Make about:srcdoc to inherit PolicyContainer from history.

[ArthurSonzogni]

This is the current behavior of Chrome and Firefox. Safari do not support history navigations at all.

See WPT.
https://wpt.fyi/results/content-security-policy/inheritance/iframe-srcdoc-history-inheritance.html?label=experimental&label=master&aligned

I would like to align the specification and WPTs to match the current browsers behaviors.
See: #6809

• At least two implementers are interested (and none opposed):
  • Chrome: Current behavior.
  • Firefox: Current behavior for CSP. Not for referrer policy, but they have an intention to implement policy container which would naturally make them align with this PR.
  • Webkit: N/A. Safari do not consider about:srcdoc in history entry. It means you can even history-navigate toward them.
• Tests are written and can be reviewed and commented upon at:
  • https://wpt.fyi/results/content-security-policy/inheritance/iframe-srcdoc-history-inheritance.html?label=experimental&label=master&aligned
  • web-platform-tests/wpt@9f14565
• Implementation bugs are filed:
  • Chrome: Already implemented.
  • Firefox: https://bugzilla.mozilla.org/show_bug.cgi?id=1706026 for the general policy container implementation.
  • Safari: I don't know. Safari appears not to support history navigations to about:srcdoc at all. This would be a prerequisite before thinking about this.
  • Deno (only for timers, structured clone, base64 utils, channel messaging, module resolution, web workers, and web storage): N/A
  • Node.js (only for timers, structured clone, base64 utils, channel messaging, and module resolution): N/A

(See WHATWG Working Mode: Changes for more details.)

---

/origin.html ( diff )

[ArthurSonzogni]

Question:
What kind of request for position would you like to see for Chrome/Firefox for aligning the specification with their behavior? What about Safari, who don't have about:srcdoc history navigations (so far)?

@antosart FYI: in case I am missing some changes in the spec.

[domenic]

Thanks!

In general you can assume that browsers which already implement a change, support implementing that change :). So you can check that box.

It would be good to submit a WebKit bug, perhaps for the general area of srcdoc history navigation, with a pointer to any relevant web platform tests. (Especially ones which pass in the two other engines.)

I will wait for @antosart to double-check before merging.

[domenic]

Would you be able to add tests for the other things in the policy container, BTW? Referrer policy at least seems easy enough to test. Maybe embedder policy is not easy to test or does not give a different result anyway due to the consistency guarantees for the frame...

[ArthurSonzogni]

Would you be able to add tests for the other things in the policy container, BTW? Referrer policy at least seems easy enough to test. Maybe embedder policy is not easy to test or does not give a different result anyway due to the consistency guarantees for the frame...

Yes. Good idea! I remember I already reviewed @antosart adding a test for this (Thanks!):
https://wpt.fyi/results/referrer-policy/generic/inheritance/iframe-inheritance-history-about-srcdoc.html?

The test is expecting the new proposed behavior.

That's very interesting. We see Firefox doesn't inherit the referrer policy from history, contrary to CSP.
It means Firefox is not consistent with PolicyContainer. This is not surprising, because Firefox doesn't really use the concept of PolicyContainer and every policies are inherited individually.

I guess this require me to ask Firefox their position. I will do next week!

[domenic]

I think it is OK to treat Firefox's inconsistency here (restoring CSP, and the document itself, but not the referrer policy) as a bug. So we can merge this as-is.