From f137c8a817a1e91a1c5e07d4864ec5e8cc17a0ac Mon Sep 17 00:00:00 2001
From: Matt Falkenhagen
Date: Wed, 8 Aug 2018 16:05:07 +0900
Subject: [PATCH 1/5] Create a new reserved environment for cross-origin redirects.

Previously, a navigation would create a reserved environment once, and use it for all redirects. This commit changes that so a new environment is created on a cross-origin redirect. This also runs CSP for each redirect, which is probably more correct. Per https://github.com/w3c/ServiceWorker/issues/1316

--- source | 99 ++++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 62 insertions(+), 37 deletions(-) diff --git a/source b/source index a198596d40b..3e2619de504 100644 --- a/source +++ b/source @@ -82033,54 +82033,79 @@ interface Location { // but see also origin to that browsing context scope origin.

-
  • -

    Create a new environment reservedEnvironment, and set its id to a new unique opaque string, its creation URL to request's - url, and its target - browsing context to browsingContext.

    +
  • Let done be false and reservedEnvironment be null.

  • -

    The created environment's active service worker is set in the - handle fetch algorithm during the fetch if its - creation URL matches a service worker - registration.

    - +
  • Repeat the following steps until done is true:

    -
  • Set request's reserved - client to reservedEnvironment.

  • +
      +
    1. If reservedEnvironment is not null, and response's location URL does not have the + same origin as reservedEnvironment's creation URL, then:

      -
    2. -

      If the Should navigation request of type from source in target be blocked by Content - Security Policy? algorithm returns "Blocked" when executed upon - request, navigationType, sourceBrowsingContext, and - browsingContext, then set response to a network error. -

      +
        +
      1. Run the environment discarding steps for reservedEnvironment. +

      2. -

        Otherwise:

        +
      3. Set reservedEnvironment to null.

      4. +
      +
    3. -
        -
      1. Fetch request.

      2. +
      3. If reservedEnvironment is null, let reservedEnvironment be a new + environment, and set its id to a new + unique opaque string, its creation URL + to request's url, and its target browsing context to + browsingContext.

      4. -
      5. Wait for the task on the networking task - source to process response and set response to the - result.

      6. -
      - +
    4. +

      If response is not null, set reservedEnvironment's creation URL to response's location URL.

      + +

      The created environment's active service worker is set in the + Handle Fetch algorithm during the fetch if + the request URL matches a service worker registration.

      +
    5. + +
    6. Set request's reserved + client to reservedEnvironment.

    7. + +
    8. If the Should navigation request of type from source in target be blocked by Content + Security Policy? algorithm returns "Blocked" when executed upon + request, navigationType, sourceBrowsingContext, and + browsingContext, then set response to a network error, and set + done to true.

    9. + +
    10. Otherwise:

      +
        +
      1. If response is null, fetch request.

      2. +
      3. Otherwise, perform HTTP-redirect fetch using + request and response.

      4. -
      5. Wait for the task on the networking task + source to process response and set response to the + result.

      6. -

        Navigation handles redirects manually as navigation is the only place in the web - platform that cares for redirects to mailto: URLs and - such.

        +
      7. If response does not have a location URL or the location URL is not a URL whose + scheme is an HTTP(S) scheme, + then set done to true.

      8. +
      +
    11. +

      Navigation handles redirects manually as navigation is the only place in the web + platform that cares for redirects to mailto: URLs and + such.

      +
    +
  • If response has a location + URL that is failure, then set response to a network error.

  • +
  • Otherwise, if response has a location URL that is a URL whose scheme is "blob", " Date: Wed, 8 Aug 2018 16:33:06 +0900 Subject: [PATCH 2/5] Add CSP. --- source | 37 ++++++++++++++++++++++--------------- 1 file changed, 22 insertions(+), 15 deletions(-) diff --git a/source b/source index 3e2619de504..daab6f91b06 100644 --- a/source +++ b/source @@ -2830,10 +2830,13 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute data-x-href="https://fetch.spec.whatwg.org/#concept-request">request and its associated:
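
Review bot: In the [PATCH 1/5] hunk at -82033, the Content Security Policy step inside the new loop is "executed upon request" before the "Otherwise" branch performs HTTP-redirect fetch using request and response, so on redirect iterations the check appears to evaluate request as it stood for the previous hop rather than for the redirect target. The hunk itself treats request's url and response's location URL as distinct at that point, since the creation URL is first set from request's url and then overwritten with response's location URL. If the intent in the commit message is that CSP runs for each redirect, consider running the check after request has been updated for the redirect, or add a note stating which URL the check is meant to cover. Separately, the added step "Let done be false and reservedEnvironment be null" does not initialize response, although later steps branch on "If response is not null" and "If response is null"; unless a step outside this hunk already sets it, include response in that initialization.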