From cf06e4238355217215e7eae693561da5f3f68e2c Mon Sep 17 00:00:00 2001 From: Liam Brady Date: Sat, 26 Aug 2023 07:54:22 -0400 Subject: [PATCH] Make FencedFrameConfig IDL objects serializable (#111) --- spec.bs | 182 ++++++++++++++++++++++++++++++++++++-------------------- 1 file changed, 116 insertions(+), 66 deletions(-) diff --git a/spec.bs b/spec.bs index 19b3b53..cf8b504 100644 --- a/spec.bs +++ b/spec.bs @@ -456,9 +456,13 @@ The config IDL attribute getter 1. Let |urn uuid| be the given {{FencedFrameConfig}}'s [=fencedframeconfig/urn=]. + 1. Let |shared storage context| be the given {{FencedFrameConfig}}'s [=fencedframeconfig/ + sharedStorageContext=]. + 1. [=Navigate=] |element|'s [=fenced navigable container/fenced navigable=] to |urn uuid| using |element|'s [=Node/node document=], with [=historyHandling=] set to "`replace`" , and [=referrerPolicy=] set to "`no-referrer`". + behavior">`replace`", [=referrerPolicy=] set to "`no-referrer`", and + |shared storage context|. Note: See [[#navigation-changes]] for the <{fencedframe}>-specific changes to the ordinary navigation flow. 
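Review bot: In the updated [=Navigate=] step the new argument is appended as a bare `and |shared storage context|`, while the neighbouring arguments are bound by name (`[=historyHandling=] set to …`, `[=referrerPolicy=] set to …`). Binding it to the parameter this patch adds to the navigate algorithm, for example `and sharedStorageContext set to |shared storage context|`, makes it unambiguous which parameter receives the string set through setSharedStorageContext(). The getter's algorithm begins before this hunk.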
@@ -522,9 +526,10 @@ returned to the web platform in a constant amount of time, before any computatio depends on cross-site data. Because the privacy of this depends on the web platform not being able to discern when a pending config is finalized, it is important that all visibilities and values of transparent fields do not change from the pending config to the finalized config, given that they -can be inspected through {{FencedFrameConfig}}'s getters. Therefore, a {{FencedFrameConfig}} that -is created and exposed to the web platform is effectively immutable even if its underlying -[=fencedframeconfig/config=] is technically "pending", and will finish resolving completely later. +can be inspected through {{FencedFrameConfig}}'s getters. Therefore, a {{FencedFrameConfig}} that is +created and exposed to the web platform is effectively immutable even if the [=fenced frame config=] +represented by the [=fencedframe/config=]'s [=fencedframeconfig/urn=] is technically "pending", and +will finish resolving completely later. Each [=fenced frame config mapping=] has a maximum number of configs, which is implementation-defined. The [=fenced frame config mapping/maximum number of @@ -893,7 +898,7 @@ A fenced frame config is a [=struct=] with the following [=str :: a [=URL=] : visibility - :: a [=visibility=] + :: a [=fencedframeconfig/visibility=] : container size :: null, or a [=fencedframetype/size=] @@ -904,7 +909,7 @@ A fenced frame config is a [=struct=] with the following [=str :: a [=fencedframetype/size=] : visibility - :: a [=visibility=] + :: a [=fencedframeconfig/visibility=] : interest group descriptor :: null, or a [=struct=] with the following [=struct/items=]: @@ -912,7 +917,7 @@ A fenced frame config is a [=struct=] with the following [=str :: an [=fencedframetype/interest group descriptor=] : visibility - :: a [=visibility=] + :: a [=fencedframeconfig/visibility=] : on navigate callback :: null, or a series of steps 
@@ -923,7 +928,7 @@ A fenced frame config is a [=struct=] with the following [=str :: an [=fencedframetype/exhaustive set of sandbox flags=] : visibility - :: a [=visibility=] + :: a [=fencedframeconfig/visibility=] : effective enabled permissions :: null, or a [=struct=] with the following [=struct/items=]: @@ -931,7 +936,7 @@ A fenced frame config is a [=struct=] with the following [=str :: a [=list=] of [=policy-controlled features=] : visibility - :: a [=visibility=] + :: a [=fencedframeconfig/visibility=] Note: When non-null, this is a [=list=] of [=policy-controlled features=] that the generator of this config relies on exclusively being enabled inside the <{fencedframe}> that navigates to @@ -951,7 +956,7 @@ A fenced frame config is a [=struct=] with the following [=str :: a [=fencedframetype/fenced frame reporting metadata=] : visibility - :: a [=visibility=] + :: a [=fencedframeconfig/visibility=] : exfiltration budget metadata :: null, or a [=struct=] with the following [=struct/items=]: @@ -959,7 +964,7 @@ A fenced frame config is a [=struct=] with the following [=str :: an [=fencedframetype/exfiltration budget metadata=] : visibility - :: a [=visibility=] + :: a [=fencedframeconfig/visibility=] : nested configs :: null, or a [=struct=] with the following [=struct/items=]: @@ -967,7 +972,7 @@ A fenced frame config is a [=struct=] with the following [=str :: a [=list=] of [=fenced frame configs=] : visibility - :: a [=visibility=] + :: a [=fencedframeconfig/visibility=] : embedder shared storage context :: null, or a [=string=] @@ -1122,7 +1127,7 @@ maps to an internal [=fenced frame config=] [=struct=]. typedef (unsigned long or OpaqueProperty) FencedFrameConfigSize; typedef USVString FencedFrameConfigURL; - [Exposed=Window] + [Exposed=Window, Serializable] interface FencedFrameConfig { readonly attribute FencedFrameConfigSize? containerWidth; readonly attribute FencedFrameConfigSize? containerHeight; 
@@ -1141,60 +1146,80 @@ element with arbitrary URLs *not* produced by config-generating APIs for develop Each {{FencedFrameConfig}} has: * A urn, a [=urn uuid=] - * A config, a [=fenced frame config=] + * A sharedStorageContext, a [=string=] + * A containerWidth, a {{FencedFrameConfigSize}} or null + * A containerHeight, a {{FencedFrameConfigSize}} or null + * A contentWidth, a {{FencedFrameConfigSize}} or null + * A contentHeight, a {{FencedFrameConfigSize}} or null
- The {{FencedFrameConfig/containerWidth}} IDL attribute getter steps are: - - 1. If [=this=]'s [=fencedframeconfig/config=]'s [=fenced frame config/container size=] is null, - return null. - - 1. Return [=this=]'s [=fencedframeconfig/config=]'s [=fenced frame config/container size=]'s - [=size/width=]. + The {{FencedFrameConfig/containerWidth}} IDL attribute getter steps are to return [=this=]'s + [=fencedframeconfig/containerWidth=].
- The {{FencedFrameConfig/containerHeight}} IDL attribute getter steps are: + The {{FencedFrameConfig/containerHeight}} IDL attribute getter steps are to return [=this=]'s + [=fencedframeconfig/containerHeight=]. +
- 1. If [=this=]'s [=fencedframeconfig/config=]'s [=fenced frame config/container size=] is null, - return null. +
+ The {{FencedFrameConfig/contentWidth}} IDL attribute getter steps are to return [=this=]'s + [=fencedframeconfig/contentWidth=]. +
- 1. Return [=this=]'s [=fencedframeconfig/config=]'s [=fenced frame config/container size=]'s - [=size/height=]. +
+ The {{FencedFrameConfig/contentHeight}} IDL attribute getter steps are to return [=this=]'s + [=fencedframeconfig/contentHeight=].
-
- The {{FencedFrameConfig/contentWidth}} IDL attribute getter steps are: +
+ The setSharedStorageContext(|contextString|) method steps + are to set [=this=]'s [=fencedframeconfig/sharedStorageContext=] to |contextString|. +
- 1. If [=this=]'s [=fencedframeconfig/config=]'s [=fenced frame config/content size=] is null, - return null. +
+ {{FencedFrameConfig}} objects are [=serializable objects=]. Their [=serialization steps=], given + |value|, |serialized|, and |forStorage| are: - 1. If [=this=]'s [=fencedframeconfig/config=]'s [=fenced frame config/content size=]'s [=content - size/visibility=] is "`transparent`", return the [=fenced frame - config/content size=]'s [=content size/value=]'s [=size/width=]. + 1. If |forStorage| is true, then throw a {{DataCloneError}} {{DOMException}}. + + 1. Set |serialized|.\[[Urn]] to |value|'s [=fencedframeconfig/urn=]. - 1. Otherwise, return the `"opaque"` {{OpaqueProperty}}. -
+ 1. Set |serialized|.\[[SharedStorageContext]] to |value|'s [=fencedframeconfig/ + sharedStorageContext=]. -
- The {{FencedFrameConfig/contentHeight}} IDL attribute getter steps are: + 1. Set |serialized|.\[[ContainerWidth]] to |value|'s [=fencedframeconfig/ + containerWidth=]. - 1. If [=this=]'s [=fencedframeconfig/config=]'s [=fenced frame config/content size=] is null, - return null. + 1. Set |serialized|.\[[ContainerHeight]] to |value|'s [=fencedframeconfig/ + containerHeight=]. + + 1. Set |serialized|.\[[ContentWidth]] to |value|'s [=fencedframeconfig/ + contentWidth=]. + + 1. Set |serialized|.\[[ContentHeight]] to |value|'s [=fencedframeconfig/ + contentHeight=]. - 1. If [=this=]'s [=fencedframeconfig/config=]'s [=fenced frame config/content size=]'s [=content - size/visibility=] is "`transparent`", return the [=fenced frame - config/content size=]'s [=content size/value=]'s [=size/height=]. - 1. Otherwise, return the `"opaque"` {{OpaqueProperty}}.
-
- The setSharedStorageContext(|contextString|) method steps +
+ Their [=deserialization steps=], given |serialized|, |value|, and targetRealm are: - 1. Set [=this=]'s [=fencedframeconfig/config=]'s [=fenced frame config/embedder shared storage - context=] to |contextString|. + 1. Initialize |value|'s [=fencedframeconfig/urn=] to |serialized|.\[[Urn]]. + + 1. Initialize |value|'s [=fencedframeconfig/sharedStorageContext=] to + |serialized|.\[[SharedStorageContext]]. + + 1. Initialize |value|'s [=fencedframeconfig/containerWidth=] to |serialized|.\[[ContainerWidth]]. + + 1. Initialize |value|'s [=fencedframeconfig/containerHeight=] to + |serialized|.\[[ContainerHeight]]. + + 1. Initialize |value|'s [=fencedframeconfig/contentWidth=] to |serialized|.\[[ContentWidth]]. + + 1. Initialize |value|'s [=fencedframeconfig/contentHeight=] to |serialized|.\[[ContentHeight]].

The {{Fence}} interface
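Review bot: The new `sharedStorageContext` item is declared as `a [=string=]`, but the values that flow through it in this patch are nullable. The struct field it is initialized from is `null, or a [=string=]`, and the navigate parameter it is handed to is an optional string that defaults to null. Declaring it as `a [=string=] or null` keeps the serialization and deserialization steps well-typed when no context was ever set. A short non-normative note after the deserialization steps would also help: say that only the urn and the already web-exposed size fields cross the serialization boundary, that an `"opaque"` size stays opaque on the receiving side, and what a receiving context should expect if the urn does not resolve there. Where the urn is resolved is outside this hunk.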

@@ -1314,8 +1339,28 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface. : [=fencedframeconfig/urn=] :: |urn| - : [=fencedframeconfig/config=] - :: |config| + : [=fencedframeconfig/sharedStorageContext=] + :: |config|'s [=fenced frame config/embedder shared storage context=] + + : [=fencedframeconfig/containerWidth=] + :: null if |config|'s [=fenced frame config/container size=] is null, otherwise |config|'s + [=fenced frame config/container size=]'s [=size/width=] + + : [=fencedframeconfig/containerHeight=] + :: null if |config|'s [=fenced frame config/container size=] is null, otherwise |config|'s + [=fenced frame config/container size=]'s [=size/height=] + + : [=fencedframeconfig/contentWidth=] + :: null if |config|'s [=fenced frame config/content size=] is null, the `"opaque"` + {{OpaqueProperty}} if |config|'s [=fenced frame config/content size=]'s [=content + size/visibility=] is [=visibility/opaque=], otherwise |config|'s [=fenced frame + config/content size=]'s [=size/width=] + + : [=fencedframeconfig/contentHeight=] + :: null if |config|'s [=fenced frame config/content size=] is null, the `"opaque"` + {{OpaqueProperty}} if |config|'s [=fenced frame config/content size=]'s [=content + size/visibility=] is [=visibility/opaque=], otherwise |config|'s [=fenced frame + config/content size=]'s [=size/height=] 1. [=list/Append=] |newConfig| to |results|. @@ -2097,6 +2142,9 @@ CORP violation report=] algorithm, as leaving it unfenced may cause a privacy le
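Review bot: The `contentWidth` and `contentHeight` initializers expose the real size for any visibility that is not `[=visibility/opaque=]`, whereas the getters this commit removes returned the value only for a transparent visibility and otherwise fell back to the `"opaque"` {{OpaqueProperty}}. The two forms agree only while visibility has exactly two values. Keeping the default-opaque ordering (`the size if the visibility is transparent, otherwise the "opaque" {{OpaqueProperty}}`) avoids exposing a size if another visibility value is ever added. The transparent branch also reads `[=fenced frame config/content size=]'s [=size/width=]` directly, while the removed text went through `[=content size/value=]` first. The struct context in this patch still pairs the size with a visibility item, so that hop looks to have been dropped by accident and should be restored for both width and height. The enclosing algorithm starts and ends outside this hunk.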
+ Modify the definition of [[HTML]]'s [=navigate=] algorithm to include an extra parameter: an + optional [=string=] |sharedStorageContext| (default null). + Modify step 7 of [[HTML]]'s [=navigate=] algorithm to include the following condition: * |navigable| is a [=fenced navigable container/fenced navigable=]; @@ -2122,7 +2170,7 @@ CORP violation report=] algorithm, as leaving it unfenced may cause a privacy le /fenced-frame/fragment-navigation.https.html - Insert these steps immediately after step 16, the step that goes [=in parallel=], so that what + Insert these steps immediately after step 20, the step that goes [=in parallel=], so that what follows are the first steps that run [=in parallel=] in the patched algorithm: 1. If |url| is a [=urn uuid=] and |navigable| is a [=fenced navigable container/fenced @@ -2138,6 +2186,9 @@ CORP violation report=] algorithm, as leaving it unfenced may cause a privacy le any subsequent embedder-initiated navigations, should they occur, by the usual mechanism that tracks the [=navigable/ongoing navigation=]. + 1. Set |config|'s [=fenced frame config/embedder shared storage context=] to + |sharedStorageContext|. + 1. Set sourceSnapshotParams's [=source snapshot params/target fenced frame config=] to |config|. 
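Review bot: The added step `Set |config|'s [=fenced frame config/embedder shared storage context=] to |sharedStorageContext|` writes to |config| on every navigation, including with the default null, and it sits among the steps that run in parallel. If |config| at this point is the entry held in the fenced frame config mapping rather than a per-navigation copy (the lookup step is outside this hunk), two overlapping navigations to the same urn would share one mutable field. One embedder's context string could then end up attached to the other's frame, which matters more now that the object can be serialized to other contexts. Consider stating that the write applies to a copy of the config, or moving it onto the instantiated config. The parameter definition in the `@@ -2097` hunk could also note that the value is only consulted for urn navigations of a fenced navigable.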
@@ -2433,22 +2484,21 @@ directive wouldn't give web sites enough control over their CSP rules. Introduce *This introductory sub-section is non-normative.* The [=policy-controlled features=] available to {{Document}}s inside of a <{fencedframe}> are -determined exclusively by the {{FencedFrameConfig}} that the <{fencedframe}> navigates to. -Specifically, the {{FencedFrameConfig}}'s [=fencedframeconfig/config=]'s [=fenced frame -config/effective enabled permissions=] defines the exclusive list of [=policy-controlled features=] -that will be enabled in the {{Document}} (all others will be disabled). - -During navigation, the {{FencedFrameConfig}}'s [=fencedframeconfig/config=] [=instantiate a -config|instantiates=] a [=browsing context/fenced frame config instance=] that is stored on the -[=browsing context=] in the [=fenced navigable container/fenced navigable=]. This browsing context's -[=browsing context/fenced frame config instance=]'s [=fenced frame config instance/effective enabled -permissions=] is consulted [=Should navigation response to navigation request be blocked by -Permissions Policy?|during navigation=]. A <{fencedframe}> navigation can only succeed if the -[=Document/permissions policy=] for the navigation's resulting {{Document}} has an [=permissions -policy/inherited policy=] such that the [=inherited policy for a feature|inherited policy value=] is -"`Enabled`" for each feature in the [=fenced frame config/effective enabled permissions=]. Otherwise -the environment the <{fencedframe}> is embedded in is deemed unsuitable for the [=fenced frame -config=], and the navigation is blocked. +determined exclusively by the [=fenced frame config=] that the <{fencedframe}> navigates to. +Specifically, the [=fenced frame config=]'s [=fenced frame config/effective enabled permissions=] +defines the exclusive list of [=policy-controlled features=] that will be enabled in the +{{Document}} (all others will be disabled). 
+ +During navigation, the [=fenced frame config=] [=instantiate a config|instantiates=] a [=browsing +context/fenced frame config instance=] that is stored on the [=browsing context=] in the [=fenced +navigable container/fenced navigable=]. This browsing context's [=browsing context/fenced frame +config instance=]'s [=fenced frame config instance/effective enabled permissions=] is consulted +[=Should navigation response to navigation request be blocked by Permissions Policy?|during +navigation=]. A <{fencedframe}> navigation can only succeed if the [=Document/permissions policy=] +for the navigation's resulting {{Document}} has an [=permissions policy/inherited policy=] such that +the [=inherited policy for a feature|inherited policy value=] is "`Enabled`" for each feature in the +[=fenced frame config/effective enabled permissions=]. Otherwise the environment the <{fencedframe}> +is embedded in is deemed unsuitable for the [=fenced frame config=], and the navigation is blocked. At the same time, to make sure that a <{fencedframe}>'s embedder does not directly influence content in the frame based on that navigation's [=navigation params/origin=] (since the origin is derived