fix

whatwg · May 21, 2020 · 48d6105 · 48d6105
1 parent 158c73d
commit 48d6105
Showing 1 changed file with 127 additions and 2 deletions.
diff --git a/source b/source
@@ -81836,6 +81836,34 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
     </ol>
    </li>
 
+   <li>
+    <p>If <var>browsingContext</var> is a <span>child browsing context</span>:</p>
+
+    <ol>
+     <li><p>Let <var>request for CORP check</var> be a copy of <var>request</var>.</p></li>
+
+     <li><p>Set <var>request for CORP check</var>'s
+     <span data-x="concept-request-origin">origin</span> to <var>browsingContext</var>'s
+     <span data-x="bc-container-document">container document</span>'s <span>origin</span>.</p></li>
+
+     <li><p>Set <var>request for CORP check</var>'s
+     <span data-x="concept-request-client">client</span> to
+     <var>browsingContext</var>'s <span data-x="bc-container-document">container document</span>'s
+     <span>relevant settings object</span>.</p></li>
+
+     <li>
+      <p>If the result of <span>cross-origin resource policy check</span> with <var>request for CORP
+      check</var> and <var>response</var> is <code data-x="">blocked</code>, then set
+      <var>response</var> to a <span>network error</span>.</p>
+
+      <p class="note">Here we're running the <span>cross-origin resource policy check</span> against
+      the <span>parent browsing context</span> rather than <var>sourceBrowsingContext</var>. This is
+      because we do care about the same-originness of the embedded content against the parent
+      context, not the navigation source.</p>
+     </li>
+    </ol>
+   </li>
+
    <li><p>If <var>response</var> has a <span data-x="concept-response-location-url">location
    URL</span> that is failure, then set <var>response</var> to a <span>network
    error</span>.</p></li>
@@ -81923,6 +81951,97 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    <var>activeDocumentNavigationOrigin</var>, and <var>reservedEnvironment</var>.</p></li>
   </ol>
 
