-
Notifications
You must be signed in to change notification settings - Fork 332
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revisit destination
for <iframe>
, <frame>
, <embed>
, and <object>
.
#948
Conversation
I'll follow this up with an HTML patch in a moment. |
Currently, top-level and nested navigations set a request destination of "document" when performing the "process a navigate fetch" algorithm. This patch follows whatwg/fetch#948, splitting "document" into "frame" and "iframe" for nested navigation requests.
fetch.bs
Outdated
or "<code>worker</code>". | ||
whose <a for=request>destination</a> is "<code>document</code>", "<code>frame</code>", | ||
"<code>iframe</code>", "<code>report</code>", "<code>serviceworker</code>", | ||
"<code>sharedworker</code>", or "<code>worker</code>". |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't accurate anymore. Currently for embed/object the destination would be document if they have a browsing context that is navigated and they would end up classified here as a non-subresource request.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Currently, embed
and object
are "potential-navigation-or-subresource" requests, and don't get categorized into either "subresource" or "non-subresource". I don't think this patch changes that.
Looking at "display a plugin", it looks like <embed>
and <object>
will always create a nested browsing context. Is that how we're categorizing "subresource" vs "non-subresource"? If so, then I agree that it seems like we should lump them into the "non-subresource" bucket.
It's not clear to me what the impact is there, though. Where is "non-subresource request" used?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My understanding is that embed
(and object
) are initially no-cors / embed, but change to navigate / document the moment they display a non-XXX resource (maybe XXX is only images?) and instantiate a nested browsing context.
https://w3c.github.io/ServiceWorker/ uses non-subresource.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As far as Fetch is concerned, I think <embed>
and <object>
are both always no-cors
/ {embed
,object
}.
Tracing through from https://html.spec.whatwg.org/#the-embed-element-setup-steps:
- Step 3.4 fetches with
no-cors
/embed
. - Step 3.4.3 switches on the type of the response (in a way that I'm not sure matches implementations; both Firefox and Chrome render
text/html
, for instance) to either display a plugin or navigate to the response. - Displaying a plugin drops any nested browsing context in step 1, and hand-waves at finding a plugin for the response type.
- Navigating to the response does not re-fetch with
navigation
/document
; it navigates to the response that was given for theno-cors
/embed
fetch above.
<object>
looks pretty similar, though more capacious with regard to the types it handles specially.
(It's probably worth reevaluating all of this complexity in the light of Flash's impending death. Perhaps we can make <object>
and <embed>
act like strangely-spelled <iframe>
s at some point?)
https://w3c.github.io/ServiceWorker/ uses non-subresource.
https://w3c.github.io/ServiceWorker/#on-fetch-request-algorithm uses "non-subresource request" only after punting entirely on "potential-navigation-or-subresource" requests, which means that the categorization would have no practical effect there.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If you navigate a browsing context whose owner is embed
, how does it end up with no-cors
/ embed
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm a little worried it's gonna linger and never get fixed, despite being somewhat important from an interoperability perspective.
And note that before it'd go from no-cors/embed to navigate/document and that is being changed too.
I agree that we should fix it in the spec and lock it in with tests. I'm not sure this patch is the right place to do it, given how simple it is today, and how not-simple I think the <embed>
change is going to be more generally. :)
If you'd prefer one big patch that addresses <embed>
/<object>
/<frame>
/<iframe>
all together, I'll do that! But I think I'd prefer to just land this and the associated HTML PR, and worry about <embed>
and <object>
in a subsequent set of PRs.
And given that it also changes for iframe et al, there needs to be an associated HTML PR already for this change.
whatwg/html#4976 is that change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I might be missing something, but apart from the tests I don't think it's as big of a change on this side? The HTML side would require a lot of work, but not sure all of that is blocking given the many issues embed/object have already.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Step 5 of main fetch (https://fetch.spec.whatwg.org/#main-fetch) has pretty different behavior between "navigate" and "no-cors". I think it'll turn out to be incorrect for the initial request from <embed>
, but I haven't through through what needs to change (or whether I'm even correct that it does need to change).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(There's also a minor MIME type change in step 1.3.2 of Fetching (https://fetch.spec.whatwg.org/#fetching), but that's likely not a big deal to change.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, what Accept
should say.
