COOP about:blank inheritance not clearly defined #5168

Open
zcorpan opened this issue Dec 18, 2019 · 5 comments
Labels
topic: cross-origin-opener-policy Issues and ideas around the new "inverse of rel=noopener" header

zcorpan commented Dec 18, 2019

about:blank documents inherit cross-origin opener-policy from their creator's top-level browsing context's active document at the time of creation, if there is a creator and if the creator's origin is same origin with the creator's top-level origin.

This doesn't seem to be spelled out as an explicit change to the appropriate algorithm.

The right algorithm would be https://html.spec.whatwg.org/multipage/browsing-the-web.html#initialise-the-document-object , correct?

cc @annevk

@zcorpan zcorpan added the topic: cross-origin-opener-policy Issues and ideas around the new "inverse of rel=noopener" header label Dec 18, 2019
@wanderview

Also, this would be yet another deviation from other existing examples of inheritance:

w3ctag/design-principles#111

For most other things about:blank inherits from its creator context, not the creator's top-level active document.

annevk commented Dec 20, 2019

What would you prefer @wanderview?

@wanderview

Ideally I'd prefer it was inherited from its immediate parent like the about:blank iframe's origin. I don't know if that is reasonable for COOP, though. If the parent's COOP policy was inherited from its parent and so on, it would kind of devolve to inheriting from the top-level, but a frame in the middle could change the policy with a header?

annevk commented Jan 3, 2020

HTTP-delivered document A2 inheriting from parent A1 is also not quite like existing practice as we don't inherit policies for HTTP-delivered documents generally. Also, presumably we don't want to do that cross-origin so A1 embedding B embedding A2 would break.

Now requiring COOP is an interesting idea, but that means that if A2 in the above scenario does not set COOP and A1 does (or they set a different COOP) and A2 creates a popup we'd have to "noopener" it. This would probably work, though it seems somewhat cumbersome that COOP is generally for top-level only unless you want to open a popup from a framed document in which case you also need to set it on the framed document.

annevk commented Jan 8, 2020

Another way to think about the model (and a potential way to rewrite it) is that we store COOP on the BCG and also retrieve it from there, and because of https://gist.github.com/annevk/6f2dd8c79c77123f39797f6bdac43f3e#changes-to-choosing-a-browsing-context no inheritance would be needed, though it ends up meaning the exact same thing.

This might be slightly better as it would not impact subframes which are not impacted by COOP to begin with (only COEP).

(Yet another way to accomplish this would be to let "choosing a browsing context" pass a parameter down to initial about:blank creation of an auxiliary browsing context and settle it that way.)
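
The rule quoted in the opening comment and the creator-based alternative raised later in the thread, modelled side by side. This is an added example, not part of the issue or of the HTML Standard; the document objects, the `unsafe-none` fallback and the example origins are assumptions made for illustration.

```javascript
// Added illustration, not spec text. A document is modelled as
// { origin, coop, parent }: coop is the header value it was served with
// (or null), parent is the embedding document (null for top-level).
const DEFAULT_COOP = "unsafe-none"; // assumption: value used when nothing is inherited

function topLevel(doc) {
  while (doc.parent) doc = doc.parent;
  return doc;
}

// Rule quoted in the opening comment: inherit from the creator's top-level
// document, but only when the creator is same origin with that document.
function inheritFromTopLevel(creator) {
  if (!creator) return DEFAULT_COOP;
  const top = topLevel(creator);
  if (creator.origin !== top.origin) return DEFAULT_COOP;
  return top.coop ?? DEFAULT_COOP;
}

// Alternative raised in the thread: inherit from the immediate creator,
// so a framed document's own header changes what a new about:blank gets.
function inheritFromCreator(creator) {
  if (!creator) return DEFAULT_COOP;
  return creator.coop ?? DEFAULT_COOP;
}

function compare(creator) {
  return {
    topLevelRule: inheritFromTopLevel(creator),
    creatorRule: inheritFromCreator(creator),
  };
}

// Constructed sample tree: A1 embedding B embedding A2, as in the thread.
const a1 = { origin: "https://a.example", coop: "same-origin", parent: null };
const b = { origin: "https://b.example", coop: null, parent: a1 };
const a2 = { origin: "https://a.example", coop: "same-origin-allow-popups", parent: b };

for (const [name, doc] of [["A1", a1], ["B", b], ["A2", a2]]) {
  console.log(name, "creates about:blank ->", compare(doc));
}
```

The two models agree when A1 or B is the creator and diverge for A2, the framed document that sets its own header.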

annevk added a commit to camillelamy/html that referenced this issue Jun 5, 2020
Fixes whatwg#3740. Closes whatwg#4580.

Need to check again if it closes them:

* whatwg#4921
* whatwg#5168
* whatwg#5172
* whatwg#5198 (probably not?)

Co-authored-by: Anne van Kesteren <[email protected]>
camillelamy pushed a commit to camillelamy/html that referenced this issue Jun 10, 2020 (same commit message as above)
camillelamy pushed a commit to camillelamy/html that referenced this issue Jun 16, 2020 (same commit message as above)
camillelamy pushed a commit to camillelamy/html that referenced this issue Jun 24, 2020 (same commit message as above)