Skip to content

Make "no-referrer" censor cross-document AppHistoryEntry URLs #189

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 18, 2021
Merged

Make "no-referrer" censor cross-document AppHistoryEntry URLs #189

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion app_history.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@ interface AppHistoryEntryEventMap {
declare class AppHistoryEntry extends EventTarget {
readonly key: string;
readonly id: string;
readonly url: string;
readonly url: string|null;
readonly index: number;
readonly sameDocument: boolean;

Expand Down
17 changes: 15 additions & 2 deletions spec.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,7 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
text: current entry; url: history.html#current-entry
for: session history entry
text: document; url: history.html#she-document
text: policy container; url: history.html#she-policy-container
text: URL; url: history.html#she-url
for: history handling behavior
text: default; url: browsing-the-web.html#hh-default
Expand All @@ -49,6 +50,8 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
text: discard; url: window-object.html#a-browsing-context-is-discarded
type: method
for: Document; text: open(unused1, unused2); url: multipage/dynamic-markup-insertion.html#dom-document-open
type: http-header
text: Cross-Origin-Opener-Policy; url: multipage/iana.html#cross-origin-opener-policy-2
spec: html; urlPrefix: https://whatpr.org/html/6315/
type: dfn
text: traversable navigable; for: navigable; url: history.html#nav-traversable
Expand Down Expand Up @@ -220,6 +223,12 @@ Each {{AppHistory}} object has an associated <dfn for="AppHistory">current index

1. Let |sessionHistory| be |appHistory|'s [=relevant global object=]'s [=Window/browsing context=]'s [=session history=].

<div class="note">
<p>It is expected that this include session history entries in the entire [=browsing session=], including those in different <a spec="HTML">browsing context groups</a> due to \`<a http-header>`Cross-Origin-Opener-Policy`</a>\`-induced switches. This will be better-defined when <a href="https://github.com/whatwg/html/pull/6315">whatwg/html#6315</a> is finalized; see also <a href="https://github.com/whatwg/html/issues/6356">whatwg/html#6356</a> for some discussion of the impact of manual navigation on this "session" concept.

<p>Note that it is OK to expose the data in these entries to the current page through {{AppHistoryEntry}} instances, since any [=session history entry/app history state=] will have been put there affirmatively, and the [=session history entry/URL=] is hidden appropriately by the {{AppHistoryEntry/url|url}} getter when the [=session history entry/document=] indicates that its URL is sensitive through the <a>"`no-referrer`"</a> [=referrer policy=].
</div>

1. Let |appHistorySHEs| be a new empty list.

1. Let |oldCurrentAHE| be the [=AppHistory/current entry=] of |appHistory|.
Expand Down Expand Up @@ -1343,7 +1352,7 @@ The <dfn attribute for="AppHistoryDestination">sameDocument</dfn> getter steps a
<xmp class="idl">
[Exposed=Window]
interface AppHistoryEntry : EventTarget {
readonly attribute USVString url;
readonly attribute USVString? url;
readonly attribute DOMString key;
readonly attribute DOMString id;
readonly attribute long long index;
Expand All @@ -1362,6 +1371,8 @@ interface AppHistoryEntry : EventTarget {
<dt><code><var ignore>entry</var>.{{AppHistoryEntry/url}}</code>
<dd>
<p>The URL of this app history entry.

<p>This can return null if the entry corresponds to a different {{Document}} than the current one (i.e. if {{AppHistoryEntry/sameDocument}} is false), and that {{Document}}'s [=policy container/referrer policy=] is <a>"`no-referrer`"</a>, since that indicates the {{Document}} in question is hiding its URL even from other same-origin pages.
</dd>

<dt><code><var ignore>entry</var>.{{AppHistoryEntry/key}}</code>
Expand Down Expand Up @@ -1419,7 +1430,9 @@ Each {{AppHistoryEntry}} has an associated <dfn for="AppHistoryEntry">index</dfn
<div algorithm>
The <dfn attribute for="AppHistoryEntry">url</dfn> getter steps are:

1. If [=this=]'s [=relevant global object=]'s [=associated Document=] is not [=Document/fully active=], then return the empty string.
1. If [=this=]'s [=relevant global object=]'s [=associated Document=] is not [=Document/fully active=], then return null.
1. Let |she| be [=this=]'s [=AppHistoryEntry/session history entry=].
1. If |she|'s [=session history entry/document=] does not equal [=this=]'s [=relevant global object=]'s [=associated Document=], and |she|'s [=session history entry/policy container=]'s [=policy container/referrer policy=] is <a>"`no-referrer`"</a>, then return null.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: no need for comma before and (while it looks like a lot of words, that's mostly in the source).

1. Return [=this=]'s [=AppHistoryEntry/session history entry=]'s [=session history entry/URL=], [=URL serializer|serialized=].
</div>

Expand Down