@annevk noted in whatwg/fetch#948 (comment) that it was possible to navigate an `<embed>` after it loads. I think we should probably figure out how to make that navigation show up with a destination of `embed` and a mode of `no-cors`. Surprisingly, that seems to be what we're sending via Fetch Metadata. I suspect it's not what the underlying `fetch()` API would show in a service worker. Bug: 1011763 Change-Id: I0156b2b1b467c914b15f6af50dfa37ce74db6c62
I hesitate to accept this claim. :) Per spec, you're probably right. But short of auditing Chromium's plugin loading code, I'm not sure that it's practically the case in that engine. The code is a big mess, and it's not clear to me that it couldn't backslide into having an effect on the document in which it's embedded. I really can't wait until we can lock most of the weirdness behind a PPAPI flag for enterprise. I'm willing to be convinced that |
Wouldn't that end up affecting other parts of the system in weird ways? E.g., how a service worker is selected to handle the request? And is |
@annevk noted in whatwg/fetch#948 (comment) that it was possible to navigate an `<embed>` after it loads. In this case, it seems safest to ensure that this navigation shows up with a destination of `embed` and a mode of `no-cors`. That seems to be what we're sending today via Fetch Metadata, so let's lock it in via this patch's tests. I suspect it's not what the underlying `fetch()` API would show in a service worker, but we can deal with that in a separate patch. Bug: 1011763 Change-Id: I0156b2b1b467c914b15f6af50dfa37ce74db6c62
The way things are specified today, I'm not sure any of our current behaviors around this space are correct. :) What would you like the behavior to be for Service Workers? Could we treat cc @jakearchibald who possibly has opinions.
My assumption is that |
If A frames B using |
The conversation in whatwg/fetch#948 makes me curious about how locked-in we are to the existing behavior around both `<embed>` and `<object>` when used for non-plugin content. They're basically strange `<iframe>`s, and it might be reasonable to push them closer towards _being_ `<iframe>` elements, or to push them further away, depending on how usage numbers look. Change-Id: I843ae37ae74033fdb3ea9b920ce3932004a067b0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1847291 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#703722}
@annevk noted in whatwg/fetch#948 (comment) that it was possible to navigate an `<embed>` after it loads. In this case, it seems safest to ensure that this navigation shows up with a destination of `embed` and a mode of `no-cors`. That seems to be what we're sending today via Fetch Metadata, so let's lock it in via this patch's tests. I suspect it's not what the underlying `fetch()` API would show in a service worker, but we can deal with that in a separate patch. Bug: 1011763 Change-Id: I0156b2b1b467c914b15f6af50dfa37ce74db6c62 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1844996 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#705518}
@annevk noted in whatwg/fetch#948 (comment) that it was possible to navigate an `<embed>` after it loads. In this case, it seems safest to ensure that this navigation shows up with a destination of `embed` and a mode of `no-cors`. That seems to be what we're sending today via Fetch Metadata, so let's lock it in via this patch's tests. I suspect it's not what the underlying `fetch()` API would show in a service worker, but we can deal with that in a separate patch. Bug: 1011763 Change-Id: I0156b2b1b467c914b15f6af50dfa37ce74db6c62 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1844996 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#705518}
My reading of the service worker spec is that we skip the service worker for these requests. But I don't know if that's what vendors actually implement. Pinging @jakearchibald again who might have opinions (and data?). @arturjanc apparently has the plague today, but when he recovers, he might be able to weigh in on the threat model around (In the hopes of avoiding surprise, I currently think that this is the last open question we need to answer before shipping a first pass at |
@annevk noted in whatwg/fetch#948 (comment) that it was possible to navigate an `<embed>` after it loads. In this case, it seems safest to ensure that this navigation shows up with a destination of `embed` and a mode of `no-cors`. That seems to be what we're sending today via Fetch Metadata, so let's lock it in via this patch's tests. I suspect it's not what the underlying `fetch()` API would show in a service worker, but we can deal with that in a separate patch. Bug: 1011763 Change-Id: I0156b2b1b467c914b15f6af50dfa37ce74db6c62 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1844996 Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Daniel Vogelheim <vogelheim@chromium.org> Cr-Commit-Position: refs/heads/master@{#705518}
I'm really curious whether we skip service workers once a browsing context is established there. I'd like to see that tested at least. From Firefox's perspective solving |
