Add cross-origin opener policy

camillelamy · clamy · commit 6b15e550e2db · 2020-04-22T15:18:01.000+02:00
Tests: https://github.com/web-platform-tests/wpt/tree/master/html/cross-origin-opener-policy Closes: whatwg#4580 Fix formatting issues Fix some more formatting issues Addressed code review comments Addressed comments Addressed comments
diff --git a/source b/source
@@ -2654,6 +2654,9 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
        <li><dfn data-x="concept-request-history-navigation-flag" data-x-href="https://fetch.spec.whatwg.org/#concept-request-history-navigation-flag">history-navigation flag</dfn></li>
       </ul>
      </li>
+     <li><dfn data-x="concept-header-list-get"
+     data-x-href="https://fetch.spec.whatwg.org/#concept-header-list-get">Getting a header</dfn>
+     from a header list.</li>
     </ul>
 
     <p>The following terms are defined in <cite>Referrer Policy</cite>: <ref
@@ -4021,6 +4024,20 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x-href="https://w3c.github.io/requestidlecallback/#start-an-idle-period-algorithm">start an idle period algorithm</dfn></li>
     </ul>
    </dd>
+
+   <dt>Cross-Origin Embedder Policy</dt>
+
+   <dd>
+    <p>The following feature is defined in <cite>Cross-Origin Embedder Policy</cite>: <ref
+    spec=COEP></p>
+
+    <ul class="brief">
+     <li><dfn data-x="cross-origin-embedder-policy"
+     data-x-href="https://wicg.github.io/cross-origin-embedder-policy/#embedder-policy">embedder
+     policy</dfn></li>
+    </ul>
+   </dd>
+
   </dl>
 
   <hr>
@@ -8986,6 +9003,11 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
   data-x="concept-document-module-map">module map</dfn>, which is a <span>module map</span>,
   initially empty.</p>
 
+  <p>The <code>Document</code> has a <dfn data-dfn-for="Document"
+  data-x="concept-document-coop">cross-origin opener policy</dfn>, which is a
+  <span data-x="cross-origin-opener-policy">cross-origin opener policy</span>,
+  initially "<code data-x="">unsafe-none</code>".</p>
+
   <h4>The <code>DocumentOrShadowRoot</code> interface</h4>
 
   <p><cite>DOM</cite> defines the <code data-x="DOM
@@ -76448,13 +76470,25 @@ dictionary <dfn>DragEventInit</dfn> : <span>MouseEventInit</span> {
    settings object">setting up a window environment settings object</span> given <var>realm
    execution context</var> and <var>topLevelOrigin</var>.</p></li>
 
+   <li><p>Let <var>COOP</var> be a <span
+   data-x="cross-origin-opener-policy">cross-origin-opener-policy</span> with value "<code
+   data-x="">unsafe-none</code>".</p></li>
+
+   <li><p>If <var>creator</var> is non-null, let <var>creatorOrigin</var> be its <span>origin</span>
+   and let <var>creatorTopLevelOrigin</var> be its <span>top-level origin</span>. If
+   <var>creatorOrigin</var> is <span>same origin</span> with <var>creatorTopLevelOrigin</var>, then
+   set <var>COOP</var> to <var>creator</var>'s <span>top-level browsing context</span>'s
+   <code>Document</code>'s <span data-x="concept-document-coop">cross-origin opener
+   policy</span>.</p></li>
+
    <li><p>Let <var>document</var> be a new <code>Document</code>, marked as an <span data-x="HTML
    documents">HTML document</span> in <span>quirks mode</span>, whose <span
    data-x="concept-document-content-type">content type</span> is "<code data-x="">text/html</code>",
    <span>origin</span> is <var>origin</var>, <span>active sandboxing flag set</span> is
    <var>sandboxFlags</var>, <span data-x="concept-document-feature-policy">feature policy</span> is
-   <var>feature policy</var>, and which is both <span>ready for post-load tasks</span> and
-   <span>completely loaded</span> immediately.</p></li>
+   <var>feature policy</var>, <span data-x="concept-document-coop">cross-origin opener policy</span>
+   is <var>COOP</var>, and which is both <span>ready for post-load tasks</span> and <span>completely
+   loaded</span> immediately.</p></li>
 
    <li><p>Ensure that <var>document</var> has a single child <code>html</code> node, which itself
    has two empty child nodes: a <code>head</code> element, and a <code>body</code> element.</p></li>
@@ -77002,6 +77036,13 @@ console.assert(iframeWindow.frameElement === null);
   keys</span> to <span data-x="agent cluster">agent clusters</span>). User agents are responsible
   for collecting agent clusters when it is deemed that nothing can access them anymore.</p>
 
+  <p>A <span>browsing context group</span> has a <dfn data-x="bcg cross-origin
+  isolated">cross-origin isolated</dfn> boolean. It is initially false.</p>
+
+  <p class="XXX">The impact of <span data-x="bcg cross-origin isolated">cross-origin
+  isolated</span> is under discussion in <a href="https://github.com/whatwg/html/pull/4734">issue
+  #4734</a>.</p>
+
   <p>To <dfn data-x="creating a new browsing context group">create a new browsing context
   group</dfn>, run these steps:</p>
 
@@ -77300,6 +77341,27 @@ console.assert(iframeWindow.frameElement === null);
 
      <dd>
       <ol>
+       <li>
+        <p>If <var>current</var>'s <span>top-level browsing context</span>'s <span>active
+        document</span>'s <span data-x="cross-origin-opener-policy">cross-origin opener
+        policy</span> is "<code data-x="">same-origin</code>" or "<code
+        data-x="">same-origin-plus-COEP</code>", then:</p>
+
+        <ol>
+         <li><p>Let <var>currentDocument</var> be <var>current</var>'s
+         <span>active document</span>.</p> </li>
+
+         <li>
+          <p>If <var>currentDocument</var>'s <span>origin</span> is not <span>same origin</span>
+	  with <var>current</var>'s <span>top-level origin</span>, then set <var>noopener</var> to
+          true and <var>name</var> to "<code data-x="">_blank</code>".</p>
+
+          <p class="note">In the presence of COOP, nested documents cross-origin with their
+          top-level browsing context always set /noopener/.</p>
+         </li>
+        </ol>
+       </li>
+
        <li><p>Set <var>new</var> to true.</p></li>
 
        <li id="noopener"><p>If <var>noopener</var> is true, then set <var>chosen</var> to the result
@@ -79736,6 +79798,184 @@ interface <dfn>BarProp</dfn> {
 
 
 
+  <h3>Cross-origin opener policy</h3>
+
+  <p>A <dfn data-x="cross-origin-opener-policy">cross-origin opener policy</dfn> restricts the set
+  of <span data-x="browsing context">browsing contexts</span> which can live together in a single
+  <span>browsing context group</span>. It has one of the following values, defaulting to "<code
+  data-x="">unsafe-none</code>" unless otherwise specified:</p>
+
+  <dl>
+   <dt>"<code data-x="">unsafe-none</code>"</dt>
+
+   <dd><p>The default value of the <span data-x="cross-origin-opener-policy">cross-origin opener
+   policy</span>. <span data-x="document">Documents</span> with this policy can share their
+   <span>browsing context group</span> with any other <span>document</span> that has the same
+   policy, regardless of their <span>top-level origin</span>.</p></dd>
+
+   <dt>"<code data-x="">same-origin-allow-popups</code>"</dt>
+
+   <dd><p>When this policy is enabled, <span data-x="document">documents</span> will be placed in a
+   new <span>browsing context group</span> when their opener's <span>top-level origin</span> is not
+   same-origin with them. <span data-x="document">Documents</span> with this policy are still able
+   to open cross-origin popups in their <span>browsing context group</span>.</p></dd>
+
+   <dt>"<code data-x="">same-origin</code>"</dt>
+
+   <dd><p>When this policy is enabled on a <span>document</span>, its <span>browsing context
+   group</span> will only contain <span data-x="document">documents</span> with the same
+   <span>top-level origin</span> and the same policy.</p></dd>
+
+   <dt>"<code data-x="">same-origin-plus-COEP</code>"</dt>
+
+   <dd>
+    <p>This policy is meant to provide the highest degree of isolation to pages. When enabled on a
+    <span>document</span>, its <span>browsing context group</span> will only contain
+    <span data-x="document">documents</span> with the same <span>top-level origin</span> and the
+    same policy. The <span>browsing context group</span> will also be <span data-x="bcg cross-origin
+    isolated">cross-origin isolated</span>.</p>
+
+    <p class="note">"<code data-x="">same-origin-plus-COEP</code>" cannot be directly set via the
+    `<code data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` header,  but
+    results from a combination of setting both <code data-x="">Cross-Origin-Opener-Policy:
+    same-origin</code> and <code data-x="">Cross-Origin-Embedder-Policy: require-corp</code>
+    together.</p>
+   </dd>
+  </dl>
+
+  <p>To <dfn data-x="obtain-coop">obtain a cross-origin opener policy</dfn> from a <span
+  data-x="concept-response">response</span> <var>response</var> and an <span>environment</span>
+  <var>environment</var>:</p>
+
+  <ol>
+   <li><p>Let <var>securityState</var> be the result of executing <span>Is environment
+   settings object a secure context?</span> on <var>environment</var>.</p></li>
+
+   <li><p>If <var>securityState</var> is "<code data-x="">Not Secure</code>", then return "<code
+   data-x="">unsafe-none</code>".</p> </li>
+
+   <li><p>Let <var>value</var> be the result of <span data-x="concept-header-list-get">getting
+   </span> `<code data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code>` from
+   <var>response</var>'s <span data-x="concept-response-header-list">header list</span>.</p></li>
+
+   <li><p>If <var>value</var> is null, then return "<code data-x="">unsafe-none</code>".</p></li>
+
+   <li><p>Let <var>decodedValue</var> be the <span data-x="isomorphic decode">isomorphic
+   decoding</span> of <var>value</var></p></li>
+
+   <li><p>If <var>decodedValue</var> is not "<code data-x="">same-origin</code>" or "<code
+   data-x="">same-origin-allow-popups</code>", then return "<code
+   data-x="">unsafe-none</code>".</p></li>
+
+   <li><p>If <var>decodedValue</var> is "<code data-x="">same-origin</code>", then:</p>
+
+   <ol>
+    <li><p>Let <var>COEP</var> be the result of obtaining a <span
+    data-x="cross-origin-embedder-policy">cross-origin embedder policy</span> from
+    <var>response</var>.</p></li>
+
+    <li><p>If <var>COEP</var> is "<code data-x="">require-corp</code>", then return "<code
+    data-x="">same-origin-plus-COEP</code>".</p></li>
+   </ol>
+   </li>
+
