Skip to content

Commit

Permalink
# This is a combination of 2 commits.
Browse files Browse the repository at this point in the history 
# This is the 1st commit message:

# This is a combination of 23 commits.
# This is the 1st commit message:

Integrate CORP and COEP

This is part of the introduction of COEP
(whatwg/html#5454). The CORP check now takes
COEP into account. Also, responses coming from service workers
are checked.

# This is the commit message #2:

Update fetch.bs

Co-authored-by: Domenic Denicola <d@domenic.me>
# This is the commit message #3:

Update fetch.bs

Co-authored-by: Domenic Denicola <d@domenic.me>
# This is the commit message #4:

fix

# This is the commit message #5:

fix

# This is the commit message #6:

fix

# This is the commit message #7:

fix

# This is the commit message #8:

fix

# This is the commit message #9:

fix

# This is the commit message #10:

fix

# This is the commit message #11:

fix

# This is the commit message #12:

fix

# This is the commit message #13:

fix

# This is the commit message #14:

fix

# This is the commit message #15:

fix

# This is the commit message #16:

fix

# This is the commit message #17:

fix

# This is the commit message #18:

Update fetch.bs

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
# This is the commit message #19:

Update fetch.bs

Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
# This is the commit message #20:

fix

# This is the commit message #21:

fix

# This is the commit message #22:

fix

# This is the commit message #23:

fix

# This is the commit message #2:

fix
  • Loading branch information
@yutakahirano
yutakahirano committed Jun 23, 2020
1 parent f083f8c commit db9fbcd
Showing 1 changed file with 139 additions and 59 deletions.
198 changes: 139 additions & 59 deletions fetch.bs
View file
Original file line number Diff line number Diff line change
Expand Up @@ -1751,14 +1751,17 @@ source of security bugs. Please seek security review for features that deal with

<hr>

<p>To <dfn export>serialize a request URL for reporting</dfn>, given a <a for=/>request</a>
<var>request</var>, run these steps:
<p>To <dfn export>serialize a response URL for reporting</dfn>, given a <a for=/>response</a>
<var>response</var>, run these steps:

<ol>
<li><p>Assert: <var>response</var>'s <a for=response>URL list</a> <a for=list>is not empty</a>.

<li>
<p>Let <var>url</var> be a copy of <var>request</var>'s <a for=request>URL</a>.
<p>Let <var>url</var> be a copy of <var>response</var>'s <a for=response>URL list</a>'s first
element.

<p class="note">This is not <var>request</var>'s <a for=request>current URL</a> in order to avoid
<p class="note">This is not <var>response</var>'s <a for=response>URL</a> in order to avoid
leaking information about redirect targets (see
<a href="https://w3c.github.io/webappsec-csp/#security-violation-reports">similar considerations for CSP reporting</a>
too). [[CSP]]
Expand All @@ -1772,26 +1775,6 @@ source of security bugs. Please seek security review for features that deal with
</ol>


<p>To <dfn export for=request id=concept-request-serialize-url-for-reporting>serialize a request URL
for reporting</dfn>, given a <a for=/>request</a> <var>request</var>, run these steps:

<ol>
<li>
<p>Let <var>url</var> be a copy of <var>request</var>'s <a for=request>URL</a>.

<p class="note">This is not <var>request</var>'s <a for=request>current URL</a> in order to avoid
leaking information about redirect targets (see
<a href="https://w3c.github.io/webappsec-csp/#security-violation-reports">similar considerations
for CSP reporting</a> too).

<li><p><a>Set the username</a> given <var>url</var> and the empty string.

<li><p><a>Set the password</a> given <var>url</var> and the empty string.

<li><p>Return <var>url</var> <a lt="url serializer">serialized</a>with the
<i>exclude fragment flag</i> set.
</ol>

<h4 id=responses>Responses</h4>

<p>The result of <a for=/>fetch</a> is a
Expand Down Expand Up @@ -3167,57 +3150,145 @@ response <a for=/>header</a> can be used to require checking a <a for=/>request<
Cross-Origin-Resource-Policy = %s"same-origin" / %s"same-site" / %s"cross-origin" ; case-sensitive
</code></pre>

<p>To perform a <dfn>cross-origin resource policy check</dfn>, given a <var>request</var> and
<var>response</var>, run these steps:</p>
<p>To perform a <dfn export>cross-origin resource policy check</dfn>, given an <a for=url>origin</a>
<var>origin</var>, an <a for=/>environment settings object</a> <var>settingsObject</var>, a
<a for=/>response</a> <var>response</var>, and an optional boolean <var>forNavigation</var>, run
these steps:

<ol>
<li><p>If <var>request</var>'s <a for=request>mode</a> is not "<code>no-cors</code>", then return
<b>allowed</b>.
<li><p>Set <var>forNavigation</var> to false if it is not given.

<li><p>Let <var>embedderPolicy</var> be <var>settingsObject</var>'s embedder policy.

