
Pass parser metadata to Fetch

In order for CSP to correctly implement the 'unsafe-dynamic' source expression, HTML needs to teach Fetch about the parser-insertedness that ought to be associated with script requests.

See w3c/webappsec-csp#70 for context.

The Fetch side of this patch is whatwg/fetch#285.
mikewest authored and annevk committed Apr 15, 2016
1 parent 6412172 commit e6500b90244376c023e7b78642dbc7b86829233f
Showing with 48 additions and 24 deletions.
  1. +48 −24 source
72 source
<li><dfn data-noexport="" data-x="concept-request-cache-mode" data-x-href="https://fetch.spec.whatwg.org/#concept-request-cache-mode">cache mode</dfn>
<li><dfn data-noexport="" data-x="concept-request-redirect-mode" data-x-href="https://fetch.spec.whatwg.org/#concept-request-redirect-mode">redirect mode</dfn>
<li><dfn data-noexport="" data-x="concept-request-nonce-metadata" data-x-href="https://fetch.spec.whatwg.org/#concept-request-nonce-metadata">cryptographic nonce metadata</dfn>
<li><dfn data-noexport="" data-x="concept-request-parser-metadata" data-x-href="https://fetch.spec.whatwg.org/#concept-request-parser-metadata">parser metadata</dfn>
</ul>
</ul>


</li>

<li><p>Let <var>parser state</var> be "<code data-x="">parser-inserted</code>" if the
<code>script</code> element has been flagged as <span>"parser-inserted"</span>, and
"<code data-x="">not parser-inserted</code>" otherwise.</p></li>

<li><p>Let <var>settings</var> be the element's <span>node document</span>'s
<code>Window</code> object's <span>environment settings object</span>.</p></li>
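Review bot: the new "Let parser state be ..." step derives the value solely from whether the script element carries the "parser-inserted" flag, so a script inserted through DOM APIs rather than by the parser yields "not parser-inserted"; since that distinction is exactly what the 'unsafe-dynamic' source expression named in the commit message keys on, a short note here (or a cross-reference to where the flag is set) would let readers verify which insertion paths end up flagged.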

<dt>"<code data-x="">classic</code>"</dt>
<dd>
<p><span>Fetch a classic script</span> given <var>url</var>, <var>CORS setting</var>,
<var>cryptographic nonce</var>, <var>settings</var>, and <var>encoding</var>.</p>
<var>cryptographic nonce</var>, <var>parser state</var>, <var>settings</var>, and
<var>encoding</var>.</p>
</dd>

<dt>"<code data-x="">module</code>"</dt>
</li>

<li><p><span>Fetch a module script tree</span> given <var>url</var>, <var>credentials
mode</var>, <var>cryptographic nonce</var>, "<code data-x="">script</code>", and
<var>settings</var>.</p></li>
mode</var>, <var>cryptographic nonce</var>, <var>parser state</var>, "<code
data-x="">script</code>", and <var>settings</var>.</p></li>
</ol>
</dd>
</dl>

</dd>

<dt>A <dfn data-x="concept-module-script-parser">parser state</dfn></dt>

<dd>

<p>The <span data-x="concept-request-parser-metadata">parser metadata</span> used to fetch
imported modules.</p>

</dd>

</dl>

<hr>
algorithms with its own options for the hooks. <ref spec=SW></p>

<p>To <dfn>fetch a classic script</dfn> for a <code>script</code> element <var>element</var>,
given a <var>url</var>, a <var>CORS setting</var>, a <var>cryptographic nonce</var>, a
<var>settings object</var>, and a <var>character encoding</var>, run these steps. The algorithm
will asynchronously complete with either null (on failure) or a new <span>classic script</span>
(on success).</p>
given a <var>url</var>, a <var>CORS setting</var>, a <var>cryptographic nonce</var>, a <var>parser
state</var>, a <var>settings object</var>, and a <var>character encoding</var>, run these steps.
The algorithm will asynchronously complete with either null (on failure) or a new <span>classic
script</span> (on success).</p>

<ol>
<li><p>Let <var>request</var> be the result of <span data-x="create a potential-CORS
<li><p>Set <var>request</var>'s <span data-x="concept-request-client">client</span> to
<var>settings object</var>, its <span data-x="concept-request-type">type</span> to "<code
data-x="">script</code>", its <span data-x="concept-request-destination">destination</span>
to "<code data-x="">script</code>", and its <span
to "<code data-x="">script</code>", its <span
data-x="concept-request-nonce-metadata">cryptographic nonce metadata</span> to
<var>cryptographic nonce</var>.</p></li>
<var>cryptographic nonce</var>, and its <span data-x="concept-request-parser-metadata">parser
metadata</span> to <var>parser state</var>.</p></li>

<li><p>If the caller specified custom steps to <span data-x="fetching-scripts-set-up-request">set
up the request</span>, perform them on <var>request</var>.</p></li>
data-x="concept-request-referrer">referrer</span> is <var>referrer</var>, <span
data-x="concept-request-mode">mode</span> is "<code data-x="">same-origin</code>", <span
data-x="concept-request-credentials-mode">credentials mode</span> is "<code
data-x="">same-origin</code>", and whose <span>use-URL-credentials flag</span> is set.</p></li>
data-x="">same-origin</code>", <span data-x="concept-request-parser-metadata">parser
metadata</span> is "<code data-x="">not parser-inserted</code>", and whose
<span>use-URL-credentials flag</span> is set.</p></li>

<li><p>If the caller specified custom steps to <span data-x="fetching-scripts-set-up-request">set
up the request</span>, perform them on <var>request</var>.</p></li>
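Review bot: the request set-up in this hunk fixes parser metadata to the literal "not parser-inserted" instead of a caller-supplied parser state, and the worker module branch later in this patch does the same; a one-line note explaining why a caller-supplied parser state is not needed on this path would make the hardcoded value easier to audit once the Fetch side (whatwg/fetch#285) lands.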
</ol>

<p>To <dfn>fetch a module script tree</dfn> given a <var>url</var>, a <var>credentials mode</var>,
a <var>cryptographic nonce</var>, a <var>destination</var>, a <var>settings object</var>, and an
optional <var>ancestor list</var>, run these steps. The algorithm will asynchronously complete with
either null (on failure) or a <span>module script</span> (on success).</p>
a <var>cryptographic nonce</var>, a <var>parser state</var>, a <var>destination</var>, a
<var>settings object</var>, and an optional <var>ancestor list</var>, run these steps. The
algorithm will asynchronously complete with either null (on failure) or a <span>module
script</span> (on success).</p>

<ol>
<li><p>If <var>ancestor list</var> is not given, let it be an empty list.</p></li>

<li><p><span>Fetch a single module script</span> given <var>url</var>, <var>credentials
mode</var>, <var>cryptographic nonce</var>, <var>destination</var>, and <var>settings
object</var>. If the caller of this algorithm specified custom <span
mode</var>, <var>cryptographic nonce</var>, <var>parser state</var>, <var>destination</var>, and
<var>settings object</var>. If the caller of this algorithm specified custom <span
data-x="fetching-scripts-set-up-request">set up the request</span> or <span
data-x="fetching-scripts-process-response">process the response</span> steps, pass those along
while <span data-x="fetch a single module script">fetching a single module script</span>.</p>
<var>url</var>, <var>module script</var>'s <span
data-x="concept-module-script-credentials-mode">credentials mode</span>, <var>module
script</var>'s <span data-x="concept-module-script-nonce">cryptographic nonce</span>,
<var>module script</var>'s <span data-x="concept-module-script-parser">parser state</span>,
<var>destination</var>, <var>module script</var>'s <span>settings object</span>, and
<var>ancestor list</var>.</p>

</ol>
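Review bot: in the descendant step of this hunk the fetch of an imported module is given the importing module script's parser state, so imports of a parser-inserted module are themselves requested as "parser-inserted"; please confirm that this is intended (imports are never literally inserted by the HTML parser) and say so in the definition of the module script's parser state, which currently only states that it is the metadata used to fetch imported modules.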

<p>To <dfn>fetch a single module script</dfn>, given a <var>url</var>, a <var>credentials
mode</var>, a <var>cryptographic nonce</var>, a <var>destination</var>, and a <var>settings
object</var>, run these steps. The algorithm will asynchronously complete with either null (on
failure) or a <span>module script</span> (on success).</p>
mode</var>, a <var>cryptographic nonce</var>, a <var>parser state</var>, a <var>destination</var>,
and a <var>settings object</var>, run these steps. The algorithm will asynchronously complete with
either null (on failure) or a <span>module script</span> (on success).</p>

<ol>
<li><p>Let <var>module map</var> be <var>settings</var>'s <span>module map</span>.</p></li>
data-x="concept-request-mode">mode</span> is "<code data-x="">cors</code>", <span
data-x="concept-request-credentials-mode">credentials mode</span> is <var>credentials
mode</var>, <span data-x="concept-request-nonce-metadata">cryptographic nonce metadata</span> is
<var>cryptographic nonce</var>, and <span data-x="concept-request-client">client</span> is
<var>settings object</var>.</p></li>
<var>cryptographic nonce</var>, <span data-x="concept-request-parser-metadata">parser
metadata</span> is <var>parser state</var>and <span data-x="concept-request-client">client</span>
is <var>settings object</var>.</p></li>

<li><p>If the caller specified custom steps to <span data-x="fetching-scripts-set-up-request">set
up the request</span>, perform them on <var>request</var>.</p></li>
</ol>
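Review bot: the added line "parser metadata</span> is <var>parser state</var>and <span" is missing the comma and space before "and"; it should read "... is <var>parser state</var>, and <span ...>client</span> is <var>settings object</var>" to keep the punctuation of the line it replaces.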

<p>To <dfn data-x="creating a module script">create a module script</dfn>, given some script
source, an <span>environment settings object</span>, a script base URL, a credentials mode, and
a cryptographic nonce:</p>
source, an <span>environment settings object</span>, a script base URL, a credentials mode, a
cryptographic nonce, and a parser state:</p>

<ol>

<li><p>Set <var>script</var>'s <span data-x="concept-module-script-nonce">cryptographic
nonce</span> to the cryptographic nonce provided.</p></li>

<li><p>Set <var>script</var>'s <span data-x="concept-module-script-parser">parser state</span>
to the parser state.</p></li>

<li><p>Return <var>script</var>.</p></li>

</ol>
<dt>"<code data-x="">module</code>"</dt>
<dd><span>Fetch a module script tree</span> given <var>url</var>, the value of the <code
data-x="">credentials</code> member of <var>options</var>, the empty string (as no
<var>cryptographic nonce</var> is present for workers), <var>destination</var>, and
<var>settings object</var>.</dd>
<var>cryptographic nonce</var> is present for workers), "<code data-x="">not
parser-inserted</code>", <var>destination</var>, and <var>settings object</var>.</dd>
</dl>

<p>In both cases, to <span data-x="fetching-scripts-process-response">process the

0 comments on commit e6500b9
