-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move cross-origin opener policy into policy container #9149
base: main
Are you sure you want to change the base?
Conversation
@domenic Please note when I started this PR I was on vacation and I hastily wrote down this unfinished note (that I've since removed). Upon looking at it more today, I couldn't finish it because I'm not sure what case I had in mind that supposedly warranted a note. Besides the error document case, do you know of any situation where we wouldn't use the returned navigation params's COOP for the resulting document? |
It should just be the #read-ua-inline case, yeah. (Which is also for PDF viewers or some other pages.) I don't think that needs special mention. In general I think this PR is good but the number of places where we don't do the natural COOP inheritance is a bit worrying. I appreciate wanting to do a pure cleanup, but we should at least open an issue to track those. From what I can see they are:
I'd like @antosart's thoughts on this, and also his review of this PR. |
Thanks, I left a few comments. In general, I think it would be good to encapsulate the inheritance logic inside the policy container creation/inheritance algorithms. As for how COOP inheritance should behave, I honestly do not know. I was having a look at chromium source code, and there I have the impression that we never use the response header's COOP for subframes (instead we inherit from the parent if same-origin, and use a new COOP if not). I also don't see srcdoc treated specially there. I think that @camillelamy and @hemeryar thought a lot about COOP inheritance, so they might have some input? |
Hmm, are your comments in a draft maybe? I can't see them.
Does this imply that implementation-wise we just inherit COOP normally from the parent in the srcdoc case? If so then we should probably make the spec do that too. But I'm curious: what are the observable effects of this? Help me walk through a few scenarios so I can get it right in my head.
Does that sound right? EditI've crossed-out the second scenario after realizing that we DO NOT do COOP inheritance for cross-origin iframes period. So that scenario is not relevant. |
source
Outdated
@@ -93304,6 +93294,9 @@ location.href = '#foo';</code></pre> | |||
<var>navigable</var>'s <span data-x="nav-container-document">container document</span>'s <span | |||
data-x="concept-document-policy-container">policy container</span>, and null.</p></li> | |||
|
|||
<li><p>Set <var>policyContainer</var>'s <span data-x="policy-container-coop">cross-origin opener |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we drop this and just always initialize policy container's coop to a new coop (instead of inheriting as we do for the other policies)? This would seem to match the current state of things.
If not, I think it would be preferable to handle this logic inside "determining navigation params policy container", and having a switch there: if the document's url is about:srcdoc, then don't inherit coop. Although I don't understand why srcdoc should be special (as opposed to, e.g., an empty document).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we drop this and just always initialize policy container's coop to a new coop
I'm confused, isn't that what this line is doing? <var>coop</var>
is a new coop, so what this PR does is always initialize the policy container's COOP to a new COOP, instead of inheriting ever. But it sounds like we maybe shouldn't special-case about:srcdoc here, and should maybe conditionally clear policyContainer's COOP based on same-origin-ness (about:srcdoc can be cross-origin via responseOrigin due to sandbox flags). In that sense this is quite similar to https://github.com/whatwg/html/pull/9149/files#r1189506835 which handles the <embed>
case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was just trying to say that, before your PR, I don't see any other place where we would inherit COOP according to policy container rules. For example, if A creates a data url child iframe, I don't think there is any mechanism, before your PR, to have the data url iframe inherit COOP from A. Your PR changes that, because the general policy container inheritance mechanism kicks in. So I am just saying, if we want to make this PR a no-op, would it make sense to change the inheritance algorithm of the policy container so that COOP is never inherited? This would avoid the special handling of srcdoc here. And we could sort out the correct inheritance in a separate PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sorry, I forgot to submit the review
@domfarolino what you write makes sense to me, but I don't see how it is specific to srcdoc (in fact, I wonder when the COOP of a child frame is actually observable). I can't find any WPTs specific to srcdoc under html/cross-origin-opener-policy. As said, I am not an expert here. I could invest the time to learn more, but it probably makes more sense if @camillelamy, @hemeryar or @ArthurSonzogni chime in. |
Hey there! I haven't read the patch but can give some extra info:
Hope that helps, |
…dering of navigation params members
d6ff17c
to
4323b16
Compare
I've filed #9277 to continue discussion and spec progress on the three cases of probably-wrong inheritance that I we've identified here. Handling those separately from this PR sounds good to me if it's OK with everyone else. This PR now adds XXX boxes pointing to that issue in each of the three inheritance cases.