They do match our mental model: we expect developers to focus on blocking cross-site One counterexample could be sites that don't care about XS-Leaks but want to more tightly control navigations to defend from XSS and e.g. prevent cross-site navigations to anything but a tightly controlled set of application endpoints. But for this -- less common -- scenario developers already have Overall, I like the model of having initial loads via |
@annevk I think you would be happy with this too, given your comments in #948 (comment). Is that still your preference? I don't think this distinction will be easy to implement in Chromium, given the way For clarity, I think we're saying that the initial request from
and subsequent requests from
|
The way the standard describes
And then once there is a browsing context, you'd navigate that normally. It's surprising that Chrome has apparently a very different model from this. I haven't checked with folks familiar with Gecko's loading code recently, but I'm pretty sure the above is somewhat accurate for Gecko (now whether it's easy to get the right values might still be up for debate there of course). |
Chromium is nothing if not surprising. The challenge I'm thinking of is that we're currently keying the |
I'm a little lost about what's trying to be achieved here, so I'm sorry if this is useless: With service worker, we're happy for a service worker to intercept a request for A service worker on This means requests which form a client (which have their own CSP, and run against a particular origin based on their final request), will go through a service worker that matches the request scope, rather than the controller of the client that initiated the request. This all works nicely because we can tell if a response is going to be used to create a client based on the destination. An We punted on If we can guarantee in advance whether a |
@mikewest so |
No. We do the same thing as we do for more general navigation to an image resource: synthesize an
I'm not sure what you mean here? We use the origin of the resource as the browsing context's origin, and access controls flow naturally from that. |
Very interesting, but there's no initial about:blank it seems, so there's no exposed browsing context (e.g., via I'm not sure what we want to do in that case. cc @bzbarsky |
I think that's correct. If/when we actually get rid of plugins, it might be reasonable to make Implementation details to the side, does the behavior in #948 (comment) seem reasonable to you? If so, I'll figure out how to make it work in HTML and Chromium. |
If Firefox is okay with moving slowly towards making |
I think my original proposal was I don't think it makes a huge difference either way, as @arturjanc and team would just need to look at the destination in addition to the mode for navigation requests, which they already need to do for Better documentation and example code might help mitigate that risk? I can live with either, I think. |
They have quite different layout behavior in the image case, no? Including in Chrome.
What web-observables would this actually affect? Ignoring for the moment plug-ins (let's pretend we killed them already), there are basically two cases for embed/object in the spec and in Gecko's implementation right now: document and image. Which case we're in is decided based on the MIME type of the last load triggered via the "src"/"data" attribute respectively. If you set the relevant attr to a URL that returns a non-image MIME type that the browser is able to render, you get a browsing context (once we get the headers from the server) and general iframe-like layout behavior. The resulting browsing context can be navigated via its If you set the relevant attr to a URL that returns an image MIME type, we don't create a browsing context at all. We just have the image data (like |
That's true, my claim earlier in the thread was incorrect: on testing again, I realize that Chrome has exactly the difference in behavior you're describing for Still, both cases run through the same navigation architecture in Chrome, and we make a decision about whether to commit into a new browsing context vs. render the result. I suspect that the cases in which the image-like display nature you're pointing to is something we could change if we wanted to simplify the model. Based on the same (sketchy because Canary) data source as above, <0.0001% of page views contain either |
Step 13 of https://w3c.github.io/ServiceWorker/#on-fetch-request-algorithm should exclude `embed` and `object` requests from Service Workers. Our implementation handles this correctly for the initial request, but failed to bypass the Service Worker for subsequent navigations. This patch adds a destination check to `ServiceWorkerMainResourceLoaderInterceptor::ShouldCreateForNavigation`, and ensures that the `destination` for a given request is set early enough in the lifecycle to ensure that the check succeeds. See also whatwg/fetch#948. Change-Id: I21a1d37da438e1d0f185696f2b3b4058bc3911fc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2209456 Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Ben Kelly <wanderview@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#773781}
Step 13 of https://w3c.github.io/ServiceWorker/#on-fetch-request-algorithm should exclude `embed` and `object` requests from Service Workers. Our implementation handles this correctly for the initial request, but failed to bypass the Service Worker for subsequent navigations. This patch adds a destination check to `ServiceWorkerMainResourceLoaderInterceptor::ShouldCreateForNavigation`, and ensures that the `destination` for a given request is set early enough in the lifecycle to ensure that the check succeeds. See also whatwg/fetch#948. Change-Id: I21a1d37da438e1d0f185696f2b3b4058bc3911fc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2209456 Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Ben Kelly <wanderview@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#773781}
Step 13 of https://w3c.github.io/ServiceWorker/#on-fetch-request-algorithm should exclude `embed` and `object` requests from Service Workers. Our implementation handles this correctly for the initial request, but failed to bypass the Service Worker for subsequent navigations. This patch adds a destination check to `ServiceWorkerMainResourceLoaderInterceptor::ShouldCreateForNavigation`, and ensures that the `destination` for a given request is set early enough in the lifecycle to ensure that the check succeeds. See also whatwg/fetch#948. Change-Id: I21a1d37da438e1d0f185696f2b3b4058bc3911fc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2209456 Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Ben Kelly <wanderview@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#773781}
…bypasses Service Workers., a=testonly Automatic update from web-platform-tests Ensure that <object>/<embed> navigation bypasses Service Workers. Step 13 of https://w3c.github.io/ServiceWorker/#on-fetch-request-algorithm should exclude `embed` and `object` requests from Service Workers. Our implementation handles this correctly for the initial request, but failed to bypass the Service Worker for subsequent navigations. This patch adds a destination check to `ServiceWorkerMainResourceLoaderInterceptor::ShouldCreateForNavigation`, and ensures that the `destination` for a given request is set early enough in the lifecycle to ensure that the check succeeds. See also whatwg/fetch#948. Change-Id: I21a1d37da438e1d0f185696f2b3b4058bc3911fc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2209456 Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Ben Kelly <wanderview@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#773781} -- wpt-commits: 51e3a46a45c3a3ff3c934246d6de70fa3e63c7e9 wpt-pr: 23706
…bypasses Service Workers., a=testonly Automatic update from web-platform-tests Ensure that <object>/<embed> navigation bypasses Service Workers. Step 13 of https://w3c.github.io/ServiceWorker/#on-fetch-request-algorithm should exclude `embed` and `object` requests from Service Workers. Our implementation handles this correctly for the initial request, but failed to bypass the Service Worker for subsequent navigations. This patch adds a destination check to `ServiceWorkerMainResourceLoaderInterceptor::ShouldCreateForNavigation`, and ensures that the `destination` for a given request is set early enough in the lifecycle to ensure that the check succeeds. See also whatwg/fetch#948. Change-Id: I21a1d37da438e1d0f185696f2b3b4058bc3911fc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2209456 Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Ben Kelly <wanderview@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#773781} -- wpt-commits: 51e3a46a45c3a3ff3c934246d6de70fa3e63c7e9 wpt-pr: 23706
I believe the tests have landed. Can this be merged now? |
As discussed in w3c/webappsec-fetch-metadata#45, this patch splits the `document` destination into `document`, `frame`, and `iframe`. These destinations distinguish top-level navigation from nested navigation, and exposing this data via `Sec-Fetch-Dest` will allow developers to better understand the nature of a request. This patch also redefines "navigation request" and "non-subresource request" to include `embed` and `object` destinations as a consequence of the conversation in [1], which will also change the `mode` of those requests from `no-cors` to `navigate` [2]. These changes are covered by WPT in //fetch/metadata, specifically [3], [4], [5], and [6]. [1]: #948 (comment) [2]: https://github.com/whatwg/html/pull/4976/files [3]: https://github.com/web-platform-tests/wpt/blob/master/fetch/metadata/embed.tentative.https.sub.html [4]: https://github.com/web-platform-tests/wpt/blob/master/fetch/metadata/object.tentative.https.sub.html [5]: https://github.com/web-platform-tests/wpt/blob/master/fetch/metadata/iframe.tentative.https.sub.html [6]: https://github.com/web-platform-tests/wpt/blob/master/fetch/metadata/navigation.tentative.https.sub.html
d91d0ea
to
939613d
Compare
Can someone review my nit?
