |
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Mar 31, 2020
[1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 1, 2020
[1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 2, 2020
[1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 2, 2020
[1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2126652 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#755782}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Apr 2, 2020
[1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2126652 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#755782}
blueboxd
pushed a commit
to blueboxd/chromium-legacy
that referenced
this pull request
Apr 2, 2020
[1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2126652 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#755782}
xeonchen
pushed a commit
to xeonchen/gecko
that referenced
this pull request
Apr 6, 2020
… COEP when its parent has COEP, a=testonly Automatic update from web-platform-tests DedicatedWorker should reject script w/o COEP when its parent has COEP [1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2126652 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#755782} -- wpt-commits: 9446a9251cd68c7abdee377fe5a9ad8f40db5c44 wpt-pr: 22526
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Apr 6, 2020
… COEP when its parent has COEP, a=testonly Automatic update from web-platform-tests DedicatedWorker should reject script w/o COEP when its parent has COEP [1] is changing how COEP is set to (dedicated) worker top-level scripts. Before the change it inherited the parent policy. After the change it gets the policy from the HTTP headers in the response, but the loading is blocked when the parent has COEP: require-corp but the child doesn't have COEP: require-corp. As described in [2], this can be solved by a project called PlzDedicatedWorker, but it will take time to ship it. As a short-term fix, this implements the blocking part. No reporting is implemented. This fix is important because this is a breaking change. We would like to land this by M83. 1: WICG/cross-origin-embedder-policy#13 2: https://docs.google.com/document/d/1eB34zYLuQHshN_Tt8BbLSehHyvxqWupVdB09CCbn7g4/edit Bug: 1064920 Change-Id: I55fa951f18692d642c747cff168d8239de69efb6 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2126652 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#755782} -- wpt-commits: 9446a9251cd68c7abdee377fe5a9ad8f40db5c44 wpt-pr: 22526
|
@mikewest PTAL |
mikewest
approved these changes
Apr 16, 2020
| To <dfn abstract-op>check a global object's embedder policy</dfn>, given a [=global object=] | ||
| (|global|), a [=environment settings object=] (|owner|) and a [=request=] (|request|), then | ||
|
|
||
| 1. If |global| is a {{SharedWorkerGlobalScope}} or |global| is a {{ServiceWorkerGlobalScope}}, then |
There was a problem hiding this comment.
This is fine for this patch, but do we really want to punt entirely on SharedWorker/ServiceWorker? I wonder if we need to do something to ensure that they can't be used as bridges between COEP and non-COEP pages?
There was a problem hiding this comment.
I think the difference is that SharedWorker/ServiceWorker forms its own browser context group but DedicatedWorker doesn't.
There was a problem hiding this comment.
They form their own agent cluster and more importantly don't have a single owner.
There was a problem hiding this comment.
Browsing context groups are only for holding top-level browsing contexts and agent clusters whose "root agent" is a window agent.
Co-Authored-By: Mike West <mike@mikewest.org>
Co-Authored-By: Mike West <mike@mikewest.org>
|
Thank you! |
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Stop inheriting owner's policy, and use response's policy instead. Also
add a check to keep the invariance that when owner's COEP is
"require-corp" then the dedicated worker's COEP must also be
"require-corp".
Fixes whatwg/html#4924.