Permalink
Browse files

Create a new reserved environment for cross-origin redirects

Previously, a navigation would create a reserved environment once and use it for all redirects. This commit changes that so a new environment is created on a cross-origin redirect.

We now also run CSP for each redirect.

See also w3c/ServiceWorker#1316.
  • Loading branch information...
mattto authored and annevk committed Oct 8, 2018
1 parent 18ca106 commit 45ddbd291d1ccd6feab734f6bcd7e222dc7d770e
Showing with 73 additions and 36 deletions.
  1. +73 −36 source
View
109 source
@@ -2835,6 +2835,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
<li><dfn data-x="concept-request-header-list" data-x-href="https://fetch.spec.whatwg.org/#concept-request-header-list">header list</dfn></li>
<li><dfn data-x="concept-request-body" data-x-href="https://fetch.spec.whatwg.org/#concept-request-body">body</dfn></li>
<li><dfn data-x="concept-request-client" data-x-href="https://fetch.spec.whatwg.org/#concept-request-client">client</dfn></li>
<li><dfn data-x="concept-request-current-url" data-x-href="https://fetch.spec.whatwg.org/#concept-request-current-url">current URL</dfn></li>
<li><dfn data-x="concept-request-reserved-client" data-x-href="https://fetch.spec.whatwg.org/#concept-request-reserved-client">reserved client</dfn></li>
<li><dfn data-x="concept-request-replaces-client-id" data-x-href="https://fetch.spec.whatwg.org/#concept-request-replaces-client-id">replaces client id</dfn></li>
<li><dfn data-x="concept-request-initiator" data-x-href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</dfn></li>
@@ -82092,54 +82093,90 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
data-x="concept-request-origin">origin</span> to that <span>browsing context scope
origin</span>.</p></li>
<li><p>Let <var>done</var> be false and <var>reservedEnvironment</var> be null.</p></li>
<li>
<p>Create a new <span>environment</span> <var>reservedEnvironment</var>, and set its <span
data-x="concept-environment-id">id</span> to a new unique opaque string, its <span
data-x="concept-environment-creation-url">creation URL</span> to <var>request</var>'s
<span>url</span>, and its <span data-x="concept-environment-target-browsing-context">target
browsing context</span> to <var>browsingContext</var>.</p>
<p>While <var>done</var> is false:</p>
<p class="note">The created environment's <span
data-x="concept-environment-active-service-worker">active service worker</span> is set in the
<span data-x="on-fetch-request-algorithm">handle fetch</span> algorithm during the fetch if its
<span data-x="concept-environment-creation-url">creation URL</span> matches a service worker
registration. <ref spec="SW"></p>
</li>
<ol>
<li><p>Let <var>currentURL</var> be <var>response</var>'s <span
data-x="concept-response-location-url">location URL</span>, if <var>response</var> is not null,
and <var>request</var>'s <span data-x="concept-request-current-url">current URL</span>
otherwise.</p></li>
<li><p>Set <var>request</var>'s <span data-x="concept-request-reserved-client">reserved
client</span> to <var>reservedEnvironment</var>.</p></li>
<li>
<p>If <var>reservedEnvironment</var> is not null and <var>currentURL</var>'s
<span data-x="concept-url-origin">origin</span> is not the <span
data-x="same origin">same</span> as <var>reservedEnvironment</var>'s <span
data-x="concept-environment-creation-url">creation URL</span>'s <span
data-x="concept-url-origin">origin</span>, then:</p>
<li>
<p>If the <span>Should navigation request of type from source in target be blocked by Content
Security Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon
<var>request</var>, <var>navigationType</var>, <var>sourceBrowsingContext</var>, and
<var>browsingContext</var>, then set <var>response</var> to a network error.
<ref spec="CSP"></p>
<ol>
<li><p>Run the <span>environment discarding steps</span> for
<var>reservedEnvironment</var>.</p></li>
<p>Otherwise:</p>
<li><p>Set <var>reservedEnvironment</var> to null.</p></li>
</ol>
</li>
<ol>
<!--FETCH--><li><p><span data-x="concept-fetch">Fetch</span> <var>request</var>.</p></li>
<li><p>If <var>reservedEnvironment</var> is null, then set <var>reservedEnvironment</var> to a
new <span>environment</span> whose <span data-x="concept-environment-id">id</span> is a
unique opaque string and <span
data-x="concept-environment-target-browsing-context">target browsing context</span> is
<var>browsingContext</var>.</p></li>
<li><p>Wait for the <span data-x="concept-task">task</span> on the <span>networking task
source</span> to <span>process response</span> and set <var>response</var> to the
result.</p></li>
</ol>
</li>
<li>
<p>Set <var>reservedEnvironment</var>'s <span
data-x="concept-environment-creation-url">creation URL</span> to <var>currentURL</var>.</p>
<p class="note">The created environment's <span
data-x="concept-environment-active-service-worker">active service worker</span> is set in the
<span data-x="on-fetch-request-algorithm">Handle Fetch</span> algorithm during the fetch if
the request URL matches a service worker registration. <ref spec="SW"></p>
</li>
<li id="navigate-redirect-step">
<p>If <var>response</var> has a <span data-x="concept-response-location-url">location URL</span>
and it is either failure or a <span>URL</span> whose <span
data-x="concept-url-scheme">scheme</span> is an <span>HTTP(S) scheme</span>, then set
<var>response</var> to the result of performing <span>HTTP-redirect fetch</span> using
<var>request</var> and <var>response</var> and then run this step again.</p>
<li><p>Set <var>request</var>'s <span data-x="concept-request-reserved-client">reserved
client</span> to <var>reservedEnvironment</var>.</p></li>
<p class="note">Navigation handles redirects manually as navigation is the only place in the web
platform that cares for redirects to <code data-x="mailto protocol">mailto:</code> URLs and
such.</p>
<li><p>If the <span>Should navigation request of type from source in target be blocked by
Content Security Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when
executed upon <var>request</var>, <var>navigationType</var>, <var>sourceBrowsingContext</var>,
and <var>browsingContext</var>, then set <var>response</var> to a <span>network error</span>
and set <var>done</var> to true. <ref spec="CSP"></p></li>
<li>
<p>Otherwise:</p>
<ol>
<li><p>If <var>response</var> is null, <!--FETCH--><span
data-x="concept-fetch">fetch</span> <var>request</var>.</p></li>
<li><p>Otherwise, perform <span>HTTP-redirect fetch</span> using
<var>request</var> and <var>response</var>.</p></li>
<li><p>Wait for the <span data-x="concept-task">task</span> on the <span>networking task
source</span> to <span>process response</span> and set <var>response</var> to the
result.</p></li>
<li>
<p>If <var>response</var> does not have a <span
data-x="concept-response-location-url">location URL</span> or the <span
data-x="concept-response-location-url">location URL</span> is not a <span>URL</span> whose
<span data-x="concept-url-scheme">scheme</span> is an <span>HTTP(S) scheme</span>,
then set <var>done</var> to true.</p>
<p class="note">Navigation handles redirects manually as navigation is the only place in
the web platform that cares for redirects to <code data-x="mailto protocol">mailto:</code>
URLs and such.</p>
</li>
</ol>
</li>
</ol>
</li>
<li><p>If <var>response</var>'s <span data-x="concept-response-location-url">location URL</span>
is failure, then set <var>response</var> to a <span>network error</span>.</p></li>
<li><p>Otherwise, if <var>response</var> has a <span
data-x="concept-response-location-url">location URL</span> that is a <span>URL</span> whose <span
data-x="concept-url-scheme">scheme</span> is "<code data-x="">blob</code>", "<code

0 comments on commit 45ddbd2

Please sign in to comment.