Replace Request.type based logic with Request.destination #231
Conversation
index.src.html
Outdated
| @@ -1901,8 +1899,7 @@ <h5 algorithm id="connect-src-pre-request"> | |||
| 1. Assert: |policy| is unused. | |||
|
|
|||
| 2. If |request|'s <a for="request">initiator</a> is "`fetch`", or its | |||
There was a problem hiding this comment.
No comma needed before or anymore.
index.src.html
Outdated
| @@ -1922,8 +1919,7 @@ <h5 algorithm id="connect-src-post-request"> | |||
| 1. Assert: |policy| is unused. | |||
|
|
|||
| 2. If |request|'s <a for="request">initiator</a> is "`fetch`", or its | |||
There was a problem hiding this comment.
No comma needed before or anymore.
| @@ -2169,7 +2165,7 @@ <h5 algorithm id="frame-src-pre-request"> | |||
|
|
|||
| 1. Assert: |policy| is unused. | |||
|
|
|||
| 2. If |request|'s <a for="request">type</a> is "`document`" and | |||
There was a problem hiding this comment.
This seems like it was already bogus. "document" was never a request type.
There was a problem hiding this comment.
Yeah, but with destination that works, right?
There was a problem hiding this comment.
Yeah, would be good to get @mikewest to double check though. Might also want to note this in the eventual commit message.
There was a problem hiding this comment.
Yeah, it looks like this should have been destination all along. Glad you caught it!
index.src.html
Outdated
| @@ -2305,8 +2301,7 @@ <h5 algorithm id="manifest-src-pre-request"> | |||
|
|
|||
| 1. Assert: |policy| is unused. | |||
|
|
|||
| 2. If |request|'s <a for="request">type</a> is "", and its | |||
| <a for="request">initiator</a> is "`manifest`": | |||
| 2. If |request|'s <a for="request">initiator</a> is "`manifest`": | |||
There was a problem hiding this comment.
This can use destination as well.
There was a problem hiding this comment.
(Perhaps we should drop "manifest" and "xslt" as initiator. Initiator is only there for when it's different from another column.)
There was a problem hiding this comment.
changing to destination
index.src.html
Outdated
| @@ -2325,8 +2320,7 @@ <h5 algorithm id="manifest-src-post-request"> | |||
|
|
|||
| 1. Assert: |policy| is unused. | |||
|
|
|||
| 2. If |request|'s <a for="request">type</a> is "", and its | |||
| <a for="request">initiator</a> is "`manifest`": | |||
| 2. If |request|'s <a for="request">initiator</a> is "`manifest`": | |||
There was a problem hiding this comment.
This can use destination as well.
There was a problem hiding this comment.
changing to destination
index.src.html
Outdated
| @@ -2546,7 +2538,7 @@ <h5 algorithm id="script-src-pre-request"> | |||
|
|
|||
| Note: If `worker-src` is present, we'll defer to it when handling worker requests. | |||
|
|
|||
| 2. If |request|'s <a for="request">type</a> is "`script`": | |||
| 2. If |request|'s <a for="request">destination</a> is a for="request">script-like destination</a>: | |||
index.src.html
Outdated
| @@ -2620,7 +2612,7 @@ <h5 algorithm id="script-src-post-request"> | |||
|
|
|||
| Note: If `worker-src` is present, we'll defer to it when handling worker requests. | |||
|
|
|||
| 2. If |request|'s <a for="request">type</a> is "`script`": | |||
| 2. If |request|'s <a for="request">destination</a> is a for="request">script-like destination</a>: | |||
index.src.html
Outdated
| the empty string, return `connect-src`. | ||
| : "`manifest`" | ||
| :: | ||
| 1. If the |request|'s <a for="request">initiator</a> is | ||
| "`manifest`", return `manifest-src`. |
There was a problem hiding this comment.
Again, it doesn't seem like we need initiator for this case anymore.
There was a problem hiding this comment.
ok, returning manifest-src regardless of initiator.
| @@ -3778,20 +3772,14 @@ <h5 id="effective-directive-for-a-request" algorithm> | |||
| 1. Return `style-src`. | |||
|
|
|||
| : "`script`" | |||
| : "`xslt`" | |||
| :: | |||
| 1. Return `script-src`. | |||
There was a problem hiding this comment.