<li>
<p>If <var>request</var>'s <a for=request>origin</a> is <a>same origin</a> with
<var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, then return
<b>allowed</b>.
<p>If the <a>cross-origin resource policy internal check</a> with <var>origin</var>,
"<code>unsafe-none</code>", <var>response</var>, and <var>forNavigation</var> returns
<b>blocked</b>, then return <b>blocked</b>.

<p class="note no-backref">While redirects that carry a
`<a http-header><code>Cross-Origin-Resource-Policy</code></a>` header are checked, redirects
without such a header resulting in <var>response</var> do not affect the outcome as the default is
<b>allowed</b>.
<!-- This changes with COEP's cross-origin value. -->
<p class="note">This step is needed because we don't want to report violations not related to
Cross-Origin Embedder Policy below.

<li><p>If the <a>cross-origin resource policy internal check</a> with <var>origin</var>,
<var>embedderPolicy</var>'s report only value, <var>response</var>, and <var>forNavigation</var>
returns <b>blocked</b>, then <a>queue a cross-origin embedder policy CORP violation report</a>
with <var>response</var>, <var>settingsObject</var>, and true.

<li><p>If the <a>cross-origin resource policy internal check</a> with <var>origin</var>,
<var>embedderPolicy</var>'s value, <var>response</var>, and <var>forNavigation</var> returns
<b>allowed</b>, then return <b>allowed</b>.

<li><p><a>Queue a cross-origin embedder policy CORP violation report</a> with <var>response</var>,
<var>settingsObject</var>, and false.

<li><p>Return <b>blocked</b>.
</ol>

<p class="note no-backref">Only HTML's navigate algorithm uses this check with
<var>forNavigation</var> set to true, and it's always for nested navigations. Otherwise,
<var>response</var> is either the <a for=internal>internal response</a> of an
<a>opaque filtered response</a> or a <a for=/>response</a> which will be the
<a for=internal>internal response</a> of an
<a>opaque filtered response</a>. [[HTML]]

<p>To perform a <dfn>cross-origin resource policy internal check</dfn>, given an
<a for=url>origin</a> <var>origin</var>, an embedder policy value <var>embedderPolicyValue</var>,
a <a for=/>response</a> <var>response</var>, and a boolean <var>forNavigation</var>, run these
steps:

<ol>
<li><p>If <var>forNavigation</var> is true and <var>embedderPolicyValue</var> is
"<code>unsafe-none</code>", then return <b>allowed</b>.

<li>
<p>Let <var>policy</var> be the result of <a for="header list">getting</a>
`<a http-header><code>Cross-Origin-Resource-Policy</code></a>` from <var>response</var>'s
<a for=response>header list</a>.

<p class=note>This means that `<code>Cross-Origin-Resource-Policy: same-site, same-origin</code>`
ends up as <b>allowed</b> below as it will never match anything. Two or more
ends up as <b>allowed</b> below as it will never match anything, as long as
<var>embedderPolicyValue</var> is "<code>unsafe-none</code>". Two or more
`<a http-header><code>Cross-Origin-Resource-Policy</code></a>` headers will have the same effect.

<li><p>If <var>policy</var> is `<code>same-origin</code>`, then return <b>blocked</b>.
<li><p>If <var>policy</var> is neither `<code>same-origin</code>`, `<code>same-site</code>`, nor
`<code>cross-origin</code>`, then set <var>policy</var> to null.

<li><p>If <var>policy</var> is null and <var>embedderPolicyValue</var> is
"<code>require-corp</code>", then set <var>policy</var> to `<code>same-origin</code>`.

<li>
<p>If the following are true
<p>Switch on <var>policy</var>:

<ul class=brief>
<li><var>request</var>'s <a for=request>origin</a> is <a>schemelessly same site</a> with
<var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>
<li><var>request</var>'s <a for=request>origin</a>'s <a for=url>scheme</a> is
"<code>https</code>" or <var>response</var>'s <a for=response>HTTPS state</a> is
"<code>none</code>"
</ul>
<dl class=switch>
<dt>null
<dt>`<code>cross-origin</code>`
<dd><p>Return <b>allowed</b>.

<dt>`<code>same-origin</code>`
<dd>
<p>If <var>origin</var> is <a>same origin</a> with <var>response</var>'s <a for=response>URL</a>'s
<a for=url>origin</a>, then return <b>allowed</b>.

<p>then return <b>allowed</b>.
<p>Otherwise, return <b>blocked</b>.

