COOP + non-HTTP non-initial-about:blank inheritance #5198
Comments
The big problem with defining the exact model for In particular:
|
@whatwg/cross-origin-isolation please see w3c/webappsec-secure-contexts#69 for some further thoughts on |
Blob URL scenarios:
I think the proposed changes are good and they are also likely web-compatible given how esoteric things are, but we might have to tweak things, depending. |
Does that apply when the URL is persisted to a storage? |
The blob URL? I would expect the lifetime of its associated blob in the blob URL store to not outlive the global that created it. https://w3c.github.io/FileAPI/#url states this as fact, but does not in fact require it. |
Ah I see thank you. |
Update on |
Fixes whatwg#3740. Closes whatwg#4580. Need to check again if it closes them: * whatwg#4921 * whatwg#5168 * whatwg#5172 * whatwg#5198 (probably not?) Co-authored-by: Anne van Kesteren <[email protected]>
I (re)came across this while exploring the addition of COOP to the PolicyContainer within Chromium and the behavior we expect for the local schemes, specifically "about:blank" as the initial empty document and data are already covered. My understanding is that's what you are suggesting here. I would suggest, however, that we mimic the behavior of the initial empty document instead: |
Yeah that sounds reasonable and I guess that's also what we want for |
yes I think that would be the desired behavior for |
One thing I did not mention though is switching the
This seems the correct behavior to me and is identical to what would happen if B was navigated to a page that is same-origin with A and had COOP - |
I think that is fine as it would also happen if you navigated B to another A. The weird thing might be that it'll be a (useless) blank document, but I don't see a reason to add a special case for that. User agents might want to show this as some kind of error to end users? Not sure. |
Sounds good, and I don't think there's any reason to display an error. |
This CL adds a WPT test that checks the interaction of COOP same-origin-allow-popups with about:blank navigations. As discussed in whatwg/html#5198. Change-Id: Iabe461416c36468f73a41af0f69c46c545744e14
This CL adds a WPT test that checks the interaction of COOP same-origin-allow-popups with about:blank navigations. As discussed in whatwg/html#5198. Change-Id: Iabe461416c36468f73a41af0f69c46c545744e14 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2678150 Auto-Submit: Pâris Meuleman <[email protected]> Commit-Queue: Pâris Meuleman <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#860665}
This CL adds a WPT test that checks the interaction of COOP same-origin-allow-popups with about:blank navigations. As discussed in whatwg/html#5198. Change-Id: Iabe461416c36468f73a41af0f69c46c545744e14 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2678150 Auto-Submit: Pâris Meuleman <[email protected]> Commit-Queue: Pâris Meuleman <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#860665} Co-authored-by: Pâris MEULEMAN <[email protected]>
… to about:blank, a=testonly Automatic update from web-platform-tests Add WPT for COOP behavior in navigations to about:blank (#27548) This CL adds a WPT test that checks the interaction of COOP same-origin-allow-popups with about:blank navigations. As discussed in whatwg/html#5198. Change-Id: Iabe461416c36468f73a41af0f69c46c545744e14 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2678150 Auto-Submit: Pâris Meuleman <[email protected]> Commit-Queue: Pâris Meuleman <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#860665} Co-authored-by: Pâris MEULEMAN <[email protected]> -- wpt-commits: c4f759fb1e985552c9d2891d641e9e2bf3f65e83 wpt-pr: 27548
https://bugs.webkit.org/show_bug.cgi?id=192193 <rdar://problem/42013525> Reviewed by Geoff Garen. LayoutTests/imported/w3c: Rebaseline WPT tests now that most tests are passing. * web-platform-tests/IndexedDB/serialize-sharedarraybuffer-throws.https-expected.txt: * web-platform-tests/html/cross-origin-embedder-policy/cross-origin-isolated-permission.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/blob-popup.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/coep-blob-popup.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/coep-navigate-popup.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/coep-redirect.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/coep.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/coop-coep-sandbox.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/coop-csp-sandbox-navigate.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/coop-csp-sandbox.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/coop-navigated-history-popup.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/coop-navigated-popup.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/coop-sandbox.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/header-parsing.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/historical/coep-navigate-popup-unsafe-inherit.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-cross-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/historical/popup-same-origin-unsafe-allow-outgoing-with-same-site.https-expected.txt: * 
web-platform-tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-cross-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/historical/popup-same-site-unsafe-allow-outgoing-with-same-site.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/historical/popup-same-site-with-cross-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/historical/popup-same-site-with-same-site.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin-allow-popups.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/iframe-popup-same-origin-allow-popups-to-same-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-same-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/iframe-popup-same-origin-to-unsafe-none.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/iframe-popup-unsafe-none-to-same-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/javascript-url.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/navigate-to-aboutblank.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/no-https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-coop-by-sw-from-coop.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-coop-by-sw.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-redirect-cache.https-expected.txt: * 
web-platform-tests/html/cross-origin-opener-policy/popup-redirect-same-origin-allow-popups.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-cross-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-same-origin-allow-popups-with-same-site.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-same-origin-with-cross-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-same-origin-with-same-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-same-origin-with-same-site.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-unsafe-none-with-cross-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-unsafe-none-with-same-site.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-unspecified-with-cross-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-unspecified-with-same-origin.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-unspecified-with-same-site.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/popup-with-structured-header.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/resource-popup.https-expected.txt: * web-platform-tests/html/cross-origin-opener-policy/resources/resource-popup.html: * web-platform-tests/html/dom/idlharness.worker-expected.txt: Source/WebCore: Add initial support for 'Cross-Origin-Opener-Policy' HTTP header: - https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policy-value Support is complete enough to pass most WPT tests 
with the exception of: - The ones involving blob. Support for Blob does not seem trivial so I will address separately (whatwg/html#5198). - The ones that requires reporting COOP enforcement as this is not supported yet. This is a fairly large task so I'll handle separately. - The ones that involve Cross-Origin-Embedder-Policy (COEP) and this is not yet supported. I tried to stay as close as possible to the HTML specification as possible in terms of structuring and naming. I also have code comments to link to the relevant HTML spec sections. Note that as it stands, we do not currently swap process based on COOP header. We merely do isolation of the new browsing context at JS level for now. At some point, we'll want to actually process-swap, once we support COEP and we want to re-enable some Web APIs such as SharedArrayBuffer. No new tests, covered by web-plaform-tests/html/cross-origin-opener-policy. * Headers.cmake: * Sources.txt: * WebCore.xcodeproj/project.pbxproj: * bindings/js/WebCoreBuiltinNames.h: * dom/Document.cpp: (WebCore::Document::initSecurityContext): (WebCore::Document::shouldForceNoOpenerBasedOnCOOP const): (WebCore::Document::crossOriginOpenerPolicy const): (WebCore::Document::setCrossOriginOpenerPolicy): * dom/Document.h: (WebCore::Document::isSameOriginAsTopDocument const): * dom/SecurityContext.cpp: (WebCore::SecurityContext::enforceSandboxFlags): * dom/SecurityContext.h: (WebCore::SecurityContext::creationSandboxFlags const): * inspector/InspectorFrontendClientLocal.cpp: (WebCore::InspectorFrontendClientLocal::openURLExternally): * loader/CrossOriginEmbedderPolicy.cpp: Copied from Source/WebCore/page/AbstractFrame.cpp. (WebCore::obtainCrossOriginEmbedderPolicy): * loader/CrossOriginEmbedderPolicy.h: Copied from Source/WebCore/page/AbstractFrame.cpp. * loader/CrossOriginOpenerPolicy.cpp: Added. (WebCore::obtainCrossOriginOpenerPolicy): * loader/CrossOriginOpenerPolicy.h: Copied from Source/WebCore/page/AbstractFrame.h. 
* loader/DocumentLoader.cpp: (WebCore::DocumentLoader::willSendRequest): (WebCore::checkIfCOOPValuesRequireBrowsingContextGroupSwitch): (WebCore::computeResponseOriginAndCOOP): (WebCore::DocumentLoader::doCrossOriginOpenerHandlingOfResponse): (WebCore::DocumentLoader::enforceResponseCrossOriginOpenerPolicy): (WebCore::DocumentLoader::responseReceived): (WebCore::DocumentLoader::maybeLoadEmpty): * loader/DocumentLoader.h: (WebCore::DocumentLoader::crossOriginOpenerPolicy const): * loader/DocumentWriter.cpp: (WebCore::DocumentWriter::begin): * loader/FrameLoader.cpp: (WebCore::FrameLoader::didBeginDocument): (WebCore::FrameLoader::setOpener): (WebCore::FrameLoader::loadURL): (WebCore::FrameLoader::loadPostRequest): (WebCore::createWindow): (WebCore::FrameLoader::switchBrowsingContextsGroup): * loader/FrameLoader.h: * loader/NavigationAction.cpp: * loader/NavigationAction.h: (WebCore::NavigationAction::Requester::securityOrigin const): (WebCore::NavigationAction::Requester::topOrigin const): (WebCore::NavigationAction::Requester::crossOriginOpenerPolicy const): * page/AbstractFrame.cpp: (WebCore::AbstractFrame::resetWindowProxy): * page/AbstractFrame.h: * page/DOMWindow.cpp: (WebCore::DOMWindow::crossOriginIsolated const): (WebCore::DOMWindow::createWindow): * page/DOMWindow.h: * page/Frame.cpp: (WebCore::Frame::resetScript): * page/Frame.h: * page/Page.h: (WebCore::Page::setOpenedByDOMWithOpener): * page/WindowOrWorkerGlobalScope.idl: * page/csp/ContentSecurityPolicy.cpp: (WebCore::ContentSecurityPolicy::applyPolicyToScriptExecutionContext): * platform/network/HTTPHeaderNames.in: * platform/network/HTTPParsers.cpp: (WebCore::parseStructuredFieldValue): * platform/network/HTTPParsers.h: * platform/network/ResourceResponseBase.cpp: (WebCore::isSafeRedirectionResponseHeader): * workers/WorkerGlobalScope.cpp: (WebCore::WorkerGlobalScope::crossOriginIsolated const): * workers/WorkerGlobalScope.h: Source/WTF: Add experimental feature flag for 'Cross-Origin-Opener-Policy' 
HTTP header support. * Scripts/Preferences/WebPreferencesExperimental.yaml: LayoutTests: Update test expectations. * TestExpectations: * platform/ios-wk2/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt: * platform/mac-wk1/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt: * platform/mac-wk2/TestExpectations: * platform/mac-wk2/imported/w3c/web-platform-tests/html/dom/idlharness.https-expected.txt: * platform/mac/TestExpectations: Canonical link: https://commits.webkit.org/240136@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@280504 268f45cc-cd09-0410-ab3c-d52691b4dbfc
This CL adds a WPT test that checks the interaction of COOP same-origin-allow-popups with about:blank navigations. As discussed in whatwg/html#5198. Change-Id: Iabe461416c36468f73a41af0f69c46c545744e14 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2678150 Auto-Submit: Pâris Meuleman <[email protected]> Commit-Queue: Pâris Meuleman <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#860665} GitOrigin-RevId: 434ea0b3e06242ab816475ad5c6d1f858552a7f0
Part of this is tracked by #5168 where I think we have good solutions for initial about:blank. #4916 tracks this for COEP.
data: cannot work as it's not a secure context. about:blank and blob: remain for popups. I think we should inherit for them as we do normally, presumably from the source browsing context document.
Work in progress tests:
data:
)
cc @clelland @zcorpan @jugglinmike @ParisMeuleman @mikewest @hemeryar
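The inheritance rule proposed in this issue for about:blank and blob: popups, combined with a simplified reading of the HTML Standard's COOP comparison, as an added example (not code from this thread, the spec, or any browser). The origins, URLs, and function names are constructed, and taking the policy from the document that initiates the navigation is the proposal's assumption, not settled behavior.

```javascript
// Added example: a simplified model, not spec text or browser code.
// All origins, URLs and function names are constructed for illustration.

const UNSAFE_NONE = "unsafe-none";
const ALLOW_POPUPS = "same-origin-allow-popups";

// Policy the new document ends up with. about:blank and blob: carry no HTTP
// response headers, so (assumption taken from the proposal) they inherit the
// origin and COOP of the document that initiated the navigation.
function resolvePolicy(url, responseCoop, source) {
  const parsed = new URL(url);
  switch (parsed.protocol) {
    case "about:":
    case "blob:":
      return { origin: source.origin, coop: source.coop, inherited: true };
    case "data:":
      // Opaque origin (modelled as null) and not a secure context,
      // so COOP cannot apply and the document is treated as unsafe-none.
      return { origin: null, coop: UNSAFE_NONE, inherited: false };
    default:
      return {
        origin: parsed.origin,
        coop: responseCoop || UNSAFE_NONE,
        inherited: false,
      };
  }
}

// Opaque origins are never same-origin with anything, including themselves.
function sameOrigin(a, b) {
  return a !== null && b !== null && a === b;
}

// Two documents "match" when both are unsafe-none, or when they carry the
// same non-default value and are same-origin.
function coopMatches(a, b) {
  if (a.coop === UNSAFE_NONE && b.coop === UNSAFE_NONE) return true;
  if (a.coop === UNSAFE_NONE || b.coop === UNSAFE_NONE) return false;
  return a.coop === b.coop && sameOrigin(a.origin, b.origin);
}

// A mismatch severs the opener relationship by moving the popup to a new
// browsing context group. The one exception: a popup still on its initial
// about:blank, opened by a same-origin-allow-popups document, may navigate
// to an unsafe-none document without being severed.
function needsGroupSwitch(active, next, activeIsInitialAboutBlank) {
  if (coopMatches(active, next)) return false;
  if (activeIsInitialAboutBlank &&
      active.coop === ALLOW_POPUPS &&
      next.coop === UNSAFE_NONE) {
    return false;
  }
  return true;
}

// active: document currently in the popup; source: document that navigates it.
function navigatePopup(active, url, responseCoop, source, activeIsInitialAboutBlank = false) {
  const next = resolvePolicy(url, responseCoop, source);
  return { next, switched: needsGroupSwitch(active, next, activeIsInitialAboutBlank) };
}

// Constructed documents: A sets COOP, B does not.
const docA = { origin: "https://a.example", coop: ALLOW_POPUPS };
const docB = { origin: "https://b.example", coop: UNSAFE_NONE };

function runScenarios() {
  return {
    // Popup shows B; A navigates it to about:blank (inherits A's policy).
    aboutBlankOverB: navigatePopup(docB, "about:blank", undefined, docA),
    // Same popup navigated to a real page on A's origin that sends A's COOP.
    pageOnAOverB: navigatePopup(docB, "https://a.example/page", ALLOW_POPUPS, docA),
    // Popup shows an A document; A navigates it to one of its blob: URLs.
    blobOverA: navigatePopup(docA, "blob:https://a.example/constructed-id", undefined, docA),
    // Popup is still on initial about:blank (A's policy); goes to B without COOP.
    initialToB: navigatePopup(docA, "https://b.example/", undefined, docA, true),
    // Popup shows an A document; A navigates it to a data: URL.
    dataOverA: navigatePopup(docA, "data:text/html,constructed", undefined, docA),
  };
}

for (const [name, result] of Object.entries(runScenarios())) {
  console.log(name, result.next.coop, result.switched ? "new group" : "same group");
}
```

With inheritance, the about:blank navigation over B is handled exactly like a navigation to an A page carrying A's COOP, so the local-scheme document needs no special case in the comparison itself.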