Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Integrate CORP and COEP #1030

Merged
merged 7 commits into from
Jun 26, 2020
+148 −40
Merged

Integrate CORP and COEP #1030

Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
f083f8c
Define "Request URL serialization for reporting"
yutakahirano May 29, 2020
db9fbcd
# This is a combination of 2 commits.
yutakahirano Jun 1, 2020
e8b90f8
fix
yutakahirano Jun 25, 2020
1ca20a9
fix
yutakahirano Jun 26, 2020
37b2bdb
fix
yutakahirano Jun 26, 2020
1e45ecd
fix
yutakahirano Jun 26, 2020
ea40eaf
fix
yutakahirano Jun 26, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 13 additions & 11 deletions fetch.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3170,13 +3170,14 @@ these steps:
Cross-Origin Embedder Policy below.

<li><p>If the <a>cross-origin resource policy internal check</a> with <var>origin</var>,
<var>embedderPolicy</var>'s report only value, <var>response</var>, and <var>forNavigation</var>
returns <b>blocked</b>, then <a>queue a cross-origin embedder policy CORP violation report</a>
with <var>response</var>, <var>settingsObject</var>, and true.
<var>embedderPolicy</var>'s <a for="embedder policy">report only value</a>, <var>response</var>,
and <var>forNavigation</var> returns <b>blocked</b>, then
<a>queue a cross-origin embedder policy CORP violation report</a> with <var>response</var>,
<var>settingsObject</var>, and true.

<li><p>If the <a>cross-origin resource policy internal check</a> with <var>origin</var>,
<var>embedderPolicy</var>'s value, <var>response</var>, and <var>forNavigation</var> returns
<b>allowed</b>, then return <b>allowed</b>.
<var>embedderPolicy</var>'s <a for="embedder policy">value</a>, <var>response</var>, and
<var>forNavigation</var> returns <b>allowed</b>, then return <b>allowed</b>.

<li><p><a>Queue a cross-origin embedder policy CORP violation report</a> with <var>response</var>,
<var>settingsObject</var>, and false.
Expand Down Expand Up @@ -4057,15 +4058,16 @@ optional <i>CORS-preflight flag</i>, run these steps:
</ol>

<li>
<p>If <var>request</var>'s <a for=request>response tainting</a> is "<code>opaque</code>"
and the <a>cross-origin resource policy check</a> with <var>request</var>'s
<a for=request>origin</a>, <var>request</var>'s <a for=request>client</a>, and
<var>actualResponse</var> returns <b>blocked</b>, then return a <a>network error</a>.
<p>If either <var>request</var>'s <a for=request>response tainting</a> or <var>response</var>'s
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I changed here because the previous logic didn't work well for responses coming from the service worker.

<a for=response>type</a> is "<code>opaque</code>", and the
<a>cross-origin resource policy check</a> with <var>request</var>'s <a for=request>origin</a>,
<var>request</var>'s <a for=request>client</a>, and <var>actualResponse</var> returns
<b>blocked</b>, then return a <a>network error</a>.

<p class=note>The <a>cross-origin resource policy check</a> runs for responses coming from the
network and responses coming from the service worker. This is different from the
<a>CORS check</a>. This is because <var>request</var>'s <a for=request>client</a> and the
service worker can have different embedder policies.
<a>CORS check</a>, as <var>request</var>'s <a for=request>client</a> and the service worker can
have different embedder policies.

<li>
<p>If <var>actualResponse</var>'s <a for=response>status</a> is a <a>redirect status</a>, then:
Expand Down