diff --git a/spec.bs b/spec.bs index 0bacb3b..5e7c9a1 100644 --- a/spec.bs +++ b/spec.bs @@ -1258,7 +1258,7 @@ A fenced frame config is a [=struct=] with the following [=str : embedder shared storage context :: null, or a [=string=] - + : is ad component :: A [=boolean=], initially false. @@ -1314,8 +1314,11 @@ A fenced frame config instance is a [=struct=] with the follow : embedder shared storage context :: null, or a [=string=] - + : is ad component + :: A [=boolean=] + + : has disabled untrusted network :: A [=boolean=], initially false. : cross-origin reporting allowed @@ -1401,12 +1404,15 @@ A fenced frame config instance is a [=struct=] with the follow : [=fenced frame config instance/embedder shared storage context=] :: |config|'s [=fenced frame config/embedder shared storage context=] - + : [=fenced frame config instance/is ad component=] :: |config|'s [=fenced frame config/is ad component=] : [=fenced frame config instance/cross-origin reporting allowed=] :: |config|'s [=fenced frame config/cross-origin reporting allowed=] + + : [=fenced frame config instance/has disabled untrusted network=] + :: false Each [=browsing context=] has a fenced frame config instance, @@ -1687,6 +1693,7 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. undefined reportEvent(optional ReportEventType event = {}); undefined setReportEventDataForAutomaticBeacons(optional FenceEvent event = {}); sequence<FencedFrameConfig> getNestedConfigs(); + Promise<undefined> disableUntrustedNetwork(); undefined notifyEvent(Event event); }; @@ -1921,6 +1928,103 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. +
+ The disableUntrustedNetwork() method steps are: + + 1. Let |p| be [=a new promise=]. + + 1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s + [=browsing context/fenced frame config instance=]. + + 1. If the [=relevant settings object=]'s [=environment settings object/origin=] and + |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same + origin=], then [=reject=] |p| with a {{TypeError}}. + + 1. If [=this=]'s [=relevant global object=]'s [=Window/navigable=]'s [=navigable/traversable + navigable=] is not a [=fenced navigable container/fenced navigable=], then [=resolve=] |p| with + {{undefined}} and return |p|. + + 1. Let |global| be [=this=]'s [=relevant global object=]. + + 1. Run the following steps [=in parallel=]: + + 1. Let |fencedFrameNonce| be |instance|'s [=fenced frame config instance/partition nonce=]. + + 1. Let |credentiallessNonce| be + + Issue: the page credentialless nonce + (WICG/fenced-frame#191) + + 1. Invoke [=revoke network for a partition nonce=] on |fencedFrameNonce|. + + 1. Invoke [=revoke network for a partition nonce=] on |credentiallessNonce|. + + 1. Set |instance|'s [=fenced frame config instance/has disabled untrusted network=] to true. + + 1. Wait on all nested fenced frames to disable network too. + + Issue: Spec this waiting more formally. + (WICG/fenced-frame#151) + + 1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to + [=resolve=] |p| with {{undefined}}. + + 1. Return |p|. +
+ +A user agent has an associated network revocation nonce set, which is a [=set=] of +[=partition nonces=], and a network revocation exemption map, which is a [=map=] whose +[=map/keys=] are [=partition nonces=] and [=map/values=] are [=sets=] of [=URLs=]. + +Note: The [=network revocation exemption map=] is used only for web platform tests; in normal usage +it is always empty. This list is modified directly in web platform tests by a function call to +exempt specific URLs from network revocation. + +Issue: This will require a RFC to add a test-only function to the WPT web driver. +(WICG/fenced-frame#192) + +
+ To revoke network for a partition nonce using a [=fenced frame config + instance/partition nonce=] |nonce|, run these steps: + + 1. [=set/Append=] |nonce| to the user agent's [=network revocation nonce set=]. + + 1. [=fetch group/terminated|Terminate=] [=this=]'s [=relevant settings object=]'s + [=fetch/fetch group=]. +
+ +
+ To determine whether fetching a [=request=] request must be blocked due to + a revoked partition nonce using a [=fenced frame config instance/partition nonce=] |nonce| + and a [=URL=] |requestURL|, run these steps: + + 1. If the user agent's [=network revocation exemption map=][|nonce|] [=map/exists=], and if + |requestURL| [=set/exists=] in it, return allowed. + + 1. If the user agent's [=network revocation nonce set=] [=set/contains=] |nonce|, return + blocked. + + 1. Return allowed. +
+ +

Fetch monkeypatches for network revocation

+ +The network revocation mechanism requires the following monkeypatches to the [[FETCH]] Standard. + +
+ In the [=fetch=] algorithm, step 7, where it says: + + > If should request be blocked due to a bad port, + > + > should fetching request be blocked as mixed content, or + > should request + > be blocked by Content Security Policy returns blocked, then set + > response to a network error. + + Add "[=must be blocked due to a revoked partition nonce=]" to the conditions after + "should request be blocked by Content Security Policy". +
+

New [=request=] [=request/destination=]

The processing model of a <{fencedframe}>'s navigation request deviates from that of the normal
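Review bot: in the @@ -1314 hunk, the new "has disabled untrusted network" field on fenced frame config instance is defined here and initialized to false in the @@ -1401 hunk, and set to true in the disableUntrustedNetwork() steps, but nothing in this patch reads it: the fetch-side check ("must be blocked due to a revoked partition nonce") consults the user agent's network revocation nonce set, not this flag. If the flag is meant to gate other APIs once network is revoked, say where it is consumed (or add a cross-reference next to the definition); otherwise it is dead state that can drift from the nonce set. Also, "is ad component" is defined here as just "A [=boolean=]" while the config struct in the @@ -1258 hunk says "initially false"; the two should match.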
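Review bot: in the @@ -1921 hunk, step 3 of the disableUntrustedNetwork() steps rejects |p| with a TypeError but does not return, so the algorithm falls through and the in-parallel steps still revoke network for the nonce even though the caller was not same-origin with the mapped URL; change it to "then [=reject=] |p| with a {{TypeError}} and return |p|", matching the form of step 4. Related ordering problem: step 2 dereferences |instance| (and step 3 its mapped url) before step 4 checks that the caller is actually inside a fenced navigable, so the fenced-navigable check should come first, or |instance| being null needs handling. "Revoke network for a partition nonce" also uses "[=this=]'s [=relevant settings object=]", which has no meaning in a standalone algorithm that is invoked in parallel; pass the fetch group (or the environment) in as a parameter, and note that terminating only the caller's fetch group leaves in-flight fetches in nested documents or workers that share the nonce untouched (the nonce set only blocks new fetches from step 7 of fetch). Two smaller points in the same hunk: the exemption check uses "[=set/exists=]" on a set, where Infra's term is "[=list/contains=]"; and the fetch monkeypatch invokes the blocking algorithm without saying how |nonce| and |requestURL| are derived from the request (presumably the request's client's fenced frame config instance's partition nonce and the request's current URL), which should be stated so the hook is well defined for requests without a client.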