<p class=note>This prevents HTTPS responses with
`<code>Cross-Origin-Resource-Policy: same-site</code>` from being accessed without secure
transport.
<dt>`<code>same-site</code>`
<dd>
<p>If the following are true

<li><p>If <var>policy</var> is `<code>same-site</code>`, then return <b>blocked</b>.
<ul class=brief>
<li><p><var>origin</var> is <a>schemelessly same site</a> with <var>response</var>'s
<a for=response>URL</a>'s <a for=url>origin</a>

<li><p>Return <b>allowed</b>.
<li><p><var>origin</var>'s <a for=url>scheme</a> is "<code>https</code>" or
<var>response</var>'s <a for=response>HTTPS state</a> is "<code>none</code>"
</ul>

<p>then return <b>allowed</b>.

<p>Otherwise, return <b>blocked</b>.

<p class=note>`<code>Cross-Origin-Resource-Policy: same-site</code>` does not consider a
response delivered via a secure transport to match a non-secure requesting origin,
even if their hosts are otherwise same site. Securely-transported responses will only
match a securely-transported initiator.
</dl>
</ol>

<p>To <dfn>queue a cross-origin embedder policy CORP violation report</dfn>, given a
<a for=/>response</a> <var>response</var>, an <a for=/>environment settings object</a>
<var>settingsObject</var>, and a boolean <var>reportOnly</var>, run these steps:

<ol>
<li><p>Let <var>endpoint</var> be <var>settingsObject</var>'s embedder policy's
report only reporting endpoint if the <var>reportOnly</var> is true and
<var>settingsObject</var>'s embedder policy's reporting endpoint otherwise.

<li><p>Let <var>serialized url</var> be the result of
<a lt="serialize a response URL for reporting">serializing a response URL for reporting</a> with
<var>response</var>.

<li>
<p>Let <var>body</var> be a new object containing the following properties:

<table>
<thead>
<th>key
<th>value
</thead>
<tbody>
<tr>
<td>"<code>type</code>"
<td>"<code>corp</code>"
</tr>
<tr>
<td>"<code>blocked-url</code>"
<td><var>serialized url</var>
</tr>
</tbody>
</table>

<li><p><a for="reporting">Queue</a> <var>body</var> as the "<code>coep</code>"report type for
<var>endpoint</var> on <var>settingsObject</var>. [[!REPORTING]]
</ol>


<h2 id=fetching>Fetching</h2>
Expand Down Expand Up @@ -3609,9 +3680,8 @@ optionally with a <i>recursive flag</i>, run these steps:
<p>If <var>internalResponse</var>'s <a for=response>URL list</a> <a for=list>is empty</a>, then
set it to a <a for=list>clone</a> of <var>request</var>'s <a for=request>URL list</a>.

<p class=note>A <a for=/>response</a>'s <a for=response>URL list</a> will typically be empty at
this point, unless it came from a service worker, in which case it will only be empty if it was
created through <a lt="Response()" constructor><code>new Response()</code></a>.
<p class=note>A <a for=/>response</a>'s <a for=response>URL list</a> can be empty when it's for
"<code>about</code>" URLs for example.
<!-- If you are ever tempted to move this around, carefully consider responses from about URLs,
blob URLs, service workers, HTTP cache, HTTP network, etc. -->

Expand Down Expand Up @@ -3981,6 +4051,17 @@ optional <i>CORS-preflight flag</i>, run these steps:
then set <var>request</var>'s <a for=request>timing allow failed flag</a>.
</ol>

<li>
<p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>opaque</code>"
and the <a>cross-origin resource policy check</a> with <var>request</var>'s
<a for=request>origin</a>, <var>request</var>'s <a for=request>client</a>, and
<var>actualResponse</var> returns <b>blocked</b>, then return a <a>network error</a>.

<p class=note>The <a>cross-origin resource policy check</a> runs for responses coming from the
network and responses coming from the service worker. This is different from the
<a>CORS check</a>. This is because <var>request</var>'s <a for=request>client</a> and the
service worker can have different embedder policies.

<li>
<p>If <var>actualResponse</var>'s <a for=response>status</a> is a <a>redirect status</a>, then:

Expand Down Expand Up @@ -4533,13 +4614,12 @@ Range Requests</cite>. [[HTTP-RANGE]] However, this is not widely supported by b
</ol>
</ol>

<li><p>Set <var>response</var>'s <a for=response>URL list</a> to a <a for=list>clone</a> of
<var>httpRequest</var>'s <a for=request>URL list</a>.

<li><p>If <var>httpRequest</var>'s <a for=request>header list</a> <a for="header list">contains</a>
`<code>Range</code>`, then set <var>response</var>'s <a for=response>range-requested flag</a>.

<li><p>If <var>httpRequest</var>'s <a for=request>response tainting</a> is not "<code>cors</code>"
and the <a>cross-origin resource policy check</a> with <var>request</var> and <var>response</var>
returns <b>blocked</b>, then return a <a>network error</a>.

<li>
<p>If <var>response</var>'s <a for=response>status</a> is <code>401</code>,
<var>httpRequest</var>'s <a for=request>response tainting</a> is not "<code>cors</code>", the
Expand Down

0 comments on commit db9fbcd

Please sign in to comment.