Skip to content
Permalink
Browse files

MIX: First stab at SW integration.

As discussed in [1], it makes sense to pave the cowpath of allowing a
Service Worker to 'fetch()' a request made by a page directly, while
disallowing it from making requests on its own. Hopefully the current
patch is a reasonable reading of Fetch. :)

[1]: https://lists.w3.org/Archives/Public/public-webappsec/2015Jul/0131.html
  • Loading branch information...
mikewest committed Jul 20, 2015
1 parent 521ec0d commit e577d4d5746bd33248a7dd4dbe0db515c16f20fb
Showing with 76 additions and 39 deletions.
  1. +51 −35 specs/mixedcontent/index.html
  2. +25 −4 specs/mixedcontent/index.src.html
@@ -71,7 +71,7 @@
<h1 class="p-name no-ref" id="title">Mixed Content</h1>

<h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft,
<time class="dt-updated" datetime="2015-07-06">6 July 2015</time></span></h2>
<time class="dt-updated" datetime="2015-07-20">20 July 2015</time></span></h2>

<div data-fill-with="spec-metadata">
<dl>
@@ -317,8 +317,7 @@ <h2 class="heading settled" data-level="2" id="terms"><span class="secno">2. </s
<a data-link-type="dfn" href="https://tools.ietf.org/html/rfc6454#section-3.2">origin</a> is <a data-link-type="dfn" href="#insecure-origin">insecure</a>, <strong>and</strong> the context
responsible for loading it restricts mixed content. See
<a href="#categorize-settings-object">§5.1
Does settings object restrict mixed content?
</a> for a normative definition of the latter.
Does settings object restrict mixed content?</a> for a normative definition of the latter.


<div class="example" id="example-0665cf9f"><a class="self-link" href="#example-0665cf9f"></a>
@@ -551,8 +550,7 @@ <h3 class="heading settled" data-level="3.1" id="category-optionally-blockable">


<p class="note" role="note">Note: We further limit this category in <a href="#should-block-fetch">§5.2
Should fetching request be blocked as mixed content?
</a> by
Should fetching request be blocked as mixed content?</a> by
force-failing any CORS-enabled request. This means that mixed content images
loaded via <code>&lt;img crossorigin ...></code> will be blocked. This is
a good example of the general principle that a category of content falls
@@ -584,8 +582,7 @@ <h3 class="heading settled" data-level="3.2" id="category-blockable"><span class
<a data-link-type="dfn" href="http://www.w3.org/TR/html5/browsers.html#navigate">navigations</a>, which are not considered mixed
content. See the treatment of <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-context-frame-type">request context frame type</a> in
<a href="#should-block-fetch">§5.2
Should fetching request be blocked as mixed content?
</a> for details.</p>
Should fetching request be blocked as mixed content?</a> for details.</p>



@@ -620,11 +617,9 @@ <h2 class="heading settled" data-level="4" id="strict-checking"><span class="sec
<dfn data-dfn-type="dfn" data-noexport="" id="strict-mixed-content-checking-flag">strict mixed content checking flag<a class="self-link" href="#strict-mixed-content-checking-flag"></a></dfn> which is set to
<code>false</code> unless otherwise specified. This flag is checked in both
<a href="#should-block-fetch">§5.2
Should fetching request be blocked as mixed content?
</a> and <a href="#should-block-response">§5.3
Should fetching request be blocked as mixed content?</a> and <a href="#should-block-response">§5.3
Should response to request be blocked as mixed
content?
</a> to determine whether
content?</a> to determine whether
the <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code> is in <dfn data-dfn-type="dfn" data-noexport="" id="strict-mode">strict mode<a class="self-link" href="#strict-mode"></a></dfn>.</p>


@@ -778,8 +773,7 @@ <h2 class="heading settled" data-level="5" id="algorithms"><span class="secno">5