Can you clarify the last part of that question? If it helps, this is the part of the spec that computes the response policy container and COOP enforcement: https://html.spec.whatwg.org/multipage/browsing-the-web.html#create-navigation-params-by-fetching:~:text=Set%20responsePolicyContainer%20to,error%20and%20break.
|
source
Outdated
@@ -90435,13 +90439,12 @@ interface <dfn interface>BeforeUnloadEvent</dfn> : <span>Event</span> { | |||
<var>creator</var>'s <span data-x="concept-document-policy-container">policy | |||
container</span>.</p></li> | |||
|
|||
<li><p>If <var>creator</var>'s <span data-x="concept-document-origin">origin</span> is | |||
<li><p>If <var>creator</var>'s <span data-x="concept-document-origin">origin</span> is not |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Consider the following example:
- A1
a.test
(top-level), with COOP (set by response headers) COOP-a1 - A2
a.test
(child iframe of A1), with COOP (set by response headers - has no effects because this is a child iframe, but still) COOP-a2 - A2 does
window.open()
and opens A3about:blank
(popup)
Before this PR: A3 gets COOP COOP-a1
After this PR: A3 gets COOP COOP-a2
I think if we want to fix it using inheritance, we must let A2 inherit from A1 always when it is same-origin (even for non-local schemes). I am not sure what the best approach is though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah good catch. The current spec's setup of always honoring the COOP headers on subframes (even for non-local schemes) and then having popups inherit their COOP from the initiator-subframe's top-level document is kinda odd. I think there are three options:
- Have subframes, regardless of origin, unconditionally inherit their COOP from the top-level, and then make popups conditionally inherit their COOP from creator depending on whether creator is same-origin-with-top
- Have subframes never inherit their creator's COOP, and have popups conditionally inherit their creator's top-level's COOP depending on whether creator is same-origin-with-top
- Have subframes only inherit their COOP from the top-level if they are same-origin-with-top, and then have popups unconditionally inherit their creator's COOP
Personally I prefer (3) since it keeps COOP inheritance logic centralized in one place, and simplifies new browsing context/document creation here since we don't have to check creator/creator's top-level. Then here we can just always clone the policy container which has been properly redacted earlier if necessary. Spec'ing 3 seems to largely depend on the #create-navigation-params-by-fetching AI in #9277. So in the meantime in this PR we could maybe staple on some logic here to preserve the old behavior: conditionally wipe the COOP as we're doing, and otherwise forcibly inherit from creator's top-level's COOP. Then we can solve the real inheritance problem as part of the other issue. WDYT?
source
Outdated
@@ -93304,6 +93294,9 @@ location.href = '#foo';</code></pre> | |||
<var>navigable</var>'s <span data-x="nav-container-document">container document</span>'s <span | |||
data-x="concept-document-policy-container">policy container</span>, and null.</p></li> | |||
|
|||
<li><p>Set <var>policyContainer</var>'s <span data-x="policy-container-coop">cross-origin opener |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was just trying to say that, before your PR, I don't see any other place where we would inherit COOP according to policy container rules. For example, if A creates a data url child iframe, I don't think there is any mechanism, before your PR, to have the data url iframe inherit COOP from A. Your PR changes that, because the general policy container inheritance mechanism kicks in. So I am just saying, if we want to make this PR a no-op, would it make sense to change the inheritance algorithm of the policy container so that COOP is never inherited? This would avoid the special handling of srcdoc here. And we could sort out the correct inheritance in a separate PR.
This PR does two things:
Document
's cross-origin opener policy memberThis change is mostly mechanical with a few exceptions:
/browsers.html ( diff )
/browsing-the-web.html ( diff )
/document-lifecycle.html ( diff )
/document-sequences.html ( diff )
/dom.html ( diff )