+   <li><p>Return <var>decodedValue</var></p></li>
+  </ol>
+
+  <p>To <dfn data-x="matching-coop">match cross-origin opener policies</dfn>, given a <span
+  data-x="cross-origin-opener-policy">COOP</span> <var>A</var>, an <span>origin</span>
+  <var>originA</var>, a <span data-x="cross-origin-opener-policy">COOP</span> <var>B</var> and an
+  <span>origin</span> <var>originB</var>:</p>
+
+  <ol>
+   <li><p>If <var>A</var> is "<code data-x="">unsafe-none</code>" and <var>B</var> is "<code
+   data-x="">unsafe-none</code>", then return true.</p></li>
+
+   <li><p>If <var>A</var> or <var>B</var> is "<code data-x="">unsafe-none</code>", then return
+   false.</p></li>
+
+   <li><p>If <var>A</var> is the same value as <var>B</var> and
+   <var>originA</var> is <span>same origin</span> with <var>originB</var>, then
+   return true.</p></li>
+
+   <li><p>Return false.</p></li>
+  </ol>
+
+  <p>To <dfn data-x="obtain-browsing-context-navigation">obtain a browsing context to use for a
+  navigation response</dfn>, given a <span data-x="concept-response">response</span>
+  <var>response</var>, a <span data-x="browsing context">browsing context</span>
+  <var>browsingContext</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>, two <span
+  data-x="origin">origins</span> <var>incumbentNavigationOrigin</var>,
+  <var>activeDocumentNavigationOrigin</var>, and a <span
+  data-x="cross-origin-opener-policy">cross-origin opener policy</span>
+  <var>responseCOOP</var>:</p>
+
+  <ol>
+   <li><p>Let <var>activeDocumentCOOP</var> be the <span data-x="concept-document-coop">
+   cross-origin opener policy</span> of <var>currentBrowsingContext</var>'s <span>active
+   document</span>.</p></li>
+
+   <li><p>If the result of <span data-x="matching-coop">matching</span>
+   <var>activeDocumentCOOP</var>, <var>activeDocumentNavigationOrigin</var>,
+   <var>responseCOOP</var> and <var>incumbentNavigationOrigin</var> is true, return
+   <var>browsingContext</var>.</p></li>
+
+   <li>
+    <p>If all of the following are true:</p>
+
+    <ul>
+     <li><p><var>currentBrowsingContext</var>'s only entry in its <span>session history</span> is
+     the <code>about:blank</code> <code>Document</code> that was added when
+     <var>browsingContext</var> was <span data-x="creating a new browsing
+     context">created</span>.</p></li>
+
+     <li><p><var>activeDocumentCOOP</var> is "<code
+     data-x="">same-origin-allow-popups</code>".</p></li>
+
+     <li><p><var>responseCOOP</var> is "<code data-x="">unsafe-none</code>".</p></li>
+    </ul>
+
+    <p>then return <var>browsingContext</var>.</p>
+   </li>
+
+   <li><p>Let <var>newBrowsingContextGroup</var> be the result of <span>creating a new
+   browsing context group</span>.</p></li>
+
+   <li><p>If <var>responseCOOP</var> is "<code data-x="">same-origin-plus-COEP</code>", then set
+   <var>newBrowsingContextGroup</var> <span data-x="bcg cross-origin isolated">cross-origin
+   isolated</span> to true.</p></li>
+
+   <li><p>Let <var>newBrowsingContext</var> be the result of <span data-x="creating a new browsing
+   context">creating a new browsingContext</span> in <var>newBrowsingContextGroup</var>.</p></li>
+
+   <li>
+    <p>If <var>sandboxFlags</var> is not empty, then:</p>
+    <ol>
+     <li><p>Assert <var>responseCOOP</var> is "<code data-x="">unsafe-none</code>".</p></li>
+
+     <li><p>Set <var>newBrowsingContext</var>'s <span>sandboxing flag set</span> to
+     <var>sandboxFlags</var>.</p></li>
+    </ol>
+   </li>
+
+   <li>
+    <p><span data-x="a browsing context is discarded">Discard</span>
+    <var>currentBrowsingContext</var>.</p>
+
+    <p class="note">This does not close <var>currentBrowsingContext</var>'s <span>browsing context
+    group</span> except if it was the sole top-level browsing context in which case it could be
+    collected</p>
+   </li>
+
+   <li><p>Return <var>newBrowsingContext</var>.</p></li>
+  </ol>
+
+  <p class="XXX">The impact of swapping browsing context groups following a navigation is not
+  defined. It is currently under discussion in <a
+  href="https://github.com/whatwg/html/issues/5350">issue 5350</a>.</p>
+
+
+
   <h3 split-filename="history" id="history">Session history and navigation</h3>
 