+  <p>To <dfn>queue a Cross-Origin Embedder Policy violation on navigation</dfn> given a
+  <span data-x="concept-request">request</span>(<var>request</var>), a string(<var>endpoint</var>)
+  and an <span>environment settings object</span>(<var>settings</var>), run the following
+  steps:</p>
+
+  <ol>
+   <li>
+    <p>Let <var>blocked url</var> be <var>request</var>'s
+    <span data-x="concept-request-url">URL</span>.</p>
+
+    <p class="note">This is not <var>request</var>'s
+    <span data-x="concept-request-current-url">current URL</span> in order to avoid leaking
+    information about redirect targets (see
+    <a href="https://w3c.github.io/webappsec-csp/#security-violation-reports">here</a> too).</p>
+   </li>
+
+   <li><p>Set <var>blocked url</var>'s <span data-x="concept-url-username">username</span>
+   to the empty string, and its <span data-x="concept-url-password">password</span> to
+   <code data-x="">null</code>.</p></li>
+
+   <li><p>Let <var>serialized blocked url</var> be <var>blocked url</var>
+   <span data-x="concept-url-serializer">serialized</span> with the <code data-x="">exclude fragment
+   flag</code> set.</p></li>
+
+   <li>
+    <p>Let <var>body</var> be a new object containing the following properties with keys:</p>
+
+    <table class="data">
+     <thead>
+      <tr>
+       <th>key</th>
+       <th>value</th>
+      </tr>
+     </thead>
+     <tbody>
+      <tr>
+      <td>type</td>
+       <td>"<code data-x="">navigation</code>"</td>
+      </tr>
+      <tr>
+       <td>blocked-url</td>
+       <td><var>serialized blocked url</var></td>
+      </tr>
+     </tbody>
+    </table>
+   </li>
+
+   <li><p><span data-x="queue a report">Queue</span> <var>body</var> as
+   "<code data-x="">coep</code>" for <var>endpoint</var> on <var>settings</var>.
+  </ol>
+
+  <p>To <dfn>check a navigation response's adherence to its embedder policy</dfn> given a
+  <span data-x="concept-request">request</span>(<var>request</var>), a
+  <span data-x="concept-response">response</span>(<var>response</var>), and a
+  <span>browsing context</span>(<var>target</var>), run the following steps:</p>
+
+  <ol>
+   <li><p>Return <code data-x="">allowed</code> if <var>target</var> is not a <span>child browsing
+   context</span>.</p></li>
+
+   <li><p>Let <var>response policy</var> be the result of
+   <span data-x="obtain an embedder policy">obtaining an embedder policy</span> from
+   <var>response</var>.</p></li>
+
+   <li><p>Let <var>parent policy</var> be <var>target</var>'s
+   <span data-x="bc-container-document">container document</span>'s
+   <span data-x="concept-document-embedder-policy">embedder policy</span>.</p></li>
+
+   <li><p>If <var>parent policy</var>'s <span data-x="embedder-policy-report-only-value">report
+   only value</span> is "<code data-x="">require-corp</code>" and <var>response policy</var>'s
+   <span data-x="embedder-policy-value">value</span> is "<code data-x="">unsafe-none</code>",
+   then <span>queue a Cross-Origin Embedder Policy violation on navigation</span>
+   with <var>request</var>, <var>parent policy</var>'s <span
+   data-x="embedder-policy-report-only-reporting-endpoint">report only reporting endpoint</span>
+   and <var>target</var>'s <span data-x="bc-container-document">container document</span>'s
+   <span>relevant settings object</span>.</p></li>
+
+   <li><p>If <var>parent policy</var>'s <span data-x="embedder-policy-value">value</span> is
+   "<code data-x="">unsafe-none</code>" or <var>policy</var>'s
+   <span data-x="embedder-policy-value">value</span> is "<code data-x="">require-corp</code>",
+   then return <code data-x="">allowed</code>.</p></li>
+
+   <li><p><span>Queue a Cross-Origin Embedder Policy violation on navigation</span>
+   with <var>request</var>, <var>parent policy</var>'s
+   <span data-x="embedder-policy-reporting-endpoint">reporting endpoint</span> and
+   <var>target</var>'s <span data-x="bc-container-document">container document</span>'s
+   <span>relevant settings object</span>.</p></li>
+
+   <li><p>Return <code data-x="">blocked</code>.</p></li>
+  </ol>
+
   <p>To <dfn data-export="">process a navigate response</dfn>, given null or a <span
   data-x="concept-request">request</span> <var>request</var>, a <span
   data-x="concept-response">response</span> <var>response</var>, a string <var>navigationType</var>,
@@ -81952,6 +82071,11 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
      data-x="">Blocked</code>" when executed upon <var>request</var>, <var>response</var>,
      <var>navigationType</var>, <var>source</var>, and <var>browsingContext</var>. <ref
      spec="CSP"></p></li>
+
+     <li><p>The result of <span
+     data-x="check a navigation response's adherence to its embedder policy">checking a
+     navigation response's adherence to its embedder policy</span> with <var>request</var>,
+     <var>response</var> and <var>browsingContext</var> is <code data-x="">blocked</code>.
     </ul>
 
     <p class="note">This is where the network errors defined and propagated by <cite>Fetch</cite>,
@@ -97978,7 +98102,8 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
 
   <p>To <dfn>queue a Cross-Origin Embedder Policy violation on worker initialization</dfn> given a
   <span data-x="concept-request">request</span>(<var>request</var>), a string(<var>endpoint</var>)
-  and an <span>environment settings object</span>(settings), run the following steps.</p>
+  and an <span>environment settings object</span>(<var>settings</var>), run the following
+  steps.</p>
 
   <ol>
    <li>
@@ -97996,7 +98121,7 @@ interface <dfn>SharedWorkerGlobalScope</dfn> : <span>WorkerGlobalScope</span> {
    <code data-x="">null</code>.</p></li>
 
    <li><p>Let <var>serialized blocked url</var> be <var>blocked url</var>
-   <span data-x="concept-url-serializer">serialized</span>with the <code data-x="">exclude fragment
+   <span data-x="concept-url-serializer">serialized</span> with the <code data-x="">exclude fragment
    flag</code> set.</p></li>
 
    <li>