Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Introduce Cross-Origin Embedder Policy #1516

Merged
merged 7 commits into from
Jul 8, 2020

Conversation

yutakahirano
Copy link
Contributor

@yutakahirano yutakahirano commented Jun 2, 2020

This is part of whatwg/html#5454.

  • Define embedder policy in environment settings object for service
    workers.
  • Add the CORP check in #dom-cache-matchall.

Closes #1490 and whatwg/fetch#985.


Preview | Diff

This is part of whatwg/html#5454.

 - Define embedder policy in environment settings object for service
   workers.
 - Add the CORP check in #dom-cache-matchall.
@yutakahirano
Copy link
Contributor Author

@annevk @domenic PTAL.

Some links don't work because whatwg/html#5454 has not been landed yet.

This was referenced Jun 2, 2020
docs/index.bs Outdated Show resolved Hide resolved
Copy link
Contributor

@domenic domenic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Environment settings object parts look good. I will let @annevk review the CORP check parts.

docs/index.bs Outdated Show resolved Hide resolved
docs/index.bs Outdated Show resolved Hide resolved
docs/index.bs Outdated
@@ -1863,6 +1865,8 @@ spec: webappsec-referrer-policy; urlPrefix: https://w3c.github.io/webappsec-refe
1. Let |requestResponses| be the result of running [=Query Cache=] with |r| and |options|.
1. [=list/For each=] |requestResponse| of |requestResponses|:
1. Add a copy of |requestResponse|'s response to |responses|.
1. [=list/For each=] |response| of |responses|:
1. If |response|'s [=response/type=] is "`opaque`" and [=cross-origin resource policy check=] with |response|'s [=internal/internal response=], |promise|'s [=relevant settings object=]'s [=environment settings object/origin=], and |promise|'s [=relevant settings object=] returns <b>blocked</b>, then reject |promise| with a `TypeError` and abort these steps.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this needs some updating still to account for the parameter order in Fetch. And also, one of the arguments is a policy right, not an environment settings object?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh sorry I fixed the parameter ordering. Reg: policy I think you are talking about the corp internal check, not the corp check.

docs/index.bs Outdated Show resolved Hide resolved
docs/index.bs Outdated Show resolved Hide resolved
moz-v2v-gh pushed a commit to mozilla/gecko-dev that referenced this pull request Jun 18, 2020
…RP checking in cache APIs r=dom-workers-and-storage-reviewers,perry

According to w3c/ServiceWorker#1516, Replacing RequestMode by ResponseType for CORP checking in cache.match() and cache.matchAll().

Differential Revision: https://phabricator.services.mozilla.com/D77747
xeonchen pushed a commit to xeonchen/gecko that referenced this pull request Jun 19, 2020
…RP checking in cache APIs r=dom-workers-and-storage-reviewers,perry

According to w3c/ServiceWorker#1516, Replacing RequestMode by ResponseType for CORP checking in cache.match() and cache.matchAll().

Differential Revision: https://phabricator.services.mozilla.com/D77747
domenic pushed a commit to whatwg/html that referenced this pull request Jun 25, 2020
Merges https://github.com/WICG/cross-origin-embedder-policy into HTML.

Associated PRs:

* whatwg/fetch#1030
* w3c/ServiceWorker#1516
* w3c/css-houdini-drafts#992

Fixes #5368, fixes #5634, fixes
whatwg/fetch#985, and fixes
w3c/ServiceWorker#1490.

Follow-up: #4916, #4919, #4930 #5223, and #5391. (As well as defining
cross-origin isolated, per #4732.)
@yutakahirano
Copy link
Contributor Author

Can we land this as well?

@annevk annevk requested a review from jakearchibald July 1, 2020 06:24
Copy link
Contributor

@jakearchibald jakearchibald left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. I like this pattern much more than the pattern we currently use for CSP, which is a bit hand-wavey.

@jakearchibald
Copy link
Contributor

Do we have tests for the cache API change?

@yutakahirano
Copy link
Contributor Author

Thank you!

Do we have tests for the cache API change?

Yes, as html/cross-origin-embedder-policy/*cache-storage*.https.html.

@jakearchibald jakearchibald merged commit fc328f8 into w3c:master Jul 8, 2020
mfreed7 pushed a commit to mfreed7/html that referenced this pull request Sep 11, 2020
@yutakahirano yutakahirano deleted the yhirano/coep branch February 8, 2021 11:39
Copy link

@liuchengwei555 liuchengwei555 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apple

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

cache.match() and COEP
5 participants