Skip to content

Commit

Permalink
Upstream navigation hooks from CSP
Browse files Browse the repository at this point in the history
This will enable implementation of 'frame-ancestors' and 'form-action', and makes a bit of progress towards #1230.
  • Loading branch information
mikewest authored and annevk committed Aug 18, 2016
1 parent bae9fc5 commit 2083b00
Showing 1 changed file with 64 additions and 25 deletions.
89 changes: 64 additions & 25 deletions source
Original file line number Diff line number Diff line change
Expand Up @@ -3942,6 +3942,8 @@ a.setAttribute('href', 'http://example.com/'); // change the content attribute d
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialize-global-object-csp">Initialize a global object's CSP list</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#initialize-document-csp">Initialize a Document's CSP list</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-inline">Should element's inline behavior be blocked by Content Security Policy?</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-navigation-request">Should navigation request of type from source in target be blocked by Content Security Policy?</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#should-block-navigation-response">Should navigation response to navigation request of type from source in target be blocked by Content Security Policy?</dfn> algorithm</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#report-uri"><code data-x="">report-uri</code> directive</dfn></li>
<li>The <dfn data-noexport="" data-x="csp-EnsureCSPDoesNotBlockStringCompilation" data-x-href="https://w3c.github.io/webappsec-csp/#can-compile-strings">EnsureCSPDoesNotBlockStringCompilation</dfn> abstract operation</li>
<li>The <dfn data-noexport="" data-x-href="https://w3c.github.io/webappsec-csp/#allow-base-for-document">Is base allowed for Document?</dfn> algorithm</li>
Expand Down Expand Up @@ -81893,6 +81895,11 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O

</li>

<li><p>Let <var>navigationType</var> be "<code data-x="">form-submission</code>" if the <span
data-x="navigate">navigation algorithm</span> was invoked as a result of the <span
data-x="concept-form-submit">form submission algorithm</span>, and "<code data-x="">other</code>"
otherwise.</p></li>

<li><p>Return to whatever algorithm invoked the navigation steps and continue running these steps
<span>in parallel</span>.</p></li>

Expand All @@ -81904,7 +81911,8 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
<dl>

<dt>If <var>resource</var> is a <span data-x="concept-response">response</span></dt>
<dd><p>Run <span>process a navigate response</span> with <var>resource</var> and
<dd><p>Run <span>process a navigate response</span> with null, <var>resource</var>,
<var>navigationType</var>, the <span>source browsing context</span>, and
<var>browsingContext</var>, and then abort these steps.</p></dd>

<dt>If <var>resource</var> is a <span data-x="concept-request">request</span> whose <span
Expand Down Expand Up @@ -81987,7 +81995,8 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
the <span>override URL</span>.</p>
</li>

<li><p>Run <span>process a navigate response</span> with <var>response</var> and
<li><p>Run <span>process a navigate response</span> with <var>resource</var>,
<var>response</var>, <var>navigationType</var>, the <span>source browsing context</span>, and
<var>browsingContext</var>, and then abort these steps.</p></li>
</ol>

Expand Down Expand Up @@ -82042,8 +82051,8 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
<dt>If <var>resource</var> is a <span data-x="concept-request">request</span> whose <span
data-x="concept-request-url">url</span>'s <span data-x="concept-url-scheme">scheme</span>
is a <span>fetch scheme</span></dt>
<dd><p>Run <span>process a navigate fetch</span> given <var>resource</var> and
<var>browsingContext</var>.</p></dd>
<dd><p>Run <span>process a navigate fetch</span> given <var>resource</var>, the <span>source
browsing context</span>, and <var>browsing context</var>, and <var>type</var>.</p></dd>

<dt>Otherwise, <var>resource</var> is a <span data-x="concept-request">request</span> whose
<span data-x="concept-request-url">url</span>'s <span data-x="concept-url-scheme">scheme</span>
Expand All @@ -82056,14 +82065,15 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
</ol>

<p>To <dfn data-export="">process a navigate fetch</dfn>, given a <span
data-x="concept-request">request</span> <var>request</var> and <span>browsing context</span>
<var>browsingContext</var>, run these steps:</p>
data-x="concept-request">request</span> <var>request</var>, <span>browsing context</span>
<var>sourceBrowsingContext</var>, <span>browsing context</span> <var>browsingContext</var>, and
string <var>type</var>, run these steps:</p>

<ol>
<li><p>Let <var>response</var> be null.</p></li>

<li><p>Set <var>request</var>'s <span data-x="concept-request-client">client</span> to the
<span>source browsing context</span>'s <span>active document</span>'s <span>relevant settings
<li><p>Set <var>request</var>'s <span data-x="concept-request-client">client</span> to
<var>sourceBrowsingContext</var>'s <span>active document</span>'s <span>relevant settings
object</span>, <span data-x="concept-request-target-browsing-context">target browsing
context</span> to <var>browsingContext</var>, <span
data-x="concept-request-destination">destination</span> to "<code data-x="">document</code>",
Expand All @@ -82076,23 +82086,35 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
<li><p>Set <var>request</var>'s <span>omit-<code>Origin</code>-header flag</span>.

<li><p>If <var>request</var>'s <span data-x="concept-request-method">method</span> is not `<code
data-x="">GET</code>`, or, if the <span data-x="navigate">navigation algorithm</span> was invoked
as a result of the <span data-x="concept-form-submit">form submission algorithm</span>, then if
there is an <span>origin</span> of the <span>active document</span> of the <span>source browsing
context</span>, unset <var>request</var>'s <span>omit-<code>Origin</code>-header
flag</span>.</p></li>
data-x="">GET</code>`, or, if <var>type</var> is "<code data-x="">form-submission</code>", then
if there is an <span>origin</span> of the <span>active document</span> of
<var>sourceBrowsingContext</var>, unset <var>request</var>'s
<span>omit-<code>Origin</code>-header flag</span>.</p></li>

<li><p>Otherwise, if <var>browsingContext</var> is a <span>child browsing context</span>, and the
<span>browsing context container</span> of <var>browsingContext</var> has a <span>browsing
context scope origin</span>, set <var>request</var>'s <span
data-x="concept-request-origin">origin</span> to that <span>browsing context scope origin</span>
and unset <var>request</var>'s <span>omit-<code>Origin</code>-header flag</span>.</p></li>

<!--FETCH--><li><p><span data-x="concept-fetch">Fetch</span> <var>request</var>.</p></li>
<li>
<p>If the <span>Should navigation request of type from source in target be blocked by Content
Security Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon
<var>request</var>, <var>navigationType</var>, <var>sourceBrowsingContext</var>, and
<var>browsingContext</var>, then set <var>response</var> to a network error.
<ref spec="CSP"></p>

<p>Otherwise:</p>

<ol>
<!--FETCH--><li><p><span data-x="concept-fetch">Fetch</span> <var>request</var>.</p></li>

<li><p>Wait for the <span data-x="concept-task">task</span> on the <span>networking task
source</span> to <span>process response</span> and set <var>response</var> to the
result.</p></li>
</ol>
</li>

<li><p>Wait for the <span data-x="concept-task">task</span> on the <span>networking task
source</span> to <span>process response</span> and set <var>response</var> to the
result.</p></li>

<li id="navigate-redirect-step">
<p>If <var>response</var> has a <span data-x="concept-response-location-url">location URL</span>
Expand All @@ -82117,7 +82139,8 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
data-x="concept-url-scheme">scheme</span> is a <span>fetch scheme</span>, then run
<span>process a navigate fetch</span> with a new <span data-x="concept-request">request</span>
whose <span data-x="concept-request-url">url</span> is <var>response</var>'s <span
data-x="concept-response-location-url">location URL</span>.
data-x="concept-response-location-url">location URL</span>, <var>sourceBrowsingContext</var>,
<var>browsingContext</var>, and <var>type</var>.

<li><p>Otherwise, if <var>response</var> has a <span
data-x="concept-response-location-url">location URL</span> that is a <span>URL</span>, run the
Expand Down Expand Up @@ -82185,20 +82208,36 @@ State: &lt;OUTPUT NAME=I>1&lt;/OUTPUT> &lt;INPUT VALUE="Increment" TYPE=BUTTON O
the fallback response actually is.</p>
</li>

<li><p>Run <span>process a navigate response</span> given <var>response</var> and
<li><p>Run <span>process a navigate response</span> given <var>request</var>,
<var>response</var>, <var>navigationType</var>, the <span>source browsing context</span>, and
<var>browsingContext</var>.</p></li>
</ol>

<p>To <dfn data-export="">process a navigate response</dfn>, given a <span
data-x="concept-response">response</span> <var>response</var> and <span>browsing context</span>
<var>browsingContext</var>, run these steps:</p>
data-x="concept-request">request</span> <var>request</var>, a <span
data-x="concept-response">response</span> <var>response</var>, a string <var>type</var>, and two
<span>browsing contexts</span> <var>source</var> and <var>browsingContext</var>, run these
steps:</p>

<ol>
<li>
<p>If <var>response</var> is a network error, then <span
data-x="navigate-ua-inline">display the inline content with an appropriate error shown to the
user</span>, with the newly created <code>Document</code> object's <span>origin</span> set to a
new <span data-x="concept-origin-opaque">opaque origin</span>, and abort these steps.</p>
<p>If any of the following are true, then <span data-x="navigate-ua-inline">display the inline
content with an appropriate error shown to the user</span>, with the newly created
<code>Document</code> object's <span>origin</span> set to a new <span
data-x="concept-origin-opaque">opaque origin</span>, and abort these steps.</p>

<ul>
<li><p><var>response</var> is a network error.</p></li>

<li><p class="&#x0058;&#x0058;&#x0058;">TODO: Define <code data-x="">X-Frame-Options</code>
processing here [<a
href="https://github.com/whatwg/html/issue/1230">whatwg/html#1230</a>].</p></li>

<li><p>The <span>Should navigation response to navigation request of type from source in target
be blocked by Content Security Policy?</span> algorithm returns "<code
data-x="">Blocked</code>" when executed upon <var>request</var>, <var>response</var>,
<var>type</var>, <var>source</var>, and <var>browsingContext</var>. <ref spec="CSP"></p></li>
</ul>

<p class="note">This is where the network errors defined and propagated by the WHATWG Fetch
standard, such as DNS or TLS errors, end up being displayed to users. <ref spec=FETCH></p>
Expand Down

0 comments on commit 2083b00

Please sign in to comment.