From 0c7ee8550323772d462e44170798a3732bdbf596 Mon Sep 17 00:00:00 2001 From: Camille Lamy Date: Tue, 3 Mar 2020 17:48:11 +0100 Subject: [PATCH] Add cross-origin opener policy Tests: https://github.com/web-platform-tests/wpt/tree/master/html/cross-origin-opener-policy Closes: #4580 Fix formatting issues Fix some more formatting issues Addressed code review comments Addressed comments Addressed comments --- source | 289 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 284 insertions(+), 5 deletions(-) diff --git a/source b/source index 9c6096db27a..e7efd21b0bf 100644 --- a/source +++ b/source @@ -2750,6 +2750,9 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
  • history-navigation flag
  • +
  • Getting a header + from a header list.
  • The following terms are defined in Referrer Policy: +

    Cross-Origin Embedder Policy
    + +
    +

    The following feature is defined in Cross-Origin Embedder Policy:

    + + +
    +
    @@ -9356,6 +9372,11 @@ partial interface Document { data-x="concept-document-module-map">module map, which is a module map, initially empty.

    +

    The Document has a cross-origin opener policy, which is a + cross-origin opener policy, + initially "unsafe-none".

    +

    The DocumentOrShadowRoot interface

    DOM defines the setting up a window environment settings object given realm execution context and topLevelOrigin.

    +
  • Let COOP be a cross-origin-opener-policy with value "unsafe-none".

  • + +
  • If creator is non-null and creator is + same origin with its top-level browsing context's + Document, then set COOP to creator's + top-level browsing context's Document's cross-origin opener policy.

  • +
  • Let document be a new Document, marked as an HTML document in quirks mode, whose content type is "text/html", origin is origin, active sandboxing flag set is sandboxFlags, feature policy is - feature policy, and which is both ready for post-load tasks and - completely loaded immediately.

  • + feature policy, cross-origin opener policy + is COOP, and which is both ready for post-load tasks and completely + loaded immediately.

  • Ensure that document has a single child html node, which itself has two empty child nodes: a head element, and a body element.
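Review bot: In the added step that sets COOP from creator, "creator is same origin with its top-level browsing context's Document" compares two Documents, whereas the window-open change in this same patch compares origins ("currentDocument's origin is not same origin with ..."). Suggest comparing creator's origin with the origin of the top-level browsing context's active document, so the condition that decides whether the new Document inherits the opener policy is unambiguous. The preceding step also spells the type "cross-origin-opener-policy" with hyphens; it should read "cross-origin opener policy" to match the concept the patch defines.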

  • @@ -79879,6 +79911,12 @@ console.assert(iframeWindow.frameElement === null); keys to agent clusters). User agents are responsible for collecting agent clusters when it is deemed that nothing can access them anymore.

    +

    A browsing context group has a cross-origin + isolated boolean. It is initially false.

    + +

    The impact of cross-origin isolated is + under discussion in issue #4734.

    +

    To create a new browsing context group, run these steps:

    @@ -80177,6 +80215,28 @@ console.assert(iframeWindow.frameElement === null);
      +
    1. +

      If current's top-level browsing context's active + document's cross-origin opener + policy is "same-origin" or "same-origin-plus-COEP", then:

      + +
        +
      1. Let currentDocument be current's + active document.

      2. + +
      3. +

        If currentDocument's origin is not same origin + with current's top-level browsing context's active + document 's origin, then set noopener to true and + name to "_blank".

        + +

        In the presence of COOP, nested documents cross-origin with their + top-level browsing context always set /noopener/.

        +
      4. +
      +
    2. +
    3. Set new to true.

    4. If noopener is true, then set chosen to the result @@ -82720,6 +82780,159 @@ interface BarProp { +

      Cross-origin opener policy

      + +

      A cross-origin opener policy restricts the set + of browsing contexts which can live together in a single + browsing context group. It has one of the following values, defaulting to "unsafe-none" unless otherwise specified:

      + +
        +
      • "same-origin-plus-COEP"

      • + +
      • "same-origin"

      • + +
      • "same-origin-allow-popups"

      • + +
      • "unsafe-none"

      • + +
      • "same-origin-plus-COEP" cannot be directly set via the + `Cross-Origin-Opener-Policy` header, but + results from a combination of setting both Cross-Origin-Opener-Policy: same-origin + and Cross-Origin-Embedder-Policy: require-corp together. +

      + +

      To obtain a cross-origin opener policy from a response response and an environment + environment:

      + +
        +
      1. Let securityState be the result of executing Is environment + settings object a secure context? on environment.

      2. + +
      3. If securityState is "Not Secure", then return "unsafe-none".

      4. + +
      5. Let value be the result of getting + `Cross-Origin-Opener-Policy` from + response's header list.

      6. + +
      7. If value is null, then return "unsafe-none".

      8. + +
      9. Let decodedValue be the isomorphic + decoding of value

      10. + +
      11. If decodedValue is not "same-origin" or "same-origin-allow-popups", then return "unsafe-none".

      12. + +
      13. If decodedValue is "same-origin", then:

        + +
          +
        1. Let coep be the result of obtaining a cross-origin embedder policy from + response.

        2. + +
        3. If coep is "require-corp", then return "same-origin-plus-COEP".

        4. +
        +
      14. + +
      15. Return decodedValue

      16. +
      + +

      To match cross-origin opener policies, given a COOP A, an origin + originA, a COOP B and an + origin originB:

      + +
        +
      1. If A is "unsafe-none" and B is "unsafe-none", then return true.

      2. + +
      3. If A or B is "unsafe-none", then return + false.

      4. + +
      5. If A is the same value as B and + originA is same origin with originB, then + return true.

      6. + +
      7. Return false.

      8. +
      + +

      To obtain a browsing context to use for a + navigation response, given a response + response, a browsing context + browsingContext, a sandboxing flag set sandboxFlags, two origins incumbentNavigationOrigin, + activeDocumentNavigationOrigin,and a cross-origin opener policy + responseCOOP:

      + +
        +
      1. Let activeDocumentCOOP be the + cross-origin opener policy of currentBrowsingContext's active + document .

      2. + +
      3. If the result of matching + activeDocumentCOOP, activeDocumentNavigationOrigin, + responseCOOP and incumbentNavigationOrigin is true, return + browsingContext.

      4. + +
      5. +

        If all of the following are true:

        + +
          +
        • currentBrowsingContext's only entry in its session history is + the about:blank Document that was added when + browsingContext was created.

        • + +
        • activeDocumentCOOP is "same-origin-allow-popups".

        • + +
        • responseCOOP is "unsafe-none".

        • +
        + +

        then return browsingContext.

        +
      6. + +
      7. Let newBrowsingContextGroup be the result of creating a new + browsing context group.

      8. + +
      9. If responseCOOP is "same-origin-plus-COEP", then set + newBrowsingContextGroup cross-origin + isolated to true.

      10. + +
      11. Let newBrowsingContext be the result of creating a new browsingContext in newBrowsingContextGroup.

      12. + +
      13. +

        If sandboxFlags is not empty, then:

        +
          +
        1. Assert responseCOOP is "unsafe-none".

        2. + +
        3. Set newBrowsingContext's sandboxing flag set to + sandboxFlags.

        4. +
        +
      14. + +
      15. +

        Discard + currentBrowsingContext.

        + +

        This does not close currentBrowsingContext's browsing context + group except if it was the sole top-level browsing context in which case it could be + collected

        +
      16. + +
      17. Return newBrowsingContext.

      18. +
      + +

      The impact of swapping browsing context groups following a navigation is not + defined. It is currently under discussion in issue 5350.

      +

      Session history and navigation

      The session history of browsing contexts
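Review bot: In "obtain a browsing context to use for a navigation response", the first step, the session-history condition, the Discard step and its note all refer to currentBrowsingContext, but the algorithm's parameter is browsingContext and currentBrowsingContext is never defined. Use one name throughout, since these are the steps that decide whether the navigation stays in the opener's browsing context group. In the same algorithm, "creating a new browsingContext in newBrowsingContextGroup" should name the concept rather than the variable, and "activeDocumentNavigationOrigin,and" is missing a space. In "obtain a cross-origin opener policy", the condition "is not "same-origin" or "same-origin-allow-popups"" would be clearer as "is neither ... nor ...", and the "isomorphic decoding of value" and "Return decodedValue" steps lack a final period.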

      @@ -85117,11 +85330,51 @@ interface Location { // but see also unsafe-none
      ".

    5. + +
    6. If browsingContext is a top-level browsing + context, then:

      + +
        +
      1. Set incumbentCOOP be the cross-origin opener policy obtained given response and + reservedEnvironment.

      2. + +
      3. +

        If sandboxFlags is not empty and incumbentCOOP is not "unsafe-none", then display the inline + content with an appropriate error shown to the user, with the newly created + Document object's origin set to a new opaque origin, run the environment discarding steps for reservedEnvironment, and + return.

        + +

        This results in a network error as one cannot simultaneously provide a clean + slate to a response using cross-origin opener policy and sandbox the result of navigating to + that response.

        +
      4. + +
      5. Let newBrowsingContext be the value of obtaining a browsing context for the navigation + response given response, browsingContext, sandboxFlags, + incumbentNavigationOrigin, activeDocumentNavigationOrigin, and + incumbentCOOP.

      6. + +
      7. Let browsingContextSwitch be false.

      8. + +
      9. If newBrowsingContext is not equal to browsingContext, then set + browsingContextSwitch to true.

      10. + +
      11. Set browsingContext to the value of newBrowsingContext.

      12. +
      +
    7. +
    8. If browsingContext's only entry in its session history is the about:blank Document that was added when browsingContext was created, and navigation is occurring with replacement enabled, and that Document has the same origin - as origin, then do nothing.

    9. + as origin, and browsingContextSwitch is false, then do nothing.

    10. Otherwise:
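Review bot: incumbentCOOP and browsingContextSwitch are introduced only inside the "If browsingContext is a top-level browsing context" branch, yet the changed condition "and browsingContextSwitch is false" and the later step that sets the document's cross-origin opener policy to incumbentCOOP apply to every navigation. Initialise both before the branch (for example, incumbentCOOP to "unsafe-none" and browsingContextSwitch to false) so that navigations in nested browsing contexts are well defined. "Set incumbentCOOP be" should also read "Let incumbentCOOP be", and the note says the sandboxed case "results in a network error" while the step itself displays inline content with an error; the two should agree.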

      @@ -85163,8 +85416,9 @@ interface Location { // but see also
      type is type, content type is contentType, origin is origin, feature - policy is featurePolicy, and active sandboxing flag set is - finalSandboxFlags.

    11. + policy is featurePolicy, active sandboxing flag set is + finalSandboxFlags, and cross-origin opener + policy is incumbentCOOP.

    12. If request is non-null, then set document's URL to request's @@ -120192,6 +120446,27 @@ interface External { +

      `Cross-Origin-Opener-Policy`

      + +

      This section describes a header for registration in the Permanent Message Header Field + Registry.

      + +
      +
      Header field name:
      +
      Cross-Origin-Opener-Policy
      +
      Applicable protocol:
      +
      http
      +
      Status:
      +
      standard
      +
      Author/Change controller:
      +
      WHATWG
      +
      Specification document(s):
      +
      + This document is the relevant specification. +
      +
      Related information:
      +
      None.
      +

      Index

      @@ -124725,6 +125000,10 @@ INSERT INTERFACES HERE
      [COMPUTABLE]
      (Non-normative) On computable numbers, with an application to the Entscheidungsproblem, A. Turing. In Proceedings of the London Mathematical Society, series 2, volume 42, pages 230-265. London Mathematical Society, 1937.
      +
      [COEP]
      +
      Cross-Origin Embedder Policy, M. + West.
      +
      [COOKIES]
      HTTP State Management Mechanism, A. Barth. IETF.
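Review bot: The new [COEP] entry is inserted after [COMPUTABLE], but "COE" sorts before "COM", so it belongs ahead of [COMPUTABLE] to keep the references list alphabetical. The entry also gives only the author, while the neighbouring entries name a publisher; consider adding one for consistency.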