Specify sequence of navigation failure checks

The clause "if any of the following are true" does not indicate the intended sequence by which the subsequent conditions must be evaluated. Conforming implementations are therefore free to perform the checks in any order. However, the sequence is observable by web content because both the Content-Security Policy (CSP) check and the Cross-Origin Embedder Policy (COEP) check may trigger reporting events. The current implementation status is as follows (neither Safari nor Firefox implement COEP reporting at this time): - Chrome 86: CSP, then COEP, then X-Frame-Options - Firefox 80: CSP, then X-Frame-Options - Safari 13.1: CSP, then X-Frame-Options Standardize the sequence according to the state of the implementations.
whatwg · Aug 25, 2020 · ea6b0ca · ea6b0ca
1 parent e62f04a
commit ea6b0ca
Showing 1 changed file with 24 additions and 21 deletions.
diff --git a/source b/source
@@ -83163,30 +83163,33 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    <li><p>Let <var>browsingContext</var> be <var>navigationParams</var>'s <span
    data-x="navigation-params-browsing-context">browsing context</span>.</p></li>
 
+   <li><p>Let <var>failure</var> be false.</p></li>
+
    <li>
-    <p>If any of the following are true:</p>
+    <p>If <var>response</var> is a <span>network error</span>, then set <var>failure</var> to
+    true.</p>
 
-    <ul>
-     <li><p><var>response</var> is a <span>network error</span>;</p></li>
-
-     <li><p>the result of <span>should navigation response to navigation request of type from source
-     in target be blocked by Content Security Policy?</span> given <var>navigationParams</var>'s
-     <span data-x="navigation-params-request">request</span>, <var>response</var>,
-     <var>navigationType</var>, <var>source</var>, and <var>browsingContext</var> is "<code
-     data-x="">Blocked</code>"; <ref spec="CSP"></p></li>
-
-     <li><p>the result of <span data-x="check a navigation response's adherence to
-     `X-Frame-Options`">checking a navigation response's adherence to
-     `<code>X-Frame-Options</code>`</span> given <var>response</var>, <var>browsingContext</var>,
-     and <var>navigationParams</var>'s <span data-x="navigation-params-origin">origin</span> is
-     false; or</p></li>
-
-     <li><p>the result of <span data-x="check a navigation response's adherence to its embedder
-     policy">checking a navigation response's adherence to its embedder policy</span> given
-     <var>response</var> and <var>browsingContext</var> is false.</p></li>
-    </ul>
+    <p>Otherwise, if the result of <span>should navigation response to navigation request of type
+    from source in target be blocked by Content Security Policy?</span> given
+    <var>navigationParams</var>'s <span data-x="navigation-params-request">request</span>,
+    <var>response</var>, <var>navigationType</var>, <var>source</var>, and
+    <var>browsingContext</var> is "<code data-x="">Blocked</code>", then set <var>failure</var> to
+    true. <ref spec="CSP"></p>
 
-    <p>then:</p>
+    <p>Otherwise, if the result of <span data-x="check a navigation response's adherence to its
+    embedder policy">checking a navigation response's adherence to its embedder policy</span> given
+    <var>response</var> and <var>browsingContext</var> is false, then set <var>failure</var> to
+    true.</p>
+
+    <p>Otherwise, if the result of <span data-x="check a navigation response's adherence to
+    `X-Frame-Options`">checking a navigation response's adherence to
+    `<code>X-Frame-Options</code>`</span> given <var>response</var>, <var>browsingContext</var>,
+    and <var>navigationParams</var>'s <span data-x="navigation-params-origin">origin</span> is
+    false, then set <var>failure</var> to true.</p>
+   </li>
+
+   <li>
+    <p>If <var>failure</var> is true, then:</p>
 
     <ol>
      <li><p><span data-x="navigate-ua-inline">Display the inline content with an appropriate error