<p>Fetch calls the algorithm defined in
<a href="#should-block-fetch">§5.2
Should fetching request be blocked as mixed content?
</a> during
Should fetching request be blocked as mixed content?</a> during
<a href="https://fetch.spec.whatwg.org/#fetching">Step 4 of the Fetching
algorithm</a> <a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a> in order to block network traffic to <a data-link-type="dfn" href="#a-priori-insecure-origin"><em>a
priori</em> insecure origins</a>.</p>
@@ -792,8 +786,7 @@ <h2 class="heading settled" data-level="5" id="algorithms"><span class="secno">5
<p>Further, Fetch calls the algorithm defined in
<a href="#should-block-response">§5.3
Should response to request be blocked as mixed
content?
</a> during
content?</a> during
<a href="https://fetch.spec.whatwg.org/#fetching">Step 7 of the Fetching
algorithm</a> <a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a> in order to block responses from <a data-link-type="dfn" href="#insecure-origin">insecure
origins</a>.</p>
@@ -804,20 +797,16 @@ <h2 class="heading settled" data-level="5" id="algorithms"><span class="secno">5
resource is <a data-link-type="dfn" href="#insecure-origin">insecure</a> once the TLS-handshake has finished. See
steps 4.1 and 4.2 of the algorithm defined in <a href="#should-block-response">§5.3
Should response to request be blocked as mixed
content?
</a> for
content?</a> for
detail.</p>


<p>The algorithm defined in <a href="#categorize-settings-object">§5.1
Does settings object restrict mixed content?
</a> is used by both
Does settings object restrict mixed content?</a> is used by both
<a href="#should-block-fetch">§5.2
Should fetching request be blocked as mixed content?
</a> and <a href="#should-block-response">§5.3
Should fetching request be blocked as mixed content?</a> and <a href="#should-block-response">§5.3
Should response to request be blocked as mixed
content?
</a>, as well as
content?</a>, as well as
<a href="#websockets-integration">§6 Modifications to WebSockets</a> in order to determine whether an insecure request
ought to be blocked.</p>

@@ -990,8 +979,7 @@ <h3 class="heading settled" data-level="5.2" id="should-block-fetch"><span class

<li>
If <a href="#categorize-settings-object">§5.1
Does settings object restrict mixed content?
</a> returns <code>Does Not Restrict
Does settings object restrict mixed content?</a> returns <code>Does Not Restrict
Mixed Content</code> when applied to <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>,
return <strong>allowed</strong>.

@@ -1016,6 +1004,13 @@ <h3 class="heading settled" data-level="5.2" id="should-block-fetch"><span class

<ol>

<li>
If <var>request</var>’s <code>window</code> is not an <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#settings-object">environment
settings object</a> (e.g. it is either <code>client</code> or
<code>no-window</code>, return <strong>blocked</strong>.



<li>
If <var>request</var>’s <code>mode</code> is <code>CORS</code> or
<code>CORS-with-forced-preflight</code>, return
@@ -1024,8 +1019,23 @@ <h3 class="heading settled" data-level="5.2" id="should-block-fetch"><span class


<li>
If <var>context</var> is not an <a data-link-type="dfn" href="#optionally_blockable-request-contexts">optionally-blockable request
context</a>, return <strong>blocked</strong>.
If <var>context</var> is <code>fetch</code>:


<ol>

<li>
If <var>request</var>’s <code>mode</code> is not
<code>no-cors</code>, return <strong>blocked</strong>.



</ol>


<li>
Otherwise, if <var>context</var> is an <a data-link-type="dfn" href="#optionally_blockable-request-contexts">optionally-blockable
request context</a>, return <strong>blocked</strong>.



@@ -1055,6 +1065,14 @@ <h3 class="heading settled" data-level="5.2" id="should-block-fetch"><span class

</ol>



<p class="note" role="note">Note: We special-case <code>fetch</code> in order to allow Service Workers
to passthrough requests from Documents. We rely on the request’s
<code>window</code> property to be set to an environment settings object
when a Document initiates a fetch via some declarative mechanism, and to
<code>no-window</code> or <code>client</code> when called imperatively.</p>


</section>

@@ -1086,8 +1104,7 @@ <h3 class="heading settled" data-level="5.3" id="should-block-response"><span cl

<li>
If <a href="#categorize-settings-object">§5.1
Does settings object restrict mixed content?
</a> returns <code>Does Not Restrict
Does settings object restrict mixed content?</a> returns <code>Does Not Restrict
Mixed Content</code> when applied to <var>request</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-client">client</a>,
return <strong>allowed</strong>.

