Run the CORP check while processing navigation response

[yutakahirano]

In order to run the CORP check for main resources for nested frames,
run the CORP check in the "process navigation response" algorithm.
This is needed because we want to run the CORP check against the
parent frame's origin, not the origin of the source browsing context.

Fixes whatwg/html#5308.

[yutakahirano]

@annevk @mikewest PTAL.

This change conflicts with #9 and #10, but please don't care. I'll rebase changes whenever necessary.
As CORP is checked only for nested frames, we don't need to check the destination in CORP. On the other hand, we need to run CORP from fetch (and related callers) only for "no-cors" requests.

[yutakahirano]

ping

[annevk]

I think this check is run too late as it wouldn't be run for redirect responses. This might be a problem in how set things up in HTML to begin with though.

@domenic and I were looking at this the other day and there might be room for improvement here.

E.g., I notice that the current setup would also not enforce X-Frame-Options set upon a redirect response, which seems somewhat bad.

[yutakahirano]

Thank you! I moved the insertion point from "process navigate a response" to "process navigate a fetch".

[mikewest]

E.g., I notice that the current setup would also not enforce X-Frame-Options set upon a redirect response, which seems somewhat bad.

Note that Chrome doesn't enforce XFO on redirects. I don't think Firefox or Safari do either, though I haven't checked at all recently. See the data I pasted into web-platform-tests/wpt#21730 (comment), and the underlying discussion in https://crbug.com/835465.

That said, I think it's quite reasonable to make a different decision here and enforce COEP/CORP on redirect responses, since this mechanism is new and we can do the right thing from the get go.

[mikewest]

Note that this runs before frame-ancestors checks, which sounds fine. I don't think there's any good reason to prefer one ordering to the other, but it's something we should probably lock down in tests so that the right set of things get reported consistently across browsers.

[yutakahirano]

Ack.

[mikewest]

You'll want to add this to the list of changes in https://mikewest.github.io/corpp/#integration-html (around line 333). It might be reasonable to drop this whole section in favor of simply monkey-patching there, or it may make sense to label the following as an algorithm that's called-out-to in the same way we do for "process a navigate response". I'm happy either way. Depending on which route you take, I'd adjust this text accordingly, perhaps copy/pasting the existing "process a navigation response" text, a la:

Suggested change

	For every navigation request for a nested browsing context whose parent's embedder
	policy is "`require-corp`", CORP is checked.
	If a document's [=document/embedder policy=] is "`require-corp`", then any document it embeds in a
	[=nested browsing context=] must positively assert a "`require-corp`" [=/embedder policy=] (see
	[[#cascade-vs-require]]). Here, we modify HTML's [=process a navigation fetch=] algorithm to perform
	the CORP check upon each redirect in a navigation chain.

[yutakahirano]

I inlined the section. Does it look good?

[mikewest]

I'd like to see what this algorithm looks like after #9 and #10 land. Can we get those in, and rebase this accordingly? It's hard to piece together otherwise.

[yutakahirano]

I rebased this change on top of #9. It is shown as a combined change on the review. dcd0828 shows the diff.

I believe #10 and #11 is almost independent each other because I stopped working on "process navigate a response" on this change.

[yutakahirano]

Now #9 is merged so hopefully this change is clear enough.

[annevk]

That sounds great and happy to give old policies an exception (for now).

[yutakahirano]

I think I addressed all the comments. PTAL again.

[mikewest]

LGTM. Thanks for iterating on this.