Normalize COOP inheritance with policy container #9277
Labels
topic: cross-origin-opener-policy
Issues and ideas around the new "inverse of rel=noopener" header.
topic: policy container
The policy container proposal
#9149 migrates Document's COOP into its policy container, while preserving the behavior of the original spec, however during development we knew about or discovered three odd scenarios where the current COOP inheritance needed to be tampered with outside of the usual policy container inheritance in order to preserve the current spec's possibly-wrong behavior. This bug is to track fixing these three cases in the spec as well as writing their associated tests.
1.) about:srcdoc
about:srcdoc
navigations, however per Move cross-origin opener policy into policy container #9149 (comment), at least Chromium does not seem to distinguish betweenabout:srcdoc
and other iframes when determining if the initial frame's Document should inherit COOP. We should write tests to determine thatabout:srcdoc
COOP inheritance exactly matches that of normal iframes, and change the spec accordingly. This would entail:about:srcdoc
iframesabout:srcdoc
iframe that would normally be same-origin-to-top but isn't specifically because of sandbox flags, just to make sure that all ways of becoming cross-origin are treated the sameI guess we'd have to manually copy this conditional inheritance logic into this special case.
2.) Non-null navigation response (
<embed>
&x-mixed-replace
)I guess we'd have to manually copy this conditional inheritance logic into this special case.
3.) Create navigation params by fetching: scoping responseCOOP
In #create-navigation-params-by-fetching, the current spec unconditionally stuffs responseCOOP in navigation params regardless of which policy container is selected by "determine the navigation params policy container". This seems wrong; instead we should probably scope responseCOOP to responsePolicyContainer. If we do this (i.e., limit the usage of responseCOOP to the usage of responsePolicyContainer), then whenever "determining the navigation params policy container" chooses a policy container other than responsePolicyContainer, the frame would inherit a different COOP than the spec currently gives.
The cases where "determining a navigation params policy container" would not choose responsePolicyContainer is:
about:blank
iframe toabout:blank
and confirm that when it opens up a pop-up, the popup's COOP depends on whether the iframe was same-origin to its top-level.data:
URL iframes just to ensure that their COOP is never inherited when making a pop-up page, since their origin is always opaquelocation.reload()
in the iframe. This will trigger the traversal-initiated entry into #attempt-to-populate and should use the historyPolicyContainer in https://html.spec.whatwg.org/#populating-a-session-history-entry:determining-navigation-params-policy-container-2. If we don't uselocation.reload()
in theabout:blank
iframe, then we'd have to navigate away from the Document and then back, but I don't think we can do this reliably and trigger this logic, due to bf-cache./cc @antosart @hemeryar @camillelamy @domenic
I'm happy to do the spec work for this once #9149 lands. Help with the tests from policy container/COOP experts would be greatly appreciated.
Footnotes
"Parent's" COOP specifically because I don't think an
<embed>
object can have an initiator of any other kind, since there is nocontentWindow
handle or anything. Only asrc
attribute, andsourceDocument
is always the parent Document in the embed navigation case ↩The text was updated successfully, but these errors were encountered: