Spec partition nonce functionality #149
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
|
|
@@ -74,6 +74,19 @@ spec: url; for:/; type: dfn; text: url | |||||
| "deliveredBy": [ | ||||||
| "https://wicg.io/" | ||||||
| ] | ||||||
| }, | ||||||
| "iframe-credentialless": { | ||||||
| "authors": [ | ||||||
| "Arthur Sonzogni", | ||||||
| "Camille Lamy" | ||||||
| ], | ||||||
| "href": "https://wicg.github.io/anonymous-iframe/", | ||||||
| "title": "Iframe credentialless", | ||||||
| "status": "CG-DRAFT", | ||||||
| "publisher": "WICG", | ||||||
| "deliveredBy": [ | ||||||
| "https://wicg.io/" | ||||||
| ] | ||||||
| } | ||||||
| } | ||||||
| </pre> | ||||||
|
|
@@ -264,6 +277,10 @@ spec: attribution-reporting; urlPrefix: https://wicg.github.io/attribution-repor | |||||
| spec: turtledove; urlPrefix: https://wicg.github.io/turtledove/ | ||||||
| type: dfn | ||||||
| text: construct a pending fenced frame config; url: construct-a-pending-fenced-frame-config | ||||||
| spec: iframe-credentialless; urlPrefix: https://wicg.github.io/anonymous-iframe/ | ||||||
| type: dfn | ||||||
| for: navigation params | ||||||
| text: credentialless; url: navigation-params-credentialless | ||||||
| </pre> | ||||||
|
|
||||||
| <style> | ||||||
|
|
@@ -3990,6 +4007,55 @@ at the expense of some utility. | |||||
| </wpt> | ||||||
| </div> | ||||||
|
|
||||||
| <h3 id=credentialless-monkeypatch>Iframe credentialless</h3> | ||||||
|
|
||||||
| The [[!IFRAME-CREDENTIALLESS]] specification defines a new object, the [=page credentialless | ||||||
| nonce=]. At a high level, the [=fenced frame config instance/partition nonce=] serves the same | ||||||
| purpose as the [=page credentialless nonce=] (partitioning storage and network), but scoped to each | ||||||
| fenced frame rather than to each credentialless iframe. The [=fenced frame config instance/ | ||||||
| partition nonce=] is also used to revoke network access in fenced frames. Perform the following | ||||||
|
There was a problem hiding this comment.
Suggested change
|
||||||
| monkeypatches to the [[!IFRAME-CREDENTIALLESS]] spec. | ||||||
|
|
||||||
| Add the following algorithm: | ||||||
gtanzer marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||
|
|
||||||
| <div algorithm> | ||||||
| To <dfn for="browsing context">compute the effective partition nonce</dfn> given a boolean | ||||||
| |credentialless| and [=fenced frame config instance/partition nonce=]-or-null | ||||||
| |newFencedFrameNonce|: | ||||||
|
|
||||||
| 1. If |credentialless| is true, return the associated [=browsing context=]'s [=top-level | ||||||
| browsing context=]'s [=page credentialless nonce=]. | ||||||
|
There was a problem hiding this comment. Note that the usage of "top-level browsing context" here will be fenced — is that intentional? That's because this specification does not override HTML's definition of top-level browsing context, which just iteratively reaches upward via the "parent" property, never the "unfenced parent" property. If you want the unfenced version, you'll need to grab a navigable's top-level traversable and get its browsing context and grab its page credentialless nonce. I just wanted to raise this in case it was unexpected. WDYT? It seems like this algorithm prefers:
Actually (3) above is a little confusing or surprising to me. Below on There was a problem hiding this comment. Regarding usage of "top-level browsing context:" I think this is actually intentional, looking at the Chromium implementation here
Translating that to spec world, I think getting the "top-level browsing context" is indeed what we want, rather than the "top-level traversable," because we want the "fenced" top-level frame. Regarding (3): There are a couple of situations where it's appropriate to re-use the nonce from the current browsing context: first is a content-initiated FF root navigation, and second is a subframe navigation, since I believe subframes' browsing contexts inherit the fenced frame config instance from their parent FF. I need to spend some more time looking at the navigation algorithms patched below to determine if they actually provide a null nonce in situations where the current browsing context's nonce should be re-used instead, but I wanted to get this comment written out to refer to later. There was a problem hiding this comment. Ok I think I have figured (3) For the For the |
||||||
|
|
||||||
| 1. If |newFencedFrameNonce| is not null, return |newFencedFrameNonce|. | ||||||
|
|
||||||
| 1. Let |instance| be the associated [=browsing context=]'s [=browsing context/fenced frame | ||||||
| config instance=]. | ||||||
|
|
||||||
| 1. Return |instance|'s [=fenced frame config instance/partition nonce=] if |instance| is not | ||||||
| null, and return null otherwise. | ||||||
| </div> | ||||||
|
|
||||||
| <div algorithm="process a navigate fetch"> | ||||||
| Modify the step added to <a href=https://wicg.github.io/anonymous-iframe/#spec-navigation-partition-nonce> | ||||||
| process a navigate fetch</a> to read: | ||||||
|
|
||||||
| 13. Let <var ignore>partitionNonce</var> be the result of [=browsing context/computing the | ||||||
|
There was a problem hiding this comment. Just to triple check here — the partitionNonce returned from the "computing" algorithm can be null. Can all of the consumers of this (presumably in the iframe credentialless spec) consume null in this case? Just want to make sure we're not in a position where we're passing null around to things that only accept/expect a populated nonce. There was a problem hiding this comment. The credentialless iframe spec explicitly defines a partition nonce as "an identifier or null" in the environment. In the algorithms we're changing here from the credentialless iframe spec, the partition nonce is already allowed to be null if the page credentailless nonce is missing. |
||||||
| effective partition nonce=] on <var ignore>browsingContext</var> given <var ignore> | ||||||
| credentialless</var> and <var ignore>sourceSnapshotParams</var>'s [=source snapshot params/ | ||||||
| target fenced frame config=]. | ||||||
| </div> | ||||||
|
|
||||||
| <div algorithm="initialize the document object"> | ||||||
| Modify the step added to <a href=https://wicg.github.io/anonymous-iframe/#spec-window-partition-nonce> | ||||||
| initialize the document object</a> to read: | ||||||
|
|
||||||
| 6.9. Let <var ignore>partitionNonce</var> be the result of [=browsing context/computing the | ||||||
| effective partition nonce=] on <var ignore>browsingContext</var> given |navigationParams|'s | ||||||
| [=navigation params/credentialless=] and null if |navigationParams|'s [=navigation params/ | ||||||
| fenced frame config instance=] is null else |navigationParams|'s [=navigation params/fenced | ||||||
| frame config instance=]'s [=fenced frame config instance/partition nonce=]. | ||||||
| </div> | ||||||
|
|
||||||
| <h3 id=webrtc-monkeypatch>WebRTC</h3> | ||||||
|
|
||||||
| The [[WEBRTC]] specification defines "ECMAScript APIs in WebIDL to allow media and generic | ||||||
|
|
||||||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is page credentialless nonce really scoped to each credentialless iframe? The definition you link to seems to be tied to a top-level browsing context, which spans many iframes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah I agree this is just worded wrong; every credentialless iframe "has" a nonce, which I think was the original intention here, but the value of that nonce is scoped to the top-level document. I updated the wording here to indicate as such.