Use "navigation request's policy container's CSP list" instead of "navigation request's client's global object's CSP list" #692
Conversation
…vigation request's client's global object's CSP list" Complements #494 in order make the spec consistent. Preparation to fix whatwg/html#4651.
|
I think the problem with this is that navigation request's policy container is initially "client" and is only updated to the source document's policy container thing during fetch (https://fetch.spec.whatwg.org/#concept-request-policy-container), while javascript: url navigations do not go through fetch. I think if you want this to work you need to set navigation request's policy container before this check is called from html. Or am I missing anything? |
Correct. There seems to be another issue, which should be addressed outside of this PR: The request's policy container is set only in 1, step 12. "should navigation request of type be blocked by Content Security Policy?" is called from 2, step 19.3. 1 is called from step 19.5 of 2. So during the first iteration of the while-loop at step 19 of 2, the request's policy container will be its default value, "client". 3 doesn't handle "client", though.
Yes. The call from html, 4, step 5 is already broken since the request's client isn't set. A corrective way forward here would be to merge this PR only together with setting the navigation request's policy container in the HTML spec. WDYT?
Footnotes |
|
Right! Thanks for the deep investigation, this makes sense to me. I agree the best thing is to set navigation request's policy container in html before calling the CSP check. |
ciaramcmullin
added
agenda+
Complements #494 in order to make the spec consistent.
Preparation for fixing whatwg/html#4651.
Preview | Diff