
Upstream navigation hooks from CSP

This will enable implementation of 'frame-ancestors' and 'form-action', and makes a bit of progress towards #1230.
mikewest authored and annevk committed Aug 18, 2016
1 parent bae9fc5 commit 2083b0053a059f692a0a95547ba9b6bd0c511094
Showing with 64 additions and 25 deletions.
  1. +64 −25 source
source (89 changes: 64 additions, 25 deletions)
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialize-global-object-csp">Initialize a global object's CSP list</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialize-document-csp">Initialize a Document's CSP list</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-inline">Should element's inline behavior be blocked by Content Security Policy?</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-navigation-request">Should navigation request of type from source in target be blocked by Content Security Policy?</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-navigation-response">Should navigation response to navigation request of type from source in target be blocked by Content Security Policy?</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#report-uri"><code data-x="">report-uri</code> directive</dfn></li>
<li>The <dfn data-noexport="" data-x="csp-EnsureCSPDoesNotBlockStringCompilation" data-x-href="https://w3c.github.io/webappsec-csp/#can-compile-strings">EnsureCSPDoesNotBlockStringCompilation</dfn> abstract operation</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#allow-base-for-document">Is base allowed for Document?</dfn> algorithm</li>

</li>

<li><p>Let <var>navigationType</var> be "<code data-x="">form-submission</code>" if the <span
data-x="navigate">navigation algorithm</span> was invoked as a result of the <span
data-x="concept-form-submit">form submission algorithm</span>, and "<code data-x="">other</code>"
otherwise.</p></li>

<li><p>Return to whatever algorithm invoked the navigation steps and continue running these steps
<span>in parallel</span>.</p></li>

<dl>

<dt>If <var>resource</var> is a <span data-x="concept-response">response</span></dt>
<dd><p>Run <span>process a navigate response</span> with <var>resource</var> and
<dd><p>Run <span>process a navigate response</span> with null, <var>resource</var>,
<var>navigationType</var>, the <span>source browsing context</span>, and
<var>browsingContext</var>, and then abort these steps.</p></dd>
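Review bot: the response branch now passes null as the request argument to process a navigate response, but the response-side check added later in this commit is executed "upon request, response, type, source, and browsingContext"; the hunk should say what that check does when request is null (skip it, or evaluate it against a request synthesised for the response's URL), otherwise this case reaches the CSP response hook with nothing for it to check.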

<dt>If <var>resource</var> is a <span data-x="concept-request">request</span> whose <span
the <span>override URL</span>.</p>
</li>

<li><p>Run <span>process a navigate response</span> with <var>response</var> and
<li><p>Run <span>process a navigate response</span> with <var>resource</var>,
<var>response</var>, <var>navigationType</var>, the <span>source browsing context</span>, and
<var>browsingContext</var>, and then abort these steps.</p></li>
</ol>

<dt>If <var>resource</var> is a <span data-x="concept-request">request</span> whose <span
data-x="concept-request-url">url</span>'s <span data-x="concept-url-scheme">scheme</span>
is a <span>fetch scheme</span></dt>
<dd><p>Run <span>process a navigate fetch</span> given <var>resource</var> and
<var>browsingContext</var>.</p></dd>
<dd><p>Run <span>process a navigate fetch</span> given <var>resource</var>, the <span>source
browsing context</span>, and <var>browsing context</var>, and <var>type</var>.</p></dd>

<dt>Otherwise, <var>resource</var> is a <span data-x="concept-request">request</span> whose
<span data-x="concept-request-url">url</span>'s <span data-x="concept-url-scheme">scheme</span>
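Review bot: the new call "Run process a navigate fetch given resource, the source browsing context, and browsing context, and type" has two naming problems: `<var>browsing context</var>` is not the variable name used everywhere else in this algorithm (`<var>browsingContext</var>`), and `<var>type</var>` is not defined in the navigate algorithm, which names this value `<var>navigationType</var>` in the step added earlier in this commit. Suggest: "Run process a navigate fetch given resource, the source browsing context, browsingContext, and navigationType."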
</ol>

<p>To <dfn data-export="">process a navigate fetch</dfn>, given a <span
data-x="concept-request">request</span> <var>request</var> and <span>browsing context</span>
<var>browsingContext</var>, run these steps:</p>
data-x="concept-request">request</span> <var>request</var>, <span>browsing context</span>
<var>sourceBrowsingContext</var>, <span>browsing context</span> <var>browsingContext</var>, and
string <var>type</var>, run these steps:</p>

<ol>
<li><p>Let <var>response</var> be null.</p></li>

<li><p>Set <var>request</var>'s <span data-x="concept-request-client">client</span> to the
<span>source browsing context</span>'s <span>active document</span>'s <span>relevant settings
<li><p>Set <var>request</var>'s <span data-x="concept-request-client">client</span> to
<var>sourceBrowsingContext</var>'s <span>active document</span>'s <span>relevant settings
object</span>, <span data-x="concept-request-target-browsing-context">target browsing
context</span> to <var>browsingContext</var>, <span
data-x="concept-request-destination">destination</span> to "<code data-x="">document</code>",
<li><p>Set <var>request</var>'s <span>omit-<code>Origin</code>-header flag</span>.

<li><p>If <var>request</var>'s <span data-x="concept-request-method">method</span> is not `<code
data-x="">GET</code>`, or, if the <span data-x="navigate">navigation algorithm</span> was invoked
as a result of the <span data-x="concept-form-submit">form submission algorithm</span>, then if
there is an <span>origin</span> of the <span>active document</span> of the <span>source browsing
context</span>, unset <var>request</var>'s <span>omit-<code>Origin</code>-header
flag</span>.</p></li>
data-x="">GET</code>`, or, if <var>type</var> is "<code data-x="">form-submission</code>", then
if there is an <span>origin</span> of the <span>active document</span> of
<var>sourceBrowsingContext</var>, unset <var>request</var>'s
<span>omit-<code>Origin</code>-header flag</span>.</p></li>

<li><p>Otherwise, if <var>browsingContext</var> is a <span>child browsing context</span>, and the
<span>browsing context container</span> of <var>browsingContext</var> has a <span>browsing
context scope origin</span>, set <var>request</var>'s <span
data-x="concept-request-origin">origin</span> to that <span>browsing context scope origin</span>
and unset <var>request</var>'s <span>omit-<code>Origin</code>-header flag</span>.</p></li>

<!--FETCH--><li><p><span data-x="concept-fetch">Fetch</span> <var>request</var>.</p></li>
<li>
<p>If the <span>Should navigation request of type from source in target be blocked by Content
Security Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon
<var>request</var>, <var>navigationType</var>, <var>sourceBrowsingContext</var>, and
<var>browsingContext</var>, then set <var>response</var> to a network error.
<ref spec="CSP"></p>

<p>Otherwise:</p>

<ol>
<!--FETCH--><li><p><span data-x="concept-fetch">Fetch</span> <var>request</var>.</p></li>

<li><p>Wait for the <span data-x="concept-task">task</span> on the <span>networking task
source</span> to <span>process response</span> and set <var>response</var> to the
result.</p></li>
</ol>
</li>

<li><p>Wait for the <span data-x="concept-task">task</span> on the <span>networking task
source</span> to <span>process response</span> and set <var>response</var> to the
result.</p></li>
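Review bot: the pre-request check "If the Should navigation request of type from source in target be blocked by Content Security Policy? algorithm returns "Blocked" when executed upon request, navigationType, sourceBrowsingContext, and browsingContext" references `<var>navigationType</var>`, but the parameter this algorithm declares is `<var>type</var>`; one name should be used throughout. The ordering itself is right: the check runs before Fetch, so a form-action or frame-ancestors target that the policy rejects never produces a network request, and the resulting network error flows into the existing error-display path in process a navigate response.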

<li id="navigate-redirect-step">
<p>If <var>response</var> has a <span data-x="concept-response-location-url">location URL</span>
data-x="concept-url-scheme">scheme</span> is a <span>fetch scheme</span>, then run
<span>process a navigate fetch</span> with a new <span data-x="concept-request">request</span>
whose <span data-x="concept-request-url">url</span> is <var>response</var>'s <span
data-x="concept-response-location-url">location URL</span>.
data-x="concept-response-location-url">location URL</span>, <var>sourceBrowsingContext</var>,
<var>browsingContext</var>, and <var>type</var>.

<li><p>Otherwise, if <var>response</var> has a <span
data-x="concept-response-location-url">location URL</span> that is a <span>URL</span>, run the
the fallback response actually is.</p>
</li>
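Review bot: the redirect step now re-enters process a navigate fetch with sourceBrowsingContext and type, so the pre-request CSP check repeats for every redirect hop rather than only for the first URL; that is what stops a form-action allow-list being bypassed through a permitted origin that redirects elsewhere, and the commit message should call it out since it is the main observable behaviour for implementers. Because the recursive call starts at the top of the algorithm, the new request also gets its client, target browsing context and destination set again before the check runs, so no extra wording is needed for that.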

<li><p>Run <span>process a navigate response</span> given <var>response</var> and
<li><p>Run <span>process a navigate response</span> given <var>request</var>,
<var>response</var>, <var>navigationType</var>, the <span>source browsing context</span>, and
<var>browsingContext</var>.</p></li>
</ol>
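Review bot: the final call passes "the source browsing context" where the rest of process a navigate fetch, after this commit, uses the parameter `<var>sourceBrowsingContext</var>` (see the client-setting step and the pre-request CSP check); use the variable here so the browsing context handed to the response-side CSP check is the one the caller supplied rather than the navigate algorithm's implicit one.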

<p>To <dfn data-export="">process a navigate response</dfn>, given a <span
data-x="concept-response">response</span> <var>response</var> and <span>browsing context</span>
<var>browsingContext</var>, run these steps:</p>
data-x="concept-request">request</span> <var>request</var>, a <span
data-x="concept-response">response</span> <var>response</var>, a string <var>type</var>, and two
<span>browsing contexts</span> <var>source</var> and <var>browsingContext</var>, run these
steps:</p>
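Review bot: the new signature names its browsing-context parameter `<var>source</var>` while process a navigate fetch calls the same value `<var>sourceBrowsingContext</var>`, and the argument order here (request, response, type, source, browsingContext) differs from the order the fetch algorithm uses (request, sourceBrowsingContext, browsingContext, type); aligning the names and order would make the call sites changed in this commit easier to check for mis-threaded arguments.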

<ol>
<li>
<p>If <var>response</var> is a network error, then <span
data-x="navigate-ua-inline">display the inline content with an appropriate error shown to the
user</span>, with the newly created <code>Document</code> object's <span>origin</span> set to a
new <span data-x="concept-origin-opaque">opaque origin</span>, and abort these steps.</p>
<p>If any of the following are true, then <span data-x="navigate-ua-inline">display the inline
content with an appropriate error shown to the user</span>, with the newly created
<code>Document</code> object's <span>origin</span> set to a new <span
data-x="concept-origin-opaque">opaque origin</span>, and abort these steps.</p>

<ul>
<li><p><var>response</var> is a network error.</p></li>

<li><p class="&#x0058;&#x0058;&#x0058;">TODO: Define <code data-x="">X-Frame-Options</code>
processing here [<a
href="https://github.com/whatwg/html/issue/1230">whatwg/html#1230</a>].</p></li>

<li><p>The <span>Should navigation response to navigation request of type from source in target
be blocked by Content Security Policy?</span> algorithm returns "<code
data-x="">Blocked</code>" when executed upon <var>request</var>, <var>response</var>,
<var>type</var>, <var>source</var>, and <var>browsingContext</var>. <ref spec="CSP"></p></li>
</ul>

<p class="note">This is where the network errors defined and propagated by the WHATWG Fetch
standard, such as DNS or TLS errors, end up being displayed to users. <ref spec=FETCH></p>
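Review bot: the link in the X-Frame-Options TODO points at https://github.com/whatwg/html/issue/1230; GitHub issue URLs use the path segment /issues/, so this should be https://github.com/whatwg/html/issues/1230 (the commit message refers to the same issue as #1230). Separately, the note after the list still says only that Fetch network errors are displayed here; since this commit turns a CSP-blocked navigation request into a network error before any request is sent, and routes a CSP-blocked response through the same list, the note could say that both CSP outcomes end in the same opaque-origin error page.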
