-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Navigation sourceDocument for browser-initiated navigations #9133
Comments
Here is a fun fact! If you navigate to |
Yeah I like the idea of making the initiator origin opaque in this case in general, but I'm curious what other browsers are doing here, and if it's observable in any other ways we're missing. But...
...I can glean a little bit about what browsers are doing by looking at the external protocol case specifically. For example, when I navigate with browser UI to I'm not seeing any other interesting observable effects between using opaque origins vs origins derived in HTML, but I'd definitely like to know more about the Fetch implications. At least I don't think we have to worry about any "tainting", since it seems like the mode="navigate" case is handled specially for that, and I don't think we ever send the Fetch client being null and manually filling in the other bits sounds good to me. At least it won't mess with the fetch task queueing stuff since we're already using
Great find. It's a little surprising that we literally just run the JS in the currently active document of the target navigable, but I guess procedurally that does make sense, and I suppose is fine from a security perspective since the user is making all of these actions. |
I think I mentioned this at some point and you assured me there was always a document. 😊 Manually filling in bits makes sense to me, but Fetch might also need some changes as it doesn't really do well when there is no client. I'm also not sure about the origin field. |
Currently the navigate algorithm assumes it is always passed a sourceDocument. This is used for:
some-external-app://foo
)Sec-Fetch-User
;Content-Disposition: attachment
will succeed;However, for browser UI-initiated navigations, we don't set any sourceDocument. So, that's bad; many algorithms are actually broken.
You might think we could treat browser UI navigations as if the source document is navigating itself. This works in some cases, e.g., it bypasses the allowed-by-sandboxing check. But it doesn't work for others; e.g., if the user navigates to a
Content-Disposition: attachment
URL, it should work, even if the page currently being displayed has sandboxing flags that disallow downloads.So I think we need to allow sourceDocument to be null for browser UI navigations, and figure out replacements for all of the things derived from it. Ideas:
OK, so the hard ones are initiator origin and fetch client. Ideas:
initiator origin: I think we want a new opaque origin for top-level about:blanks or
javascript:'a string'
. We don't want to tell the user "an opaque origin is attempting to navigate you tosome-external-app://foo
" if the user themselves typed the URL in the URL bar, so we might need a bit of special casing here.fetch client: maybe, leave the client as null and try to fill in the fetch fields directly? Per this section of Fetch, those would be:
I'm willing to put up a PR for this, but I'd love some confirmation that I'm on the right track here before I do. Any thoughts from @annevk @smaug---- @domfarolino @jakearchibald ? Especially @annevk for the Fetch integration questions
The text was updated successfully, but these errors were encountered: