Spec network revocation mechanism to disable fetches #169

Merged: 13 commits, Nov 4, 2024
110 changes: 107 additions & 3 deletions spec.bs
@@ -1258,7 +1258,7 @@ A <dfn export>fenced frame config</dfn> is a [=struct=] with the following [=str

: <dfn>embedder shared storage context</dfn>
:: null, or a [=string=]

: <dfn>is ad component</dfn>
:: A [=boolean=], initially false.

@@ -1314,8 +1314,11 @@ A <dfn export>fenced frame config instance</dfn> is a [=struct=] with the follow

: <dfn>embedder shared storage context</dfn>
:: null, or a [=string=]

: <dfn>is ad component</dfn>
:: A [=boolean=]

: <dfn>has disabled untrusted network</dfn>
:: A [=boolean=], initially false.

: <dfn>cross-origin reporting allowed</dfn>
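Review bot: the new "has disabled untrusted network" field is declared as "A [=boolean=], initially false", while the sibling fields of the fenced frame config instance in this hunk (e.g. "is ad component :: A [=boolean=]") carry no initial value because the instance creation algorithm sets every field explicitly (the creation steps below set this one to false). Drop "initially false" here for consistency, and keep it only on the [=fenced frame config=] struct where fields do have defaults.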
@@ -1401,12 +1404,15 @@ A <dfn export>fenced frame config instance</dfn> is a [=struct=] with the follow

: [=fenced frame config instance/embedder shared storage context=]
:: |config|'s [=fenced frame config/embedder shared storage context=]

: [=fenced frame config instance/is ad component=]
:: |config|'s [=fenced frame config/is ad component=]

: [=fenced frame config instance/cross-origin reporting allowed=]
:: |config|'s [=fenced frame config/cross-origin reporting allowed=]

: [=fenced frame config instance/has disabled untrusted network=]
:: false
</div>

Each [=browsing context=] has a <dfn for="browsing context">fenced frame config instance</dfn>,
@@ -1687,6 +1693,7 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
undefined reportEvent(optional ReportEventType event = {});
undefined setReportEventDataForAutomaticBeacons(optional FenceEvent event = {});
sequence&lt;FencedFrameConfig&gt; getNestedConfigs();
Promise&lt;undefined&gt; disableUntrustedNetwork();
undefined notifyEvent(Event event);
};
</pre>
@@ -1921,6 +1928,103 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
</wpt>
</div>

<div algorithm>
The <dfn method for=Fence>disableUntrustedNetwork()</dfn> method steps are:

1. Let |p| be [=a new promise=].

1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s
[=browsing context/fenced frame config instance=].

1. If the [=relevant settings object=]'s [=environment settings object/origin=] and
|instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same
origin=], then [=reject=] |p| with a {{TypeError}}.

1. If [=this=]'s [=relevant global object=]'s [=Window/navigable=]'s [=navigable/traversable
navigable=] is not a [=fenced navigable container/fenced navigable=], then [=resolve=] |p| with
{{undefined}} and return |p|.

1. Let |global| be [=this=]'s [=relevant global object=].

1. Run the following steps [=in parallel=]:

1. Let |fencedFrameNonce| be |instance|'s [=fenced frame config instance/partition nonce=].

1. Let |credentiallessNonce| be

Issue: the page credentialless nonce
(<a href="https://github.com/WICG/fenced-frame/issues/191">WICG/fenced-frame#191</a>)

1. Invoke [=revoke network for a partition nonce=] on |fencedFrameNonce|.

1. Invoke [=revoke network for a partition nonce=] on |credentiallessNonce|.

1. Set |instance|'s [=fenced frame config instance/has disabled untrusted network=] to true.

1. Wait on all nested fenced frames to disable network too.

Issue: Spec this waiting more formally.
(<a href="https://github.com/WICG/fenced-frame/issues/151">WICG/fenced-frame#151</a>)

1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to
[=resolve=] |p| with {{undefined}}.

1. Return |p|.
</div>

A user agent has an associated <dfn>network revocation nonce set</dfn>, which is a [=set=] of
[=partition nonces=], and a <dfn>network revocation exemption map</dfn>, which is a [=map=] whose
[=map/keys=] are [=partition nonces=] and [=map/values=] are [=sets=] of [=URLs=].

Note: The [=network revocation exemption map=] is used only for web platform tests; in normal usage
it is always empty. This list is modified directly in web platform tests by a function call to
exempt specific URLs from network revocation.

Issue: This will require a RFC to add a test-only function to the WPT web driver.
(<a href="https://github.com/WICG/fenced-frame/issues/192">WICG/fenced-frame#192</a>)

<div algorithm>
To <dfn>revoke network for a partition nonce</dfn> using a [=fenced frame config
instance/partition nonce=] |nonce|, run these steps:

1. [=set/Append=] |nonce| to the user agent's [=network revocation nonce set=].

1. [=fetch group/terminated|Terminate=] [=this=]'s [=relevant settings object=]'s
[=fetch/fetch group=].
</div>

<div algorithm>
To determine whether fetching a [=request=] <var ignore>request</var> <dfn>must be blocked due to
a revoked partition nonce</dfn> using a [=fenced frame config instance/partition nonce=] |nonce|
and a [=URL=] |requestURL|, run these steps:

1. If the user agent's [=network revocation exemption map=][|nonce|] [=map/exists=], and if
|requestURL| [=set/exists=] in it, return <b>allowed</b>.

1. If the user agent's [=network revocation nonce set=] [=set/contains=] |nonce|, return
<b>blocked</b>.

1. Return <b>allowed</b>.
</div>

<h3 id=disable-fetch>Fetch monkeypatches for network revocation</h3>

The network revocation mechanism requires the following monkeypatches to the [[FETCH]] Standard.

<div algorithm=network-revocation-check-patch>
In the [=fetch=] algorithm, step 7, where it says:

> If <a lt="block bad port">should <var>request</var> be blocked due to a bad port</a>,
> <a lt="should fetching request be blocked as mixed content?">
> should fetching <var>request</var> be blocked as mixed content</a>, or
> <a lt="should request be blocked by Content Security Policy?">should <var>request</var>
> be blocked by Content Security Policy</a> returns <b>blocked</b>, then set
> <var ignore>response</var> to a <a>network error</a>.

Add "[=must be blocked due to a revoked partition nonce=]" to the conditions after
"should request be blocked by Content Security Policy".
</div>

<h3 id=new-request-destination>New [=request=] [=request/destination=]</h3>

The processing model of a <{fencedframe}>'s navigation request deviates from that of the normal
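Review bot: the same-origin check in step 3 of the disableUntrustedNetwork() method steps rejects |p| with a {{TypeError}} but does not return, so the algorithm falls through into the [=in parallel=] steps, revokes network for the nonce anyway, and then queues a task to [=resolve=] the already-rejected promise; change it to "then [=reject=] |p| with a {{TypeError}} and return |p|." Two related points in the same hunk: "revoke network for a partition nonce" terminates "[=this=]'s [=relevant settings object=]'s [=fetch/fetch group=]", but it is a standalone algorithm invoked from in-parallel steps where neither [=this=] nor the relevant settings object is available (and it is invoked twice, once per nonce, against the same fetch group), so pass |global| in as a parameter or terminate the fetch group of every environment settings object whose partition nonce is |nonce|; and the monkeypatch in "Fetch monkeypatches for network revocation" never states which |nonce| and |requestURL| are handed to "must be blocked due to a revoked partition nonce" (presumably the request's client's partition nonce and the request's current URL), which the patched step 7 text should spell out. Minor: in step 1 of that check the exemption map's values are [=sets=] of URLs, so the lookup should read "[=list/contains=]" rather than "[=set/exists=]".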