This seems like new behavior for "xslt".
There was a problem hiding this comment.
Yeah, but seems like the intended behavior based on https://w3c.github.io/webappsec-csp/#directive-script-src
There was a problem hiding this comment.
Hrm. Yes, you're both right: this wasn't in the doc, but it should have been.
index.src.html
Outdated
| : "`worker`" | ||
| :: | ||
| 1. Return `worker-src`. | ||
| 1. Return `child-src`. |
There was a problem hiding this comment.
should've been worker-src (and we should update the table at https://fetch.spec.whatwg.org/#concept-request-destination)
| @@ -2169,7 +2165,7 @@ <h5 algorithm id="frame-src-pre-request"> | |||
|
|
|||
| 1. Assert: |policy| is unused. | |||
|
|
|||
| 2. If |request|'s <a for="request">type</a> is "`document`" and | |||
There was a problem hiding this comment.
Yeah, it looks like this should have been destination all along. Glad you caught it!
| @@ -2374,7 +2368,7 @@ <h5 algorithm id="media-src-pre-request"> | |||
|
|
|||
| 1. Assert: |policy| is unused. | |||
|
|
|||
| 2. If |request|'s <a for="request">type</a> is one of "`audio`", "`video`", | |||
| 2. If |request|'s <a for="request">destination</a> is one of "`audio`", "`video`", | |||
| or "`track`": | |||
There was a problem hiding this comment.
Hrm. I thought we had MIME type checks hanging off of the distinction of audio vs video vs track. Skimming through Fetch, though, I don't see them.
Still, would you mind keeping the distinctions for the moment? I have naive dreams of poking at mixed content checks for these types at some point as folks continue to transition to TLS. It would be nice to not have to go back and add the detail in that we already have now.
| @@ -2374,7 +2368,7 @@ <h5 algorithm id="media-src-pre-request"> | |||
|
|
|||
| 1. Assert: |policy| is unused. | |||
|
|
|||
| 2. If |request|'s <a for="request">type</a> is one of "`audio`", "`video`", | |||
| 2. If |request|'s <a for="request">destination</a> is one of "`audio`", "`video`", | |||
| or "`track`": | |||
There was a problem hiding this comment.
Oh. You mean introducing a new definition that wraps these three destinations up? Sure, I'm fine with that. It seems like a useful concept.
| @@ -3778,20 +3772,14 @@ <h5 id="effective-directive-for-a-request" algorithm> | |||
| 1. Return `style-src`. | |||
|
|
|||
| : "`script`" | |||
| : "`xslt`" | |||
| :: | |||
| 1. Return `script-src`. | |||
There was a problem hiding this comment.
Hrm. Yes, you're both right: this wasn't in the doc, but it should have been.
|
Relevant Fetch changes: whatwg/fetch#582 |
I haven't done this yet as I think we should probably find a second consumer of such functionality first. |
|
Changes to Fetch landed, Yoav assures me that IP weirdness is no longer weird, landing. Thanks! |
* 'master' of https://github.com/w3c/webappsec-csp: (209 commits) Fix a few typos (w3c#280) Introduce 'prefetch-src'. (w3c#283) Clarify navigation behavior for 'script-src'. Incorrect indentation of the navigation check algorithm. IDL amendments and small misc issues. (w3c#271) Regenerate HTMLs. Origin link. NoncedElement link. link up inline css issue (w3c#228) Replaced 'alias' with 'copy' for less ambiguity (w3c#273) Cleanup `global object` usage to make sense with `Documents` (w3c#254) Elements with duplicated attributes are not nonceable. s/not-example.com/example.org/ Linked testing policy and fixed a few links (w3c#263) Rebuild HTML. Fix linking errors to 'script-like' and 'applet'. Adds WorkletGlobalScope as a concept to CSP. (w3c#205) Slight correction of host matching description (w3c#251) Fixed ambigous grammar (w3c#250) Replace Request.type based logic with Request.destination (w3c#231) ...
As Fetch is eliminating Request.type (whatwg/fetch#582), this PR (tries to) replace the related logic to Request.destination.
At the same time, CSP had references to no-longer-existing destinations. I've aligned it with latest Fetch definitions.
Preview | Diff