Report COEP violations in nested frame loading #10
Conversation
|
Notes: Child frame's "report only value" is not taken into account because we block the navigation only when the child's policy is " parent:
child (response):
If the site owner updates the policy for the parent and the child at the same time, or update the policy for the child first, that should not be a problem. On the other hand, when the site owner updates the policy for the parent first, we'll see a block, so it is correct to report the potential blocking. The user agent doesn't know the site owner's plan, so we report the case with COEP values so that the site owner can decide whether to take an action on or ignore the report. |
|
ping |
1 similar comment
|
ping |
index.bs
Outdated
| 4. Let |body| be a new object containing the following properties with keys: | ||
|
|
||
| * key: "`blocked`", value: |serialized blocked url|. | ||
| * key: "`child cross-origin-embedder-policy`", value: |response policy|'s |
There was a problem hiding this comment.
Do we need to reveal this? I don't think there's much risk in saying that the resource asserted same-origin vs same-site, but it doesn't seem like we should be giving that information away cross-origin in the first place.
There was a problem hiding this comment.
@arturjanc to have an opinion about this (or delegate!) from the server-side.
There was a problem hiding this comment.
Ah good point. @annevk is concerned about leaking information through redirects. On the other hand, if we reveal COEP values only when the request's url is same origin with the origin of the parent context, that reveals one-bit information, same-originness. Is it too subtle?
I'm fine with revealing the COEP values only when the request's url is same origin with the origin of the parent context.
There was a problem hiding this comment.
I'm asking whether we need to reveal the value at all. "It doesn't match, otherwise I wouldn't be getting this violation report." seems like enough?
There was a problem hiding this comment.
I stated why this information is needed at #10 (comment) .
There was a problem hiding this comment.
Mike, does my above comment answer your question?
There was a problem hiding this comment.
It doesn't, unfortunately. But let's land this as-is and argue about this detail offline. :)
I don't understand what this is saying. |
Does the previous paragraph make sense to you?
|
|
I see. Yeah, we should report when there would be a block (and not make that depend on report only values or some such). |
|
I guess I don't see how it relates to needing to report the actual COEP values though. The result being blocked or allowed seems sufficient? |
|
Hmm, then the site owner needs to filter out reports by looking at "url" and "blocked-url". And that sounds OK. I'll remove the policy part. |
Modify the "check a navigation response’s adherence to its embedder’s policy" logic so as to report (possibly potential) COEP violations.
yutakahirano
force-pushed
the
yhirano/report-to-navigation
branch
from
7585d21 to
d456297
Compare
|
Done. @annevk, can you take a look again? |
|
I share Mike's concern about the logic duplication. It seems we should be able to do this in a single pass whereby the reporting and actual blocking are both conditional on what policy is in effect. |
Implements WICG/cross-origin-embedder-policy#10 Bug: 1052764 Change-Id: I76464069d3a0a4ea1463a2e626f5e0b355f175ee
Done. @annevk, can you take a look again? |
Implements WICG/cross-origin-embedder-policy#10 Bug: 1052764 Change-Id: I76464069d3a0a4ea1463a2e626f5e0b355f175ee
Implements WICG/cross-origin-embedder-policy#10 Bug: 1052764 Change-Id: I76464069d3a0a4ea1463a2e626f5e0b355f175ee
Implements WICG/cross-origin-embedder-policy#10 Bug: 1052764 Change-Id: I76464069d3a0a4ea1463a2e626f5e0b355f175ee
Implements WICG/cross-origin-embedder-policy#10 Bug: 1052764 Change-Id: I76464069d3a0a4ea1463a2e626f5e0b355f175ee Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2091326 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Cr-Commit-Position: refs/heads/master@{#749129}
Implements WICG/cross-origin-embedder-policy#10 Bug: 1052764 Change-Id: I76464069d3a0a4ea1463a2e626f5e0b355f175ee Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2091326 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Cr-Commit-Position: refs/heads/master@{#749129}
Implements WICG/cross-origin-embedder-policy#10 Bug: 1052764 Change-Id: I76464069d3a0a4ea1463a2e626f5e0b355f175ee Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2091326 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Cr-Commit-Position: refs/heads/master@{#749129}
… a=testonly Automatic update from web-platform-tests Implement COEP reporting for navigation Implements WICG/cross-origin-embedder-policy#10 Bug: 1052764 Change-Id: I76464069d3a0a4ea1463a2e626f5e0b355f175ee Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2091326 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Cr-Commit-Position: refs/heads/master@{#749129} -- wpt-commits: 7276e150b9b597e1e688fd1c892454411952e37a wpt-pr: 22159
… a=testonly Automatic update from web-platform-tests Implement COEP reporting for navigation Implements WICG/cross-origin-embedder-policy#10 Bug: 1052764 Change-Id: I76464069d3a0a4ea1463a2e626f5e0b355f175ee Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2091326 Commit-Queue: Yutaka Hirano <yhirano@chromium.org> Reviewed-by: Matt Falkenhagen <falken@chromium.org> Cr-Commit-Position: refs/heads/master@{#749129} -- wpt-commits: 7276e150b9b597e1e688fd1c892454411952e37a wpt-pr: 22159
… a=testonly Automatic update from web-platform-tests Implement COEP reporting for navigation Implements WICG/cross-origin-embedder-policy#10 Bug: 1052764 Change-Id: I76464069d3a0a4ea1463a2e626f5e0b355f175ee Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2091326 Commit-Queue: Yutaka Hirano <yhiranochromium.org> Reviewed-by: Matt Falkenhagen <falkenchromium.org> Cr-Commit-Position: refs/heads/master{#749129} -- wpt-commits: 7276e150b9b597e1e688fd1c892454411952e37a wpt-pr: 22159 UltraBlame original commit: e7f3bc915e2476ecececc2f15e5d5ee3baed90f9
… a=testonly Automatic update from web-platform-tests Implement COEP reporting for navigation Implements WICG/cross-origin-embedder-policy#10 Bug: 1052764 Change-Id: I76464069d3a0a4ea1463a2e626f5e0b355f175ee Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2091326 Commit-Queue: Yutaka Hirano <yhiranochromium.org> Reviewed-by: Matt Falkenhagen <falkenchromium.org> Cr-Commit-Position: refs/heads/master{#749129} -- wpt-commits: 7276e150b9b597e1e688fd1c892454411952e37a wpt-pr: 22159 UltraBlame original commit: e7f3bc915e2476ecececc2f15e5d5ee3baed90f9
… a=testonly Automatic update from web-platform-tests Implement COEP reporting for navigation Implements WICG/cross-origin-embedder-policy#10 Bug: 1052764 Change-Id: I76464069d3a0a4ea1463a2e626f5e0b355f175ee Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2091326 Commit-Queue: Yutaka Hirano <yhiranochromium.org> Reviewed-by: Matt Falkenhagen <falkenchromium.org> Cr-Commit-Position: refs/heads/master{#749129} -- wpt-commits: 7276e150b9b597e1e688fd1c892454411952e37a wpt-pr: 22159 UltraBlame original commit: e7f3bc915e2476ecececc2f15e5d5ee3baed90f9
|
Let me land this for now. If you have further comments please let me know, I'll be happy to address them. |
Modify the "check a navigation response’s adherence to its
embedder’s policy" logic so as to report (possibly potential)
COEP violations.