   <h4>The session history of browsing contexts</h4>
@@ -82091,6 +82331,45 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
     </div>
    </li>
 
+   <li><p>Let <var>incumbentCOOP</var> be "<code data-x="">unsafe-none</code>".</p></li>
+
+   <li><p>If <var>browsingContext</var> is a <span>top-level browsing context</span>, then:</p>
+
+   <ol>
+     <li><p>Set <var>incumbentCOOP</var> to the <span
+     data-x="cross-origin-opener-policy">cross-origin opener policy</span> <span
+     data-x="obtain-coop">obtained</span> given <var>response</var> and
+     <var>reservedEnvironment</var>.</p></li>
+
+     <li>
+      <p>If <var>sandboxFlags</var> is not empty and <var>incumbentCOOP</var> is not "<code
+      data-x="">unsafe-none</code>", then  <span data-x="navigate-ua-inline">display the inline
+      content with an appropriate error shown to the user</span>, with the newly created
+      <code>Document</code> object's <span>origin</span> set to a new <span
+      data-x="concept-origin-opaque">opaque origin</span>, run the <span data-x="environment
+      discarding steps">environment discarding steps</span> for <var>reservedEnvironment</var>, and
+      return.</p>
+
+      <p class="note">This results in a network error as one cannot simultaneously provide a clean
+      slate to a response using cross-origin opener policy and sandbox the result of navigating to
+      that response.</p>
+     </li>
+
+     <li><p>Let <var>newBrowsingContext</var> be the value of <span
+     data-x="obtain-browsing-context-navigation">obtaining a browsing context for the navigation
+     response</span> given <var>response</var>, <var>browsingContext</var>, <var>sandboxFlags</var>,
+     <var>incumbentNavigationOrigin</var>, <var>activeDocumentNavigationOrigin</var>, and
+     <var>incumbentCOOP</var>.</p></li>
+
+     <li><p>Let <var>browsingContextSwitch</var> be false.</p></li>
+
+     <li><p>If <var>newBrowsingContext</var> is not equal to <var>browsingContext</var>, then set
+     <var>browsingContextSwitch</var> to true.</p></li>
+
+     <li><p>Set <var>browsingContext</var> to the value of <var>newBrowsingContext</var>.</p></li>
+    </ol>
+   </li>
+
    <li><p>If <var>browsingContext</var>'s only entry in its <span>session history</span> is the
    initial <code>about:blank</code> <code>Document</code> that was added when
    <var>browsingContext</var> was <span data-x="creating a new browsing context">created</span>, and
@@ -82134,8 +82413,9 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    data-x="concept-document-type">type</span> is <var>type</var>, <span
    data-x="concept-document-content-type">content type</span> is <var>contentType</var>,
    <span>origin</span> is <var>origin</var>, <span data-x="concept-document-feature-policy">feature
-   policy</span> is <var>featurePolicy</var>, and <span>active sandboxing flag set</span> is
-   <var>finalSandboxFlags</var>.</p></li>
+   policy</span> is <var>featurePolicy</var>, <span>active sandboxing flag set</span> is
+   <var>finalSandboxFlags</var>, and <span data-x="concept-document-coop">cross-origin opener
+   policy</span> is <var>incumbentCOOP</var>.</p></li>
 
    <li id="set-the-document's-address"><p>If <var>request</var> is non-null, then set
    <var>document</var>'s <span data-x="concept-document-url">URL</span> to <var>request</var>'s
@@ -115745,6 +116025,27 @@ interface <dfn>External</dfn> {
 
   </div>
 
+  <h3>`<dfn><code data-x="http-cross-origin-opener-policy">Cross-Origin-Opener-Policy</code></dfn>`</h3>
+
+  <p>This section describes a header for registration in the Permanent Message Header Field
+  Registry. <ref spec=RFC3864></p>
+
+  <dl>
+   <dt>Header field name:</dt>
+   <dd>Cross-Origin-Opener-Policy</dd>
+   <dt>Applicable protocol:</dt>
+   <dd>http</dd>
+   <dt>Status:</dt>
+   <dd>standard</dd>
+   <dt>Author/Change controller:</dt>
+   <dd>WHATWG</dd>
+   <dt>Specification document(s):</dt>
+   <dd>
+    This document is the relevant specification.
+   </dd>
+   <dt>Related information:</dt>
+   <dd>None.</dd>
+  </dl>
 
 
   <h2 split-filename="indices" id="index" class="no-num">Index</h2>
@@ -120276,6 +120577,10 @@ INSERT INTERFACES HERE
    <dt id="refsCOMPUTABLE">[COMPUTABLE]</dt>
    <dd>(Non-normative) <cite><a href="http://www.turingarchive.org/browse.php/B/12">On computable numbers, with an application to the Entscheidungsproblem</a></cite>, A. Turing. In <cite>Proceedings of the London Mathematical Society</cite>, series 2, volume 42, pages 230-265. London Mathematical Society, 1937.</dd>
 
+   <dt id="refsCOEP">[COEP]</dt>
+   <dd><cite><a href="https://wicg.github.io/cross-origin-embedder-policy/">Cross-Origin Embedder Policy</a></cite>, M.
+   West.</dd>
+
    <dt id="refsCOOKIES">[COOKIES]</dt>
    <dd><cite><a href="https://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a></cite>, A. Barth. IETF.</dd>
 
