Upstream navigation hooks from CSP

This will enable implementation of 'frame-ancestors' and 'form-action', and makes a bit of progress towards #1230.
whatwg · Aug 18, 2016 · 2083b00 · 2083b00
1 parent bae9fc5
commit 2083b00
Showing 1 changed file with 64 additions and 25 deletions.
diff --git a/source b/source
@@ -3942,6 +3942,8 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialize-global-object-csp">Initialize a global object's CSP list</dfn> algorithm</li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialize-document-csp">Initialize a Document's CSP list</dfn> algorithm</li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-inline">Should element's inline behavior be blocked by Content Security Policy?</dfn> algorithm</li>
+     <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-navigation-request">Should navigation request of type from source in target be blocked by Content Security Policy?</dfn> algorithm</li>
+     <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-navigation-response">Should navigation response to navigation request of type from source in target be blocked by Content Security Policy?</dfn> algorithm</li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#report-uri"><code data-x="">report-uri</code> directive</dfn></li>
      <li>The <dfn data-noexport="" data-x="csp-EnsureCSPDoesNotBlockStringCompilation" data-x-href="https://w3c.github.io/webappsec-csp/#can-compile-strings">EnsureCSPDoesNotBlockStringCompilation</dfn> abstract operation</li>
      <li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#allow-base-for-document">Is base allowed for Document?</dfn> algorithm</li>
@@ -81893,6 +81895,11 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
 
    </li>
 
+   <li><p>Let <var>navigationType</var> be "<code data-x="">form-submission</code>" if the <span
+   data-x="navigate">navigation algorithm</span> was invoked as a result of the <span
+   data-x="concept-form-submit">form submission algorithm</span>, and "<code data-x="">other</code>"
+   otherwise.</p></li>
+
    <li><p>Return to whatever algorithm invoked the navigation steps and continue running these steps
    <span>in parallel</span>.</p></li>
 
@@ -81904,7 +81911,8 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
     <dl>
 
      <dt>If <var>resource</var> is a <span data-x="concept-response">response</span></dt>
-     <dd><p>Run <span>process a navigate response</span> with <var>resource</var> and
+     <dd><p>Run <span>process a navigate response</span> with null, <var>resource</var>,
+     <var>navigationType</var>, the <span>source browsing context</span>, and
      <var>browsingContext</var>, and then abort these steps.</p></dd>
 
      <dt>If <var>resource</var> is a <span data-x="concept-request">request</span> whose <span
@@ -81987,7 +81995,8 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
         the <span>override URL</span>.</p>
        </li>
 
-       <li><p>Run <span>process a navigate response</span> with <var>response</var> and
+       <li><p>Run <span>process a navigate response</span> with <var>resource</var>,
+       <var>response</var>, <var>navigationType</var>, the <span>source browsing context</span>, and
        <var>browsingContext</var>, and then abort these steps.</p></li>
       </ol>
 
@@ -82042,8 +82051,8 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
      <dt>If <var>resource</var> is a <span data-x="concept-request">request</span> whose <span
      data-x="concept-request-url">url</span>'s <span data-x="concept-url-scheme">scheme</span>
      is a <span>fetch scheme</span></dt>
-     <dd><p>Run <span>process a navigate fetch</span> given <var>resource</var> and
-     <var>browsingContext</var>.</p></dd>
+     <dd><p>Run <span>process a navigate fetch</span> given <var>resource</var>, the <span>source
+     browsing context</span>, and <var>browsing context</var>, and <var>type</var>.</p></dd>
 
      <dt>Otherwise, <var>resource</var> is a <span data-x="concept-request">request</span> whose
      <span data-x="concept-request-url">url</span>'s <span data-x="concept-url-scheme">scheme</span>
@@ -82056,14 +82065,15 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
   </ol>
 
   <p>To <dfn data-export="">process a navigate fetch</dfn>, given a <span
-  data-x="concept-request">request</span> <var>request</var> and <span>browsing context</span>
-  <var>browsingContext</var>, run these steps:</p>
+  data-x="concept-request">request</span> <var>request</var>, <span>browsing context</span>
+  <var>sourceBrowsingContext</var>, <span>browsing context</span> <var>browsingContext</var>, and
+  string <var>type</var>, run these steps:</p>
 
   <ol>
    <li><p>Let <var>response</var> be null.</p></li>
 
-   <li><p>Set <var>request</var>'s <span data-x="concept-request-client">client</span> to the
-   <span>source browsing context</span>'s <span>active document</span>'s <span>relevant settings
+   <li><p>Set <var>request</var>'s <span data-x="concept-request-client">client</span> to
+   <var>sourceBrowsingContext</var>'s <span>active document</span>'s <span>relevant settings
    object</span>, <span data-x="concept-request-target-browsing-context">target browsing
    context</span> to <var>browsingContext</var>, <span
    data-x="concept-request-destination">destination</span> to "<code data-x="">document</code>",
@@ -82076,23 +82086,35 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
    <li><p>Set <var>request</var>'s <span>omit-<code>Origin</code>-header flag</span>.
 
