Closed bokand closed 8 months ago
@annevk does this look right? In particular, I noticed that the "create and initialize a Document object" steps already check the source origin but in "navigate" we snapshot the source origin so I'm guessing it can change and the existing case for about:blank is special?
Ping - I've built a bit more on top of this so it no longer performs the checks in the 'create and initialize a document object' steps.
(Please see also questions in https://github.com/whatwg/html/issues/8282#issuecomment-1830061794, if you'd rather review once this is "ready" for PR into HTML I can do that too)
@annevk in the interest of making progress, and since I have a number of other changes and fixes that are blocked on this, I'm going to merge this as-is. This will still be reviewed as part of the HTML PR. Happy to make changes post-merge if you find any.
The spec was using the `sec-fetch-site` request header to determine the initiator properties of the navigation, to use in security restrictions. However, request headers are appended only just prior to performing the fetch; this part of the algorithm operates on a clone of the request without headers, so this doesn't work.
This PR fixes the issues and rearranges the checks to occur in the "finalize a cross document navigation" and "navigate to a fragment" steps, also enabling text directives from a same-document navigