Snapshot sandbox at the start of navigation

This change fixes a race condition where an iframe's sandboxing flag set could be changed in between the start of a navigation and when the response is returned, and the new document created. In that case, it was unclear how the new document could reliably synchronously get the updated flags, or just exactly how late those flags could be changed and still impact the new document. Now, the sandboxing flag set is routed from the beginning of the navigation to the eventual document creation. See #4783 and w3c/webappsec-permissions-policy#256 which outline similar problems for feature policy.
whatwg · Nov 25, 2019 · eb13fec · eb13fec
1 parent 7b4964a
commit eb13fec
Showing 1 changed file with 61 additions and 58 deletions.
diff --git a/source b/source
@@ -78443,8 +78443,8 @@ dictionary <dfn>DragEventInit</dfn> : <span>MouseEventInit</span> {
    <span>creator base URL</span> to return <var>creator</var>'s <span data-x="document base
    URL">base URL</span>.</p></li>
 
-   <li><p>Let <var>sandboxFlags</var> be the result of <span>determining active sandboxing
-   flags</span> given <var>browsingContext</var>.</p></li>
+   <li><p>Let <var>sandboxFlags</var> be the result of <span>determining sandboxing flags</span>
+   given <var>browsingContext</var>.</p></li>
 
    <li id="about-blank-origin"><p>Let <var>origin</var> be the result of <span>determining the
    origin</span> given <var>browsingContext</var>, <code>about:blank</code>,
@@ -81831,10 +81831,10 @@ interface <dfn>BarProp</dfn> {
 
   <hr>
 
-  <p>To <dfn data-x="determining active sandboxing flags">determine active sandboxing flags</dfn>
-  for a <span data-x="concept-document-bc">browsing context</span> <var>browsing context</var> given
-  an optional <var>navigationResource</var>, return the union of the flags that are present in the
-  following <span data-x="sandboxing flag set">sandboxing flag sets</span>:</p>
+  <p>To <dfn data-x="determining sandboxing flags">determine sandboxing flags</dfn> for a <span
+  data-x="concept-document-bc">browsing context</span> <var>browsing context</var>, return the union
+  of the flags that are present in the following <span data-x="sandboxing flag set">sandboxing flag
+  sets</span>:</p>
 
   <ul>
    <li><p>If <var>browsing context</var> is a <span>top-level browsing context</span>, then: the
@@ -81846,9 +81846,6 @@ interface <dfn>BarProp</dfn> {
    <li><p>If <var>browsing context</var> is a <span>nested browsing context</span>, then: the
    flags set on the <span>parent browsing context</span>'s <span>active document</span>'s
    <span>active sandboxing flag set</span>.</p></li>
-
-   <li><p>If <var>navigationResource</var> is given, then: the flags set on
-   <var>navigationResource</var>'s <span>forced sandboxing flag set</span>.</p></li>
   </ul>
 
 
@@ -83654,6 +83651,9 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    data-x="concept-form-submit">form submission algorithm</span>, and "<code data-x="">other</code>"
    otherwise.</p></li>
 
+   <li><p>Let <var>sandboxFlags</var> be the result of <span>determining sandboxing flags</span>
+   given <var>browsingContext</var>.</p></li>
+
    <li><p>Return to whatever algorithm invoked the navigation steps and continue running these steps
    <span>in parallel</span>.</p></li>
 
@@ -83667,7 +83667,7 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      <dt>If <var>resource</var> is a <span data-x="concept-response">response</span></dt>
      <dd><p>Run <span>process a navigate response</span> with null, <var>resource</var>,
      <var>navigationType</var>, the <span>source browsing context</span>,
-     <var>browsingContext</var>, <var>incumbentNavigationOrigin</var>, and
+     <var>browsingContext</var>, <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
      <var>activeDocumentNavigationOrigin</var>.</p></dd>
 
      <dt>If <var>resource</var> is a <span data-x="concept-request">request</span> whose <span
@@ -83685,8 +83685,8 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
        <li><p>Run <span>process a navigate response</span> with <var>resource</var>,
        <var>response</var>, <var>navigationType</var>, the <span>source browsing context</span>,
-       <var>browsingContext</var>, <var>incumbentNavigationOrigin</var>, and
-       <var>activeDocumentNavigationOrigin</var>.</p></li>
+       <var>browsingContext</var>, <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>,
+       and <var>activeDocumentNavigationOrigin</var>.</p></li>
       </ol>
 
       <p class="example">So for example a <span data-x="javascript
@@ -83733,7 +83733,8 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      is a <span>fetch scheme</span></dt>
      <dd><p>Run <span>process a navigate fetch</span> given <var>resource</var>, the <span>source
      browsing context</span>, <var>browsingContext</var>, <var>navigationType</var>,
-     <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>.</p></dd>
+     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
+     <var>activeDocumentNavigationOrigin</var>.</p></dd>
 
      <dt>Otherwise, <var>resource</var> is a <span data-x="concept-request">request</span> whose
      <span data-x="concept-request-url">url</span>'s <span data-x="concept-url-scheme">scheme</span>
@@ -83946,9 +83947,10 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
   data-x="concept-request">request</span> <var>request</var>, a <span
   data-x="concept-response">response</span> <var>response</var>, a string <var>navigationType</var>,
   two <span data-x="browsing context">browsing contexts</span> <var>source</var> and
-  <var>browsingContext</var>, two <span data-x="origin">origins</span>
-  <var>incumbentNavigationOrigin</var> and <var>activeDocumentNavigationOrigin</var>, and an
-  optional <span>environment</span> <var>reservedEnvironment</var>, run these steps:</p>
+  <var>browsingContext</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>, two
+  <span data-x="origin">origins</span> <var>incumbentNavigationOrigin</var> and
+  <var>activeDocumentNavigationOrigin</var>, and an optional <span>environment</span>
+  <var>reservedEnvironment</var>, run these steps:</p>
 
   <ol>
    <li>
@@ -84000,15 +84002,15 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      <dt>an <span>HTML MIME type</span></dt>
      <dd>Follow the steps given in the <span data-x="navigate-html">HTML document</span> section
      providing <var>browsingContext</var>, <var>request</var>, <var>response</var>,
-     <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>. Once the
-     steps have completed, return.</dd>
+     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
+     <var>activeDocumentNavigationOrigin</var>. Once the steps have completed, return.</dd>
 
      <dt>an <span>XML MIME type</span> that is not an <span>explicitly supported XML MIME
      type</span></dt>
      <dd>Follow the steps given in the <span data-x="navigate-xml">XML document</span> section
      providing <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>. Once the
-     steps have completed, return.</dd>
+     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
+     <var>activeDocumentNavigationOrigin</var>. Once the steps have completed, return.</dd>
 
      <dt>a <span>JavaScript MIME type</span></dt>
      <dt>a <span>JSON MIME type</span> that is not an <span>explicitly supported JSON MIME
@@ -84019,28 +84021,28 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      <dt>"<code>text/vtt</code>"</dt>
      <dd>Follow the steps given in the <span data-x="navigate-text">plain text file</span> section
      providing <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>. Once the
-     steps have completed, return.</dd>
+     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
+     <var>activeDocumentNavigationOrigin</var>. Once the steps have completed, return.</dd>
 
      <dt>"<code>multipart/x-mixed-replace</code>"</dt>
      <dd>Follow the steps given in the <span
      data-x="navigate-multipart-x-mixed-replace">multipart/x-mixed-replace</span> section providing
      <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>. Once the
-     steps have completed, return.</dd>
+     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
+     <var>activeDocumentNavigationOrigin</var>. Once the steps have completed, return.</dd>
 
      <dt>A supported image, video, or audio type</dt>
      <dd>Follow the steps given in the <span data-x="navigate-media">media</span> section providing
      <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>. Once the
-     steps have completed, return.</dd>
+     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
+     <var>activeDocumentNavigationOrigin</var>. Once the steps have completed, return.</dd>
 
      <dt>A type that will use an external application to render the content in
      <var>browsingContext</var></dt>
      <dd>Follow the steps given in the <span data-x="navigate-plugin">plugin</span> section
      providing <var>browsingContext</var>, <var>type</var>, <var>request</var>, <var>response</var>,
-     <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>. Once the
-     steps have completed, return.</dd>
+     <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
+     <var>activeDocumentNavigationOrigin</var>. Once the steps have completed, return.</dd>
     </dl>
 
     <p>An <dfn>explicitly supported XML MIME type</dfn> is an <span>XML MIME type</span> for which
@@ -84211,18 +84213,18 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
   data-x="concept-document-content-type">content type</span> <var>contentType</var>, a <span
   data-x="concept-request">request</span> <var>request</var>, a <span
   data-x="concept-response">response</span> <var>response</var>, a <span data-x="browsing
-  context">browsing context</span> <var>browsingContext</var>, two <span
-  data-x="origin">origins</span> <var>incumbentNavigationOrigin</var>,
-  <var>activeDocumentNavigationOrigin</var>, and an optional <span>environment</span>
-  <var>reservedEnvironment</var>:</p>
+  context">browsing context</span> <var>browsingContext</var>, a <span>sandboxing flag set</span>
+  <var>sandboxFlags</var>, two <span data-x="origin">origins</span>
+  <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and an optional
+  <span>environment</span> <var>reservedEnvironment</var>:</p>
 
   <ol>
-   <li><p>Let <var>sandboxFlags</var> be the result of <span>determining active sandboxing
-   flags</span> given <var>browsingContext</var> and <var>response</var>.</p></li>
+   <li><p>Let <var>finalSandboxFlags</var> be the union of <var>sandboxFlags</var> and
+   <var>response</var>'s <span>forced sandboxing flag set</span>.</p></li>
 
    <li><p>Let <var>origin</var> be the result of <span>determining the origin</span> given
    <var>browsingContext</var>, <var>request's</var> <span data-x="concept-request-url">url</span>,
-   <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
+   <var>finalSandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
    <var>activeDocumentNavigationOrigin</var>.
 
    <li>
@@ -84284,7 +84286,7 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    data-x="concept-document-content-type">content type</span> is <var>contentType</var>,
    <span>origin</span> is <var>origin</var>, <span data-x="concept-document-feature-policy">feature
    policy</span> is <var>featurePolicy</var>, and <span>active sandboxing flag set</span> is
-   <var>sandboxFlags</var>.</p></li>
+   <var>finalSandboxFlags</var>.</p></li>
 
    <li id="set-the-document's-address"><p>If <var>request</var> is non-null, then set
    <var>document</var>'s <span data-x="concept-document-url">URL</span> to <var>request</var>'s
@@ -84507,14 +84509,15 @@ new PaymentRequest(&hellip;); // Allowed to use
 
   <p>When <dfn data-x="navigate-html">an HTML document is to be loaded</dfn> in a <span>browsing
   context</span>, provided <var>browsingContext</var>, <var>request</var>, <var>response</var>,
-  <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>, the user
-  agent must <span>queue a task</span> on the <span>networking task source</span> to:</p>
+  <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
+  <var>activeDocumentNavigationOrigin</var>, the user agent must <span>queue a task</span> on the
+  <span>networking task source</span> to:</p>
 
   <ol>
    <li><p>Let <var>document</var> be the result of <span
    data-x="create-the-document-object">creating and initializing a <code>Document</code>
    object</span> providing "<code data-x="">html</code>", "<code data-x="">text/html</code>",
-   <var>request</var>, <var>response</var>, <var>browsingContext</var>,
+   <var>request</var>, <var>response</var>, <var>browsingContext</var>, <var>sandboxFlags</var>,
    <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>.</p></li>
 
    <li>
@@ -84549,13 +84552,13 @@ new PaymentRequest(&hellip;); // Allowed to use
   <h4 id="read-xml"><dfn data-x="navigate-xml">Page load processing model for XML files</dfn></h4>
 
   <p>When faced with displaying an XML file inline, provided <var>browsingContext</var>,
-  <var>request</var>, <var>response</var>, <var>incumbentNavigationOrigin</var>, and
-  <var>activeDocumentNavigationOrigin</var>, user agents must follow the requirements defined in
-  <cite>XML</cite> and <cite>Namespaces in XML</cite>, <cite>XML Media Types</cite>,
-  <cite>DOM</cite>, and other relevant specifications to <span
+  <var>request</var>, <var>response</var>, <var>sandboxFlags</var>,
+  <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>, user agents
+  must follow the requirements defined in <cite>XML</cite> and <cite>Namespaces in XML</cite>,
+  <cite>XML Media Types</cite>, <cite>DOM</cite>, and other relevant specifications to <span
   data-x="create-the-document-object">create and initialize a <code>Document</code> object</span>
   providing "<code data-x="">xml</code>", <var>type</var>, <var>request</var>, <var>response</var>,
-  <var>browsingContext</var>, <var>incumbentNavigationOrigin</var>, and
+  <var>browsingContext</var>, <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
   <var>activeDocumentNavigationOrigin</var>. It must also create and a corresponding <span>XML
   parser</span>. <ref spec=XML> <ref spec=XMLNS> <ref spec=RFC7303> <ref spec=DOM></p>
 
@@ -84602,16 +84605,16 @@ new PaymentRequest(&hellip;); // Allowed to use
   <h4 id="read-text"><dfn data-x="navigate-text">Page load processing model for text files</dfn></h4>
 