    <li><p>If <var>request</var>'s <span data-x="concept-request-method">method</span> is not `<code
-   data-x="">GET</code>`, or, if the <span data-x="navigate">navigation algorithm</span> was invoked
-   as a result of the <span data-x="concept-form-submit">form submission algorithm</span>, then if
-   there is an <span>origin</span> of the <span>active document</span> of the <span>source browsing
-   context</span>, unset <var>request</var>'s <span>omit-<code>Origin</code>-header
-   flag</span>.</p></li>
+   data-x="">GET</code>`, or, if <var>type</var> is "<code data-x="">form-submission</code>", then
+   if there is an <span>origin</span> of the <span>active document</span> of
+   <var>sourceBrowsingContext</var>, unset <var>request</var>'s
+   <span>omit-<code>Origin</code>-header flag</span>.</p></li>
 
    <li><p>Otherwise, if <var>browsingContext</var> is a <span>child browsing context</span>, and the
    <span>browsing context container</span> of <var>browsingContext</var> has a <span>browsing
    context scope origin</span>, set <var>request</var>'s <span
    data-x="concept-request-origin">origin</span> to that <span>browsing context scope origin</span>
    and unset <var>request</var>'s <span>omit-<code>Origin</code>-header flag</span>.</p></li>
 
-   <!--FETCH--><li><p><span data-x="concept-fetch">Fetch</span> <var>request</var>.</p></li>
+   <li>
+    <p>If the <span>Should navigation request of type from source in target be blocked by Content
+    Security Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon
+    <var>request</var>, <var>navigationType</var>, <var>sourceBrowsingContext</var>, and
+    <var>browsingContext</var>, then set <var>response</var> to a network error.
+    <ref spec="CSP"></p>
+
+    <p>Otherwise:</p>
+
+    <ol>
+     <!--FETCH--><li><p><span data-x="concept-fetch">Fetch</span> <var>request</var>.</p></li>
+
+     <li><p>Wait for the <span data-x="concept-task">task</span> on the <span>networking task
+     source</span> to <span>process response</span> and set <var>response</var> to the
+     result.</p></li>
+    </ol>
+   </li>
 
-   <li><p>Wait for the <span data-x="concept-task">task</span> on the <span>networking task
-   source</span> to <span>process response</span> and set <var>response</var> to the
-   result.</p></li>
 
    <li id="navigate-redirect-step">
     <p>If <var>response</var> has a <span data-x="concept-response-location-url">location URL</span>
@@ -82117,7 +82139,8 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
    data-x="concept-url-scheme">scheme</span> is a <span>fetch scheme</span>, then run
    <span>process a navigate fetch</span> with a new <span data-x="concept-request">request</span>
    whose <span data-x="concept-request-url">url</span> is <var>response</var>'s <span
-   data-x="concept-response-location-url">location URL</span>.
+   data-x="concept-response-location-url">location URL</span>, <var>sourceBrowsingContext</var>,
+   <var>browsingContext</var>, and <var>type</var>.
 
    <li><p>Otherwise, if <var>response</var> has a <span
    data-x="concept-response-location-url">location URL</span> that is a <span>URL</span>, run the
@@ -82185,20 +82208,36 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
     the fallback response actually is.</p>
    </li>
 
-   <li><p>Run <span>process a navigate response</span> given <var>response</var> and
+   <li><p>Run <span>process a navigate response</span> given <var>request</var>,
+   <var>response</var>, <var>navigationType</var>, the <span>source browsing context</span>, and
    <var>browsingContext</var>.</p></li>
   </ol>
 
   <p>To <dfn data-export="">process a navigate response</dfn>, given a <span
-  data-x="concept-response">response</span> <var>response</var> and <span>browsing context</span>
-  <var>browsingContext</var>, run these steps:</p>
+  data-x="concept-request">request</span> <var>request</var>, a <span
+  data-x="concept-response">response</span> <var>response</var>, a string <var>type</var>, and two
+  <span>browsing contexts</span> <var>source</var> and <var>browsingContext</var>, run these
+  steps:</p>
 
   <ol>
    <li>
-    <p>If <var>response</var> is a network error, then <span
-    data-x="navigate-ua-inline">display the inline content with an appropriate error shown to the
-    user</span>, with the newly created <code>Document</code> object's <span>origin</span> set to a
-    new <span data-x="concept-origin-opaque">opaque origin</span>, and abort these steps.</p>
+    <p>If any of the following are true, then <span data-x="navigate-ua-inline">display the inline
+    content with an appropriate error shown to the user</span>, with the newly created
+    <code>Document</code> object's <span>origin</span> set to a new <span
+    data-x="concept-origin-opaque">opaque origin</span>, and abort these steps.</p>
+
+    <ul>
+     <li><p><var>response</var> is a network error.</p></li>
+
+     <li><p class="&#x0058;&#x0058;&#x0058;">TODO: Define <code data-x="">X-Frame-Options</code>
+     processing here [<a
+     href="https://github.com/whatwg/html/issue/1230">whatwg/html#1230</a>].</p></li>
+
+     <li><p>The <span>Should navigation response to navigation request of type from source in target
+     be blocked by Content Security Policy?</span> algorithm returns "<code
+     data-x="">Blocked</code>" when executed upon <var>request</var>, <var>response</var>,
+     <var>type</var>, <var>source</var>, and <var>browsingContext</var>. <ref spec="CSP"></p></li>
+    </ul>
 
     <p class="note">This is where the network errors defined and propagated by the WHATWG Fetch
     standard, such as DNS or TLS errors, end up being displayed to users. <ref spec=FETCH></p>