You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I found the following comment in html/cross-origin-opener-policy/navigate-to-aboutblank.https.html WPT test:
Non-initial empty documents (about:blank) should inherit their
cross-origin-opener-policy from the navigation's initiator top level document,
if the initiator and its top level document are same-origin, or default
(unsafe-none) otherwise.
For the first subtest in the test, we have:
A top document of origin A with COOP=same-origin
A child frame of origin A
The child frame opens a new popup to origin A with COOP=same-origin
The child frame navigates the popup to about:blank
The subtest does not expect a browsing context group switch, which I find a bit surprising based on the specification.
Let's consider the final navigation to non-initial "about:blank):
From navigate a fetch (Step 12.5.5):
Set responseOrigin to the result of determining the origin given browsingContext, request's URL, finalSandboxFlags, and incumbentNavigationOrigin.
I believe this would set responseOrigin to origin A (resolved from incumbentNavigationOrigin).
Then step 12.5.6.1 says:
Set responseCOOP to the result of obtaining a cross-origin opener policy given response and request's reserved client.
I believe this would set responseCOOP to 'unsafe-none', no? Since I don't expect the response for about:blank to contain any COOP HTTP header.
If so, this would mean that step 12.5.6.3 would call 'enforcing the response's cross-origin opener policy' and we would decide to do a browsing context group switch. This is because activeDocumentCOOPValue != responseCOOPValue and activeDocumentCOOPValue would be 'same-origin' here.
Am I misinterpreting the spec or is there some text missing in the spec to inherit the responseCOOP from the navigation requester's top document COOP?
The text was updated successfully, but these errors were encountered:
Yes this is not currently well defined in the spec. We're working on the inheritance problem as part of the PolicyContainer effort. We do plan to move COOP to be in the PolicyContainer, and integrate it with the COOP check during navigate a fetch. This should spec the inheritance of COOP as expected in the WPT test. The behavior of the WPT is really what we want to have at the end.
I found the following comment in html/cross-origin-opener-policy/navigate-to-aboutblank.https.html WPT test:
For the first subtest in the test, we have:
The subtest does not expect a browsing context group switch, which I find a bit surprising based on the specification.
Let's consider the final navigation to non-initial "about:blank):
From navigate a fetch (Step 12.5.5):
I believe this would set responseOrigin to origin A (resolved from incumbentNavigationOrigin).
Then step 12.5.6.1 says:
I believe this would set responseCOOP to 'unsafe-none', no? Since I don't expect the response for about:blank to contain any COOP HTTP header.
If so, this would mean that step 12.5.6.3 would call 'enforcing the response's cross-origin opener policy' and we would decide to do a browsing context group switch. This is because activeDocumentCOOPValue != responseCOOPValue and activeDocumentCOOPValue would be 'same-origin' here.
Am I misinterpreting the spec or is there some text missing in the spec to inherit the responseCOOP from the navigation requester's top document COOP?
The text was updated successfully, but these errors were encountered: