Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Spec] Overhaul 'restricting the text fragment' section #239

Merged
merged 3 commits into from
Dec 13, 2023
Merged

[Spec] Overhaul 'restricting the text fragment' section #239

merged 3 commits into from
Dec 13, 2023

Conversation

bokand
Copy link
Collaborator

@bokand bokand commented Nov 21, 2023
edited by pr-preview bot
Loading

The spec was using the sec-fetch-site request header to determine the initiator properties of the navigation, to use in security restrictions. However, request headers are appended only just prior to performing the fetch, this part of the algorithm operates on a clone of the request without headers so this doesn't work.

This PR fixes the issues and rearranges the checks to occur in the finalize a cross document navigation and navigate to a fragment steps, also enabling text directives from a same-document navigation (the behavior in both Safari and Chrome, see #240).

Fixes #179

Preview | Diff

@bokand
Copy link
Collaborator Author

bokand commented Nov 21, 2023

@annevk does this look right? In particular, I noticed that the "create and initialize a Document object" steps already check the source origin but in "navigate" we snapshot the source origin so I'm guessing it can change and the existing case for about:blank is special?

@bokand bokand requested a review from annevk November 21, 2023 19:30
@bokand bokand mentioned this pull request Nov 21, 2023
Closed
@bokand bokand force-pushed the fixSecFetchSite branch 2 times, most recently from b401390 to b012092 Compare November 21, 2023 22:34
@bokand
Use userInvolvement instead of sec-fetch-site
5c8f220 
sec-fetch-site was being checked for 'none' to indicate that a navigation was
initiated from browser UI. However, we cannot inspect request headers from this
part of the algorithm.

Instead, the navigate algorithm now has a userInvolvement parameter which
provides this information explicitly. Plumb that into navigation params and use
it instead.

Additionally, this change removes the top-level browsing context check from the
document's text directive user activation flag since that's a confusing place to
check it. Instead, move it to where this flag is being read and remove a
(now-obviously) redundant check below.
@bokand
Use initiatorOrigin instead of sec-fetch-site
3d3dbb3 
`sec-fetch-site: same-origin` was being checked to tell if a navigation was
initiated by a different origin. However, request headers can't be inspected at
this point of the algorithm.

Plumb through the initiatorOrigin parameter when loading a document and compare
that with navigation params's origin field, using the `is same site` steps.
@bokand
Enable same-document navigations
81c42d9 
The main change in this commit is that enables same-document navigations
(with restrictions) by moving the security checks to also happen from
the navigate to fragment. As part of this, we do a fairly substantial
clean up and refresh of the 'restricting a text fragment' section. The
summarized high level changes:

  * Split out the restrictions into a single set of 'check if a text
    directive can be scrolled' steps, taking the necessary input as
    parameters.
  * Remove the 'allow text fragment scroll` flag on Document, instead
    computing this value and passing it through various steps into
    'scroll to the fragment'.
  * The restriction is placed only on the 'scroll to the fragment'
    steps, meaning the text directive is still the 'indicated part' and
    can remain highlighted.

Partially addresses WICG#240
@bokand bokand changed the title [Spec] Fix sec fetch site inspection [Spec] Overhaul 'restricting the text fragment' section Nov 29, 2023
@bokand
Copy link
Collaborator Author

bokand commented Nov 29, 2023

Ping - I've built a bit more on top of this so it no longer performs the checks in the 'create and initialize a document object' steps.

(Please see also questions in whatwg/html#8282 (comment), if you'd rather review once this is "ready" for PR into HTML I can do that too)

@bokand
Copy link
Collaborator Author

bokand commented Dec 13, 2023

@annevk in the interest of making progress, and since I have a number of other changes and fixes that are blocked on this, I'm going to merge this as-is. This will still be reviewed as part of the HTML PR. Happy to make changes post-merge if you find any.

@bokand bokand merged commit 05cc693 into WICG:main Dec 13, 2023
1 check passed
@bokand bokand mentioned this pull request Dec 13, 2023
Closed
@bokand bokand deleted the fixSecFetchSite branch December 13, 2023 21:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@annevk annevk Awaiting requested review from annevk

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Sec-Fetch-Site header inspection is wrong
1 participant
@bokand