Ensure PDF browsing contexts have no DOM

Previously, the spec allowed either the "page load processing model for content that uses plugins" or the "page load processing model for inline content that doesn't have a DOM" to be used for PDFs. The observable difference was that plugin documents could be same-origin to their containing page, allowing the containing page to observe the <embed> element etc. Since Firefox manages to get away with the "no DOM" path, and that path is simpler, we make it the only allowed path. This also fixes a few bugs in the no-DOM processing model: * If it was reached for the PDF case, there was no check to disallow viewing the PDF in a sandboxed browsing context. * It was passing a null request to the Document creation algorithm, which was not allowed. * It would lose the history handling behavior, so it would not properly do replace navigations if requested. * It would lose the navigation id, so it would not properly signal the results to WebDriver BiDi. * It was missing a few other navigation params fields.
whatwg · Aug 30, 2021 · b23a5c9 · b23a5c9
1 parent c2bcadd
commit b23a5c9
Showing 1 changed file with 66 additions and 96 deletions.
diff --git a/source b/source
@@ -86540,8 +86540,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
      is neither "<code data-x="javascript protocol">javascript</code>" nor a <span>fetch
      scheme</span></dt>
      <dd><p>Run <span>process a navigate URL scheme</span> given <var>resource</var>'s <span
-     data-x="concept-request-url">URL</span>, <var>browsingContext</var>, and
-     <var>hasTransientActivation</var>.</p></dd>
+     data-x="concept-request-url">URL</span>, <var>browsingContext</var>, <var>navigationId</var>,
+     <var>historyHandling</var>, and <var>hasTransientActivation</var>.</p></dd>
     </dl>
    </li>
   </ol>
@@ -86807,7 +86807,10 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
     <ol>
      <li><p><span>Process a navigate URL scheme</span> given <var>locationURL</var>,
-     <var>browsingContext</var>, and <var>hasTransientActivation</var>.</p></li>
+     <var>browsingContext</var>, <var>navigationParams</var>'s <span
+     data-x="navigation-params-id">id</span>, <var>navigationParams</var>'s <span
+     data-x="navigation-params-hh">history handling</span>, and
+     <var>hasTransientActivation</var>.</p></li>
 
      <li><p>Return.</p></li>
     </ol>
@@ -86891,7 +86894,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
     <ol>
      <li><p><span data-x="navigate-ua-inline">Display the inline content with an appropriate error
-     shown to the user</span> given <var>browsingContext</var>.</p></li>
+     shown to the user</span> given <var>browsingContext</var>, <var>navigationParams</var>'s <span
+     data-x="navigation-params-id">id</span>, and <var>navigationParams</var>'s <span
+     data-x="navigation-params-hh">history handling</span>.</p></li>
 
      <li><p>Run the <span data-x="environment discarding steps">environment discarding steps</span>
      for <var>navigationParams</var>'s <span
@@ -86983,14 +86988,18 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
      <dt>"<code data-x="">application/pdf</code>"</dt>
      <dt>"<code data-x="">text/pdf</code>"</dt>
      <dd>
-      <p>If the user agent's <span>PDF viewer supported</span> is true, then either follow the steps
-      given in the <span data-x="navigate-plugin">plugin</span> section providing
-      <var>navigationParams</var> and <var>type</var>, or <span data-x="navigate-ua-inline">display
-      the inline content</span> given <var>browsingContext</var>. Once the steps have completed,
-      return.</p>
-
-      <p class="XXX">See <a href="https://github.com/whatwg/html/issues/6003">issue #6003</a> for
-      discussion on picking one of these two behaviors to standardize.</p>
+      <p>If <var>navigationParams</var>'s <span data-x="navigation-params-sandboxing">final
+      sandboxing flag set</span> does not have its <span>sandboxed plugins browsing context
+      flag</span> set, then <span data-x="navigate-ua-inline">display an appropriate error
+      message</span> given <var>browsingContext</var>, <var>navigationParams</var>'s <span
+      data-x="navigation-params-id">id</span>, and <var>navigationParams</var>'s <span
+      data-x="navigation-params-hh">history handling</span>.</p>
+
+      <p>Otherwise, if the user agent's <span>PDF viewer supported</span> is true, then <span
+      data-x="navigate-ua-inline">display the PDF inline in a viewer</span> given
+      <var>browsingContext</var>, <var>navigationParams</var>'s <span
+      data-x="navigation-params-id">id</span>, and <var>navigationParams</var>'s <span
+      data-x="navigation-params-hh">history handling</span>.</p>
 
       <p>Otherwise, proceed onward.</p>
      </dd>
@@ -87011,11 +87020,13 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
     the user agent has a dedicated handler.</p>
    </li>
 
-   <li id="navigate-non-Document"><p>If, given <var>type</var>, the new resource is to be handled by
-   displaying some sort of inline content, e.g., a native rendering of the content or an error
+   <li id="navigate-non-Document"><p>If, given <var>type</var>, the new resource is to be handled
+   by displaying some sort of inline content, e.g., a native rendering of the content or an error
    message because the specified type is not supported, then <span
-   data-x="navigate-ua-inline">display the inline content</span> given <var>browsingContext</var>,
-   and then return.</p></li>
+   data-x="navigate-ua-inline">display the inline content</span>  given <var>browsingContext</var>,
+   <var>navigationParams</var>'s <span data-x="navigation-params-id">id</span>, and
+   <var>navigationParams</var>'s <span data-x="navigation-params-hh">history handling</span>, and
+   then return.</p></li>
 
    <li><p>Otherwise, the document's <var>type</var> is such that the resource will not affect
    <var>browsingContext</var>, e.g., because the resource is to be handed to an external application
@@ -87028,8 +87039,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
   </ol>
 
   <p>To <dfn>process a navigate URL scheme</dfn>, given a <span>URL</span> <var>url</var>, a
-  <span>browsing context</span> <var>browsingContext</var>, and a boolean
-  <var>hasTransientActivation</var>:</p>
+  <span>browsing context</span> <var>browsingContext</var>, a <span
+  data-x="navigation-id">navigation id</span> <var>navigationId</var>, a <span>history handling
+  behavior</span> <var>historyHandling</var>, and a boolean <var>hasTransientActivation</var>:</p>
 
   <ol>
    <li><p>If <var>url</var> is to be handled using a mechanism that does not affect
@@ -87042,7 +87054,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
     an error message because the specified scheme is not one of the supported protocols, or an
     inline prompt to allow the user to select <span data-x="dom-navigator-registerProtocolHandler">a
     registered handler</span> for the given scheme. <span data-x="navigate-ua-inline">Display the
-    inline content</span> given <var>browsingContext</var>.</p>
+    inline content</span> given <var>browsingContext</var>, <var>navigationId</var>, and
+    <var>historyHandling</var>.</p>
 
     <p class="note">In the case of a registered handler being used, <span>navigate</span> will be
     invoked with a new URL.</p>
@@ -87810,97 +87823,54 @@ new PaymentRequest(&hellip;); // Allowed to use
   data-x="attr-media-autoplay">autoplay</span>.</p>
 
 
-  <h4 id="read-plugin"><dfn data-x="navigate-plugin">Page load processing model for content that uses plugins</dfn></h4>
+  <h4 id="read-ua-inline"><span id="read-ua-plugin"></span><span id="navigate-plugin"></span><dfn
+  data-x="navigate-ua-inline">Page load processing model for inline content that doesn't have a
+  DOM</dfn></h4>
 
-  <p>When a resource that requires an external resource to be rendered is to be loaded, provided
-  <span>navigation params</span> <var>navigationParams</var> and a string <var>type</var>, the user
-  agent should:
+  <p>When the user agent is to display a user agent page or PDF viewer inline, provided a
+  <span>browsing context</span> <var>browsingContext</var>, a <span
+  data-x="navigation-id">navigation id</span> <var>navigationId</var>, and a <span>history handling
+  behavior</span> <var>historyHandling</var>, the user agent should:</p>
 
   <ol>
-   <li><p>Let <var>document</var> be the result of <span
-   data-x="create-the-document-object">creating and initializing a <code>Document</code>
-   object</span> given "<code data-x="">html</code>", <var>type</var>, and
-   <var>navigationParmas</var>.</p></li>
-
-   <li><p>Set <var>document</var>'s <span data-x="concept-document-mode">mode</span>
-   to "<code data-x="">no-quirks</code>".</p></li>
-
-   <li><p>Mark <var>document</var> as being a <dfn>plugin document</dfn></p></li>
-
-   <li><p>Append an <code>html</code> element to <var>document</var>.</p></li>
-
-   <li><p>Append a <code>head</code> element to the <code>html</code> element.</p></li>
-
-   <li><p>Append a <code>body</code> element to the <code>html</code> element.</p></li>
-
-   <li><p>Append an <code>embed</code> to the <code>body</code> element.</p></li>
-
-   <li><p>Set the <code data-x="attr-embed-src">src</code> attribute of the <code>embed</code>
-   element to the address of the resource.</p></li>
-  </ol>
-
-  <p class="note">The term <span>plugin document</span> is used by
-  <cite>Content Security Policy</cite> as part of the mechanism that ensures <code>iframe</code>s
-  can't be used to evade <code data-x="">plugin-types</code> directives. <ref spec=CSP></p>
-
-  <!-- next three paragraphs are similar to the navigate-text section, keep them in sync -->
-
-  <p>Then, the user agent must act as if it had <span data-x="stop parsing">stopped
-  parsing</span>.</p>
-
-  <p>After creating the <code>Document</code> object, but potentially before the page has finished
-  fully loading, the user agent must <span>update the session history with the new page</span> given
-  <var>navigationParams</var> and the newly-created <code>Document</code>.</p>
-
-  <p>User agents may add content to the <code>head</code> element of the <code>Document</code>, or
-  attributes to the <code>embed</code> element, e.g. to link to a style sheet or to give the
-  document a <code>title</code>.</p>
-
-  <p class="note" id="sandboxPluginNavigate">If the <code>Document</code>'s <span>active sandboxing
-  flag set</span> has its <span>sandboxed plugins browsing context flag</span> set, the synthesized
-  <code>embed</code> element will <a href="#sandboxPluginEmbed">fail to render the content</a>.</p>
-
-
-  <h4 id="read-ua-inline"><dfn data-x="navigate-ua-inline">Page load processing model for inline
-  content that doesn't have a DOM</dfn></h4>
-
-  <p>When the user agent is to display a user agent page inline, provided a <span>browsing
-  context</span> <var>browsingContext</var>, the user agent should:</p>
-
-  <ol>
-   <li>
-    <p>Let <var>navigationParams</var> be a new <span>navigation params</span> whose <span
-    data-x="navigation-params-request">request</span> is null, <span
-    data-x="navigation-params-response">response</span> is null, <span
-    data-x="navigation-params-origin">origin</span> is a new <span
-    data-x="concept-origin-opaque">opaque origin</span>, <span
-    data-x="navigation-params-sandboxing">final sandboxing flag set</span> is an empty set, <span
-    data-x="navigation-params-coop">cross-origin opener policy</span> is a new <span>cross-origin
-    opener policy</span>, <span data-x="navigation-params-coop-enforcement-result">COOP enforcement
-    result</span> is a new <span data-x="coop-enforcement-result">cross-origin opener policy
-    enforcement result</span>, <span
-    data-x="navigation-params-reserved-environment">reserved environment</span> is null, and <span
-    data-x="navigation-params-browsing-context">browsing context</span> is
-    <var>browsingContext</var>.</p>
-
-    <p class="XXX">The algorithm called in the next step is not prepared to deal with a null <span
-    data-x="navigation-params-response">response</span>. Probably we should synthesize one
-    instead.</p>
-   </li>
+   <li><p>Let <var>navigationParams</var> be a new <span>navigation params</span> whose <span
+   data-x="navigation-params-id">id</span> is <var>navigationId</var>, <span
+   data-x="navigation-params-request">request</span> is null, <span
+   data-x="navigation-params-response">response</span> is a new <span
+   data-x="concept-response">response</span>, <span data-x="navigation-params-origin">origin</span>
+   is a new <span data-x="concept-origin-opaque">opaque origin</span>, <span
+   data-x="navigation-params-policy-container">policy container</span> is a new <span>policy
+   container</span>, <span data-x="navigation-params-sandboxing">final sandboxing flag set</span>
+   is an empty set, <span data-x="navigation-params-coop">cross-origin opener policy</span> is a
+   new <span>cross-origin opener policy</span>, <span
+   data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is a new <span
+   data-x="coop-enforcement-result">cross-origin opener policy enforcement result</span>, <span
+   data-x="navigation-params-reserved-environment">reserved environment</span> is null, <span
+   data-x="navigation-params-browsing-context">browsing context</span> is
+   <var>browsingContext</var>, <span data-x="navigation-params-hh">history handling</span> is
+   <var>historyHandling</var>, and <span data-x="navigation-params-has-cross-origin-redirects">has
+   cross-origin redirects</span> is false.</p></li>
 
    <li><p>Let <var>document</var> be the result of <span
    data-x="create-the-document-object">creating and initializing a <code>Document</code>
    object</span> given "<code data-x="">html</code>", "<code data-x="">text/html</code>", and
    <var>navigationParams</var>.</p></li>
 
-   <li><p>Set <var>document</var>'s <span data-x="concept-document-mode">mode</span>
-   to "<code data-x="">no-quirks</code>".</p></li>
-
    <li><p>Either associate <var>document</var> with a custom rendering that is not rendered using
    the normal <code>Document</code> rendering rules, or mutate <var>document</var> until it
    represents the content the user agent wants to render.</p>
   </ol>
 
+  <p class="note">Because we ensure the resulting <code>Document</code>'s <span
+  data-x="concept-document-origin">origin</span> is <span
+  data-x="concept-origin-opaque">opaque</span>, and the resulting <code>Document</code> cannot run
+  script with access to the DOM, the existence and properties of this <code>Document</code> are not
+  observable to web developer code. This means that most of the above values, e.g., the
+  <code>text/html</code> <span data-x="concept-document-type">type</span>, do not matter.
+  Similarly, most of the items in <var>navigationParams</var> don't have any observable effect,
+  besides preventing the <span data-x="create-the-document-object"><code>Document</code>-creation
+  algorithm</span> from getting confused, and so are set to default values.</p>
+
   <!-- next two paragraphs are similar to the navigate-text section, keep them in sync -->
 
   <p>Once the page has been set up, the user agent must act as if it had <span data-x="stop