From a8cc209c608b60e4b7dd0764338bcfe4ea8cc28f Mon Sep 17 00:00:00 2001
From: Ian Clelland
Date: Mon, 18 Nov 2019 15:29:05 -0500
Subject: [PATCH] Snapshot sandbox at start of navigation.

This change fixes a race condition where an iframe's sandboxing flag set could be changed in between the start of a navigation and when the response is returned, and the new document created. In that case, it was unclear how the new document could reliably synchronously get the updated flags, or just exactly how late those flags could be changed and still impact the new document.

Now, the sandboxing flag set is routed from the beginning of the navigation to the eventual document creation.

Ref: #4783, and also see https://github.com/w3c/webappsec-feature-policy/issues/256
---
 source | 104 ++++++++++++++++++++++++++++++---------------------------
 1 file changed, 55 insertions(+), 49 deletions(-)

diff --git a/source b/source
index 71a456f2809..a3230f6132c 100644
--- a/source
+++ b/source
@@ -83558,6 +83558,9 @@ interface Location { // but see also form submission algorithm, and "other" otherwise.

+
  • Let sandboxFlags be the result of determining active sandboxing + flags given browsingContext.

  • +
  • Return to whatever algorithm invoked the navigation steps and continue running these steps in parallel.
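Review bot: the new step calls determining active sandboxing flags with browsingContext alone, while the call this patch removes in create and initialize a Document passed "browsingContext and response"; the definition of that algorithm is not in this diff, so confirm it was changed to take only a browsing context and to stop folding in the response's forced sandboxing flag set, which is now unioned separately into finalSandboxFlags. It would also help a reader to state in the spec text, not only in the commit message, that the snapshot is taken here, before "continue running these steps in parallel", so later edits to the iframe's sandbox attribute cannot reach this navigation's document.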

  • @@ -83571,7 +83574,7 @@ interface Location { // but see also
    response

    Run process a navigate response with null, resource, navigationType, the source browsing context, - browsingContext, incumbentNavigationOrigin, and + browsingContext, sandboxFlags, incumbentNavigationOrigin, and activeDocumentNavigationOrigin.

    If resource is a request whose Location { // but see also So for example a fetch scheme

    Run process a navigate fetch given resource, the source browsing context, browsingContext, navigationType, - incumbentNavigationOrigin, and activeDocumentNavigationOrigin.

    + sandboxFlags, incumbentNavigationOrigin, and + activeDocumentNavigationOrigin.

    Otherwise, resource is a request whose url's scheme @@ -83850,9 +83854,10 @@ interface Location { // but see also request request, a response response, a string navigationType, two browsing contexts source and - browsingContext, two origins - incumbentNavigationOrigin and activeDocumentNavigationOrigin, and an - optional environment reservedEnvironment, run these steps:

    + browsingContext, a sandboxing flag set sandboxFlags, two + origins incumbentNavigationOrigin and + activeDocumentNavigationOrigin, and an optional environment + reservedEnvironment, run these steps:

    1. @@ -83904,15 +83909,15 @@ interface Location { // but see also HTML document section providing browsingContext, request, response, - incumbentNavigationOrigin, and activeDocumentNavigationOrigin. Once the - steps have completed, return. + sandboxFlags, incumbentNavigationOrigin, and + activeDocumentNavigationOrigin. Once the steps have completed, return.
      an XML MIME type that is not an explicitly supported XML MIME type
      Follow the steps given in the XML document section providing browsingContext, type, request, response, - incumbentNavigationOrigin, and activeDocumentNavigationOrigin. Once the - steps have completed, return.
      + sandboxFlags, incumbentNavigationOrigin, and + activeDocumentNavigationOrigin. Once the steps have completed, return.
      a JavaScript MIME type
      a JSON MIME type that is not an explicitly supported JSON MIME @@ -83923,28 +83928,28 @@ interface Location { // but see also text/vtt"
      Follow the steps given in the plain text file section providing browsingContext, type, request, response, - incumbentNavigationOrigin, and activeDocumentNavigationOrigin. Once the - steps have completed, return.
      + sandboxFlags, incumbentNavigationOrigin, and + activeDocumentNavigationOrigin. Once the steps have completed, return.
      "multipart/x-mixed-replace"
      Follow the steps given in the multipart/x-mixed-replace section providing browsingContext, type, request, response, - incumbentNavigationOrigin, and activeDocumentNavigationOrigin. Once the - steps have completed, return.
      + sandboxFlags, incumbentNavigationOrigin, and + activeDocumentNavigationOrigin. Once the steps have completed, return.
      A supported image, video, or audio type
      Follow the steps given in the media section providing browsingContext, type, request, response, - incumbentNavigationOrigin, and activeDocumentNavigationOrigin. Once the - steps have completed, return.
      + sandboxFlags, incumbentNavigationOrigin, and + activeDocumentNavigationOrigin. Once the steps have completed, return.
      A type that will use an external application to render the content in browsingContext
      Follow the steps given in the plugin section providing browsingContext, type, request, response, - incumbentNavigationOrigin, and activeDocumentNavigationOrigin. Once the - steps have completed, return.
      + sandboxFlags, incumbentNavigationOrigin, and + activeDocumentNavigationOrigin. Once the steps have completed, return.

      An explicitly supported XML MIME type is an XML MIME type for which @@ -84115,18 +84120,18 @@ interface Location { // but see also content type contentType, a request request, a response response, a browsing context browsingContext, two origins incumbentNavigationOrigin, - activeDocumentNavigationOrigin, and an optional environment - reservedEnvironment:

      + context">browsing context browsingContext, a sandboxing flag set + sandboxFlags, two origins + incumbentNavigationOrigin, activeDocumentNavigationOrigin, and an optional + environment reservedEnvironment:

        -
      1. Let sandboxFlags be the result of determining active sandboxing - flags given browsingContext and response.

      2. +
      3. Let finalSandboxFlags be the union of sandboxFlags and + response's forced sandboxing flag set.

      4. Let origin be the result of determining the origin given browsingContext, request's url, - sandboxFlags, incumbentNavigationOrigin, and + finalSandboxFlags, incumbentNavigationOrigin, and activeDocumentNavigationOrigin.

      5. @@ -84188,7 +84193,7 @@ interface Location { // but see also content type is contentType, origin is origin, feature policy is featurePolicy, and active sandboxing flag set is - sandboxFlags.

      6. + finalSandboxFlags.

      7. If request is non-null, then set document's URL to request's @@ -84411,14 +84416,15 @@ new PaymentRequest(…); // Allowed to use

        When an HTML document is to be loaded in a browsing context, provided browsingContext, request, response, - incumbentNavigationOrigin, and activeDocumentNavigationOrigin, the user - agent must queue a task on the networking task source to:

        + sandboxFlags, incumbentNavigationOrigin, and + activeDocumentNavigationOrigin, the user agent must queue a task on the + networking task source to:

        1. Let document be the result of creating and initializing a Document object providing "html", "text/html", - request, response, browsingContext, + request, response, browsingContext, sandboxFlags, incumbentNavigationOrigin, and activeDocumentNavigationOrigin.

        2. @@ -84453,13 +84459,13 @@ new PaymentRequest(…); // Allowed to use

          Page load processing model for XML files

          When faced with displaying an XML file inline, provided browsingContext, - request, response, incumbentNavigationOrigin, and - activeDocumentNavigationOrigin, user agents must follow the requirements defined in - XML and Namespaces in XML, XML Media Types, - DOM, and other relevant specifications to request, response, sandboxFlags, + incumbentNavigationOrigin, and activeDocumentNavigationOrigin, user agents + must follow the requirements defined in XML and Namespaces in XML, + XML Media Types, DOM, and other relevant specifications to create and initialize a Document object providing "xml", type, request, response, - browsingContext, incumbentNavigationOrigin, and + browsingContext, sandboxFlags, incumbentNavigationOrigin, and activeDocumentNavigationOrigin. It must also create and a corresponding XML parser.

          @@ -84506,7 +84512,7 @@ new PaymentRequest(…); // Allowed to use

          Page load processing model for text files

          When a plain text document is to be loaded in a browsing context, provided - browsingContext, request, response, + browsingContext, request, response, sandboxFlags, incumbentNavigationOrigin, and activeDocumentNavigationOrigin, the user agent must queue a task on the networking task source to: @@ -84514,8 +84520,8 @@ new PaymentRequest(…); // Allowed to use

        3. Let document be the result of creating and initialize a Document object providing "html", type, request, - response, browsingContext, incumbentNavigationOrigin, - and activeDocumentNavigationOrigin.

        4. + response, browsingContext, sandboxFlags, + incumbentNavigationOrigin, and activeDocumentNavigationOrigin.

        5. Create an HTML parser and associate it with the document. Act as if the tokenizer had emitted a start tag token with the tag name "pre" followed by a single @@ -84584,15 +84590,15 @@ new PaymentRequest(…); // Allowed to use

          When an image, video, or audio resource is to be loaded in a browsing context, provided browsingContext, request, response, - incumbentNavigationOrigin, and activeDocumentNavigationOrigin, the user - agent should: + sandboxFlags, incumbentNavigationOrigin, and + activeDocumentNavigationOrigin, the user agent should:

          1. Let document be the result of creating and initialize a Document object providing "html", type, request, - response, browsingContext, incumbentNavigationOrigin, and - activeDocumentNavigationOrigin.

          2. + response, browsingContext, sandboxFlags, + incumbentNavigationOrigin, and activeDocumentNavigationOrigin.

          3. Append an html element to document.

          4. @@ -84650,15 +84656,15 @@ new PaymentRequest(…); // Allowed to use

            When a resource that requires an external resource to be rendered is to be loaded in a browsing context, provided browsingContext, request, - response, incumbentNavigationOrigin, and + response, sandboxFlags, incumbentNavigationOrigin, and activeDocumentNavigationOrigin, the user agent should:

            1. Let document be the result of creating and initialize a Document object providing "html", type, request, - response, browsingContext, incumbentNavigationOrigin, and - activeDocumentNavigationOrigin.

            2. + response, browsingContext, sandboxFlags, + incumbentNavigationOrigin, and activeDocumentNavigationOrigin.

            3. Mark document as being a plugin document

            4. @@ -84706,10 +84712,10 @@ new PaymentRequest(…); // Allowed to use

              When the user agent is to display a user agent page inline in a browsing context, the user agent should create and initialize a Document object providing "html", "text/html", null, null, browsingContext, null, and null, and then - either associate that Document with a custom rendering that is not rendered using the - normal Document rendering rules, or mutate that Document until it - represents the content the user agent wants to render.

              + data-x="">text/html", null, null, browsingContext, an empty set, null, and null, + and then either associate that Document with a custom rendering that is not rendered + using the normal Document rendering rules, or mutate that Document until + it represents the content the user agent wants to render.
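Review bot: in the create and initialize a Document hunk, "Let finalSandboxFlags be the union of sandboxFlags and response's forced sandboxing flag set" reads response unconditionally, but the user agent page hunk at the end of this patch calls the algorithm with null for response ("null, null, browsingContext, an empty set, null, and null"), and the later step "If request is non-null, then set document's URL" shows request is already guarded for exactly this case. Guard response the same way, e.g. "Let finalSandboxFlags be sandboxFlags. If response is non-null, then set finalSandboxFlags to the union of finalSandboxFlags and response's forced sandboxing flag set."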
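Review bot: passing "an empty set" in the user agent page hunk changes behaviour rather than merely plumbing the new argument: before this patch the algorithm computed the flags itself from browsingContext, so a user agent page displayed inline in a sandboxed iframe inherited the frame's sandboxing flags, whereas after it such a page ends up with an empty active sandboxing flag set. If that is intended, say so in the text; otherwise pass "the result of determining active sandboxing flags given browsingContext", matching the snapshot taken in navigate.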
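Review bot: the lines rewritten in the text files, media and plugin hunks still read "the result of creating and initialize a Document object", while the HTML document hunk says "creating and initializing"; since these lines are touched anyway, fix the wording to match.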
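The race the commit message describes, as an added model in JavaScript that is not spec text and not code from the HTML repository: a navigation starts while the iframe is fully sandboxed, the embedder relaxes the sandbox attribute before the response arrives, and the new document's active sandboxing flag set is computed either at document creation (the pre-patch reading) or from a snapshot taken at the start of navigate (this patch), in both cases unioned with the response's forced sandboxing flag set. The flag names, the `Iframe` and `navigate` helpers, the parent-flags field and the simplified CSP `sandbox` parsing are assumptions of the example, not the spec's definitions.

```javascript
'use strict';
// Added example (not spec text): a small model of the ordering this patch
// specifies, used to show the race the commit message describes. Flag names,
// class names and the CSP parsing are illustrative simplifications.

// A few sandboxing flags, modelled as strings (the real set is larger).
const FLAGS = ['scripts', 'forms', 'top-navigation', 'same-origin'];

const union = (a, b) => new Set([...a, ...b]);

// Tokens such as "allow-scripts" clear the corresponding flag; every other
// flag in FLAGS stays set. Used for both the iframe sandbox attribute and a
// CSP "sandbox" directive value.
function flagsFromAllowTokens(value) {
  const allowed = new Set(
    value.split(/\s+/).filter(Boolean).map((t) => t.replace(/^allow-/, ''))
  );
  return new Set(FLAGS.filter((f) => !allowed.has(f)));
}

// Browsing context container: an <iframe> whose sandbox attribute is either
// absent (null) or a string of allow-* tokens.
class Iframe {
  constructor(sandboxAttr) { this.sandboxAttr = sandboxAttr; }
  iframeSandboxingFlagSet() {
    return this.sandboxAttr === null ? new Set() : flagsFromAllowTokens(this.sandboxAttr);
  }
}

// "determining active sandboxing flags given browsingContext": union of the
// container's flags and the parent document's active flags (model only).
function determineActiveSandboxingFlags(bc) {
  return union(bc.container.iframeSandboxingFlagSet(), bc.parentActiveSandboxingFlagSet);
}

// "forced sandboxing flag set" of a response: derived from a CSP sandbox
// directive, empty when there is none (simplified header parsing).
function forcedSandboxingFlagSet(response) {
  const csp = response.headers['content-security-policy'] || '';
  const m = /(?:^|;)\s*sandbox\b([^;]*)/i.exec(csp);
  return m ? flagsFromAllowTokens(m[1]) : new Set();
}

// The navigate steps. snapshotAtStart=true reads the flags before the
// algorithm continues "in parallel" (this patch); false reads them when the
// document is created, as before the patch.
function navigate(bc, { snapshotAtStart }) {
  const sandboxFlags = snapshotAtStart ? determineActiveSandboxingFlags(bc) : null;
  return {
    // "process a navigate response" -> "create and initialize a Document"
    processResponse(response) {
      const flags = sandboxFlags ?? determineActiveSandboxingFlags(bc);
      const finalSandboxFlags = union(flags, forcedSandboxingFlagSet(response));
      return { activeSandboxingFlagSet: [...finalSandboxFlags].sort() };
    },
  };
}

// The race: the embedder relaxes the sandbox attribute after navigation has
// started but before the response arrives. Returns the new document's flags.
function raceRelaxDuringNavigation({ snapshotAtStart, cspHeader }) {
  const bc = { container: new Iframe(''), parentActiveSandboxingFlagSet: new Set() };
  const pending = navigate(bc, { snapshotAtStart });            // fully sandboxed at start
  bc.container.sandboxAttr = 'allow-scripts allow-same-origin';  // mutated mid-flight
  const response = { headers: cspHeader ? { 'content-security-policy': cspHeader } : {} };
  return pending.processResponse(response).activeSandboxingFlagSet;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const snapshotAtStart of [false, true]) {
    console.log(snapshotAtStart ? 'snapshot at start:' : 'read at creation: ',
      raceRelaxDuringNavigation({ snapshotAtStart, cspHeader: null }));
  }
}
```

With the pre-patch ordering the mid-flight relaxation reaches the new document (it loses the `scripts` and `same-origin` flags), and a CSP `sandbox` directive on the response only partially repairs that; with the snapshot the document keeps the flags that were in force when navigation began. The snapshot cuts both ways: tightening the attribute after navigation has started does not reach that document either, and applies only to the next navigation.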