   <p>When a plain text document is to be loaded in a <span>browsing context</span>, provided
-  <var>browsingContext</var>, <var>request</var>, <var>response</var>,
+  <var>browsingContext</var>, <var>request</var>, <var>response</var>, <var>sandboxFlags</var>,
   <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>, the user
   agent must <span>queue a task</span> on the <span>networking task source</span> to:
 
   <ol>
    <li><p>Let <var>document</var> be the result of <span
    data-x="create-the-document-object">creating and initialize a <code>Document</code> object</span>
    providing "<code data-x="">html</code>", <var>type</var>, <var>request</var>,
-   <var>response</var>, <var>browsingContext</var>, <var>incumbentNavigationOrigin</var>,
-   and <var>activeDocumentNavigationOrigin</var>.</p></li>
+   <var>response</var>, <var>browsingContext</var>, <var>sandboxFlags</var>,
+   <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>.</p></li>
 
    <li><p>Create an <span>HTML parser</span> and associate it with the <var>document</var>. Act as
    if the tokenizer had emitted a start tag token with the tag name "pre" followed by a single
@@ -84680,15 +84683,15 @@ new PaymentRequest(&hellip;); // Allowed to use
 
   <p>When an image, video, or audio resource is to be loaded in a <span>browsing context</span>,
   provided <var>browsingContext</var>, <var>request</var>, <var>response</var>,
-  <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>, the user
-  agent should:
+  <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
+  <var>activeDocumentNavigationOrigin</var>, the user agent should:
 
   <ol>
    <li><p>Let <var>document</var> be the result of <span
    data-x="create-the-document-object">creating and initialize a <code>Document</code> object</span>
    providing "<code data-x="">html</code>", <var>type</var>, <var>request</var>,
-   <var>response</var>, <var>browsingContext</var>, <var>incumbentNavigationOrigin</var>, and
-   <var>activeDocumentNavigationOrigin</var>.</p></li>
+   <var>response</var>, <var>browsingContext</var>, <var>sandboxFlags</var>,
+   <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>.</p></li>
 
    <li><p>Append an <code>html</code> element to <var>document</var>.</p></li>
 
@@ -84746,15 +84749,15 @@ new PaymentRequest(&hellip;); // Allowed to use
 
   <p>When a resource that requires an external resource to be rendered is to be loaded in a
   <span>browsing context</span>, provided <var>browsingContext</var>, <var>request</var>,
-  <var>response</var>, <var>incumbentNavigationOrigin</var>, and
+  <var>response</var>, <var>sandboxFlags</var>, <var>incumbentNavigationOrigin</var>, and
   <var>activeDocumentNavigationOrigin</var>, the user agent should:
 
   <ol>
    <li><p>Let <var>document</var> be the result of <span
    data-x="create-the-document-object">creating and initialize a <code>Document</code> object</span>
    providing "<code data-x="">html</code>", <var>type</var>, <var>request</var>,
-   <var>response</var>, <var>browsingContext</var>, <var>incumbentNavigationOrigin</var>, and
-   <var>activeDocumentNavigationOrigin</var>.</p></li>
+   <var>response</var>, <var>browsingContext</var>, <var>sandboxFlags</var>,
+   <var>incumbentNavigationOrigin</var>, and <var>activeDocumentNavigationOrigin</var>.</p></li>
 
    <li><p>Mark <var>document</var> as being a <dfn>plugin document</dfn></p></li>
 
@@ -84802,10 +84805,10 @@ new PaymentRequest(&hellip;); // Allowed to use
   <p>When the user agent is to display a user agent page inline in a <span>browsing context</span>,
   the user agent should <span data-x="create-the-document-object">create and initialize a
   <code>Document</code> object</span> providing "<code data-x="">html</code>", "<code
-  data-x="">text/html</code>", null, null, <var>browsingContext</var>, null, and null, and then
-  either associate that <code>Document</code> with a custom rendering that is not rendered using the
-  normal <code>Document</code> rendering rules, or mutate that <code>Document</code> until it
-  represents the content the user agent wants to render.</p>
+  data-x="">text/html</code>", null, null, <var>browsingContext</var>, an empty set, null, and null,
+  and then either associate that <code>Document</code> with a custom rendering that is not rendered
+  using the normal <code>Document</code> rendering rules, or mutate that <code>Document</code> until
+  it represents the content the user agent wants to render.</p>
 
   <!-- next two paragraphs are similar to the navigate-text section, keep them in sync -->