-
Notifications
You must be signed in to change notification settings - Fork 312
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce Cross-Origin Embedder Policy #1516
Conversation
This is part of whatwg/html#5454. - Define embedder policy in environment settings object for service workers. - Add the CORP check in #dom-cache-matchall.
Some links don't work because whatwg/html#5454 has not been landed yet. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Environment settings object parts look good. I will let @annevk review the CORP check parts.
docs/index.bs
Outdated
@@ -1863,6 +1865,8 @@ spec: webappsec-referrer-policy; urlPrefix: https://w3c.github.io/webappsec-refe | |||
1. Let |requestResponses| be the result of running [=Query Cache=] with |r| and |options|. | |||
1. [=list/For each=] |requestResponse| of |requestResponses|: | |||
1. Add a copy of |requestResponse|'s response to |responses|. | |||
1. [=list/For each=] |response| of |responses|: | |||
1. If |response|'s [=response/type=] is "`opaque`" and [=cross-origin resource policy check=] with |response|'s [=internal/internal response=], |promise|'s [=relevant settings object=]'s [=environment settings object/origin=], and |promise|'s [=relevant settings object=] returns <b>blocked</b>, then reject |promise| with a `TypeError` and abort these steps. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this needs some updating still to account for the parameter order in Fetch. And also, one of the arguments is a policy right, not an environment settings object?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh sorry I fixed the parameter ordering. Reg: policy I think you are talking about the corp internal check, not the corp check.
…RP checking in cache APIs r=dom-workers-and-storage-reviewers,perry According to w3c/ServiceWorker#1516, Replacing RequestMode by ResponseType for CORP checking in cache.match() and cache.matchAll(). Differential Revision: https://phabricator.services.mozilla.com/D77747
…RP checking in cache APIs r=dom-workers-and-storage-reviewers,perry According to w3c/ServiceWorker#1516, Replacing RequestMode by ResponseType for CORP checking in cache.match() and cache.matchAll(). Differential Revision: https://phabricator.services.mozilla.com/D77747
Merges https://github.com/WICG/cross-origin-embedder-policy into HTML. Associated PRs: * whatwg/fetch#1030 * w3c/ServiceWorker#1516 * w3c/css-houdini-drafts#992 Fixes #5368, fixes #5634, fixes whatwg/fetch#985, and fixes w3c/ServiceWorker#1490. Follow-up: #4916, #4919, #4930 #5223, and #5391. (As well as defining cross-origin isolated, per #4732.)
Can we land this as well? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. I like this pattern much more than the pattern we currently use for CSP, which is a bit hand-wavey.
Do we have tests for the cache API change? |
Thank you!
Yes, as html/cross-origin-embedder-policy/*cache-storage*.https.html. |
Merges https://github.com/WICG/cross-origin-embedder-policy into HTML. Associated PRs: * whatwg/fetch#1030 * w3c/ServiceWorker#1516 * w3c/css-houdini-drafts#992 Fixes whatwg#5368, fixes whatwg#5634, fixes whatwg/fetch#985, and fixes w3c/ServiceWorker#1490. Follow-up: whatwg#4916, whatwg#4919, whatwg#4930 whatwg#5223, and whatwg#5391. (As well as defining cross-origin isolated, per whatwg#4732.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Apple
This is part of whatwg/html#5454.
workers.
Closes #1490 and whatwg/fetch#985.
Preview | Diff