@@ -1122,8 +1139,9 @@ <h3 class="heading settled" data-level="5.3" id="should-block-response"><span cl


<p class="note" role="note">Note: This covers both cases in which unauthenticated resources are
requested, as well as cases in which the TLS handshake succeeds,
but the user agent chooses to hold it to a higher standard.</p>
returned (by a Service Worker, for example), as well as cases in
which the TLS handshake succeeds, but the user agent chooses to hold
it to a higher standard.</p>



@@ -1183,8 +1201,7 @@ <h2 class="heading settled" data-level="6" id="websockets-integration"><span cla
<li>
If <var>secure</var> is <strong>false</strong>, and the algorithm in
<a href="#categorize-settings-object">§5.1
Does settings object restrict mixed content?
</a> returns <code>Restricts Mixed
Does settings object restrict mixed content?</a> returns <code>Restricts Mixed
Content</code> when applied to <var>client</var>’s <var>entry
script</var>’s
<a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#relevant-settings-object-for-a-script">relevant settings
@@ -1275,8 +1292,7 @@ <h3 class="heading settled" data-level="7.2" id="requirements-forms"><span class


<p>If <a href="#categorize-settings-object">§5.1
Does settings object restrict mixed content?
</a> returns <code>Restricts Mixed
Does settings object restrict mixed content?</a> returns <code>Restricts Mixed
Content</code> when applied to a <code class="idl"><a data-link-type="idl" href="http://www.w3.org/TR/html5/dom.html#document">Document</a></code>'s <a data-link-type="dfn" href="http://www.w3.org/TR/html5/webappapis.html#incumbent-settings-object">incumbent settings
object</a>, then a user agent MAY choose to warn users of the presence of
one or more <a data-link-type="element" href="http://www.w3.org/TR/html5/forms.html#the-form-element">form</a> elements with <a data-link-type="element-attr" href="http://www.w3.org/TR/html5/forms.html#attr-fs-action">action</a>
@@ -682,14 +682,28 @@ <h3 id="should-block-fetch">
If <var>origin</var> is <a><i lang="la">a priori</i> insecure</a>:

<ol>
<li>
If <var>request</var>'s <code>window</code> is not an <a>environment
settings object</a> (e.g. it is either <code>client</code> or

This comment has been minimized.

Copy link
@annevk

annevk Jul 20, 2015

Member

You can just check for "no-window" here I think. By the time a request reaches Mixed Content "client" is normalized away.

This comment has been minimized.

Copy link
@mikewest

mikewest Jul 20, 2015

Author Member

Hrm. Ok, so how do we distinguish a document's fetch([insecure url goes here]) from fetch(event.response)?

I think the former starts with a window of "client", doesn't it?

This comment has been minimized.

Copy link
@annevk

annevk Jul 20, 2015

Member

Yeah, you can check if client equals window. (Or you could explicitly check client's global object being a Window object.)

<code>no-window</code>, return <strong>blocked</strong>.
</li>
<li>
If <var>request</var>'s <code>mode</code> is <code>CORS</code> or
<code>CORS-with-forced-preflight</code>, return
<strong>blocked</strong>.
</li>
<li>
If <var>context</var> is not an <a>optionally-blockable request
context</a>, return <strong>blocked</strong>.
If <var>context</var> is <code>fetch</code>:

<ol>
<li>
If <var>request</var>'s <code>mode</code> is not
<code>no-cors</code>, return <strong>blocked</strong>.
</li>
</ol>
<li>
Otherwise, if <var>context</var> is an <a>optionally-blockable
request context</a>, return <strong>blocked</strong>.
</li>
<li>
If the user agent is configured to block <a>optionally-blockable</a>
@@ -707,6 +721,12 @@ <h3 id="should-block-fetch">
return <strong>allowed</strong>.
</li>
</ol>

Note: We special-case <code>fetch</code> in order to allow Service Workers
to passthrough requests from Documents. We rely on the request's
<code>window</code> property to be set to an environment settings object
when a Document initiates a fetch via some declarative mechanism, and to
<code>no-window</code> or <code>client</code> when called imperatively.
</section>

<section>
@@ -753,8 +773,9 @@ <h3 id="should-block-response">
<code>authenticated</code>, return <strong>blocked</strong>.

Note: This covers both cases in which unauthenticated resources are
requested, as well as cases in which the TLS handshake succeeds,
but the user agent chooses to hold it to a higher standard.
returned (by a Service Worker, for example), as well as cases in
which the TLS handshake succeeds, but the user agent chooses to hold
it to a higher standard.
</li>
</ol>
</li>

0 comments on commit e577d4d

Please sign in to comment.
You can’t perform that action at this time.