|
…bypasses Service Workers., a=testonly Automatic update from web-platform-tests Ensure that <object>/<embed> navigation bypasses Service Workers. Step 13 of https://w3c.github.io/ServiceWorker/#on-fetch-request-algorithm should exclude `embed` and `object` requests from Service Workers. Our implementation handles this correctly for the initial request, but failed to bypass the Service Worker for subsequent navigations. This patch adds a destination check to `ServiceWorkerMainResourceLoaderInterceptor::ShouldCreateForNavigation`, and ensures that the `destination` for a given request is set early enough in the lifecycle to ensure that the check succeeds. See also whatwg/fetch#948. Change-Id: I21a1d37da438e1d0f185696f2b3b4058bc3911fc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2209456 Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Ben Kelly <wanderview@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#773781} -- wpt-commits: 51e3a46a45c3a3ff3c934246d6de70fa3e63c7e9 wpt-pr: 23706 Differential Revision: https://phabricator.services.mozilla.com/D78336
…bypasses Service Workers., a=testonly Automatic update from web-platform-tests Ensure that <object>/<embed> navigation bypasses Service Workers. Step 13 of https://w3c.github.io/ServiceWorker/#on-fetch-request-algorithm should exclude `embed` and `object` requests from Service Workers. Our implementation handles this correctly for the initial request, but failed to bypass the Service Worker for subsequent navigations. This patch adds a destination check to `ServiceWorkerMainResourceLoaderInterceptor::ShouldCreateForNavigation`, and ensures that the `destination` for a given request is set early enough in the lifecycle to ensure that the check succeeds. See also whatwg/fetch#948. Change-Id: I21a1d37da438e1d0f185696f2b3b4058bc3911fc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2209456 Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Ben Kelly <wanderview@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#773781} -- wpt-commits: 51e3a46a45c3a3ff3c934246d6de70fa3e63c7e9 wpt-pr: 23706 Differential Revision: https://phabricator.services.mozilla.com/D78336
Your nit LGTM, @annevk. Thank you. |
Currently, top-level and nested navigations use a request destination of "document". This splits that into "document" (top-level) and "embed", "frame", "iframe", and "object" (nested). It also makes embed/object use "navigate" as their request mode. This complements whatwg/fetch#948 (which links relevant tests).
Thanks @mikewest and @wanderview for getting this done, I think all is merged now and all relevant bugs have been filed and linked. |
As discussed in w3c/webappsec-fetch-metadata#45, this splits the "document" destination into "document", "frame", and "iframe". These destinations distinguish top-level navigation from nested navigation, and exposing this data via `Sec-Fetch-Dest` will allow developers to better understand the nature of a request. This patch also redefines "navigation request" and "non-subresource request" to include "embed" and "object" destinations as discussed at #948 (comment). That discussion also resulted in other changes: * whatwg/html#4976 * w3c/ServiceWorker#1486 Tests: * https://github.com/web-platform-tests/wpt/blob/master/fetch/metadata/embed.tentative.https.sub.html * https://github.com/web-platform-tests/wpt/blob/master/fetch/metadata/object.tentative.https.sub.html * https://github.com/web-platform-tests/wpt/blob/master/fetch/metadata/iframe.tentative.https.sub.html * https://github.com/web-platform-tests/wpt/blob/master/fetch/metadata/navigation.tentative.https.sub.html * https://github.com/web-platform-tests/wpt/blob/master/service-workers/service-worker/embed-and-object-are-not-intercepted.https.html
After whatwg/fetch#948, whatwg/fetch#993, and whatwg/html#5203, the integration with Fetch and HTML is complete. This patch points to those integration points rather than claiming that there's still work to be done. Closes #73.
After whatwg/fetch#948, whatwg/fetch#993, and whatwg/html#5203, the integration with Fetch and HTML is complete. This patch points to those integration points rather than claiming that there's still work to be done. Closes #73.
Step 13 of https://w3c.github.io/ServiceWorker/#on-fetch-request-algorithm should exclude `embed` and `object` requests from Service Workers. Our implementation handles this correctly for the initial request, but failed to bypass the Service Worker for subsequent navigations. This patch adds a destination check to `ServiceWorkerMainResourceLoaderInterceptor::ShouldCreateForNavigation`, and ensures that the `destination` for a given request is set early enough in the lifecycle to ensure that the check succeeds. See also whatwg/fetch#948. Change-Id: I21a1d37da438e1d0f185696f2b3b4058bc3911fc Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2209456 Reviewed-by: Matt Falkenhagen <falken@chromium.org> Reviewed-by: Tsuyoshi Horo <horo@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Ben Kelly <wanderview@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#773781} Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src Cr-Mirrored-Commit: e59cf87ae0944fd6fe3e7e013e703bd6171fe382
As discussed in w3c/webappsec-fetch-metadata#45, splitting 'document' into a set of
destination values that developers can use to determine whether the request is for
a top-level document or a nested document will allow us to simplify Fetch Metadata
checks performed server side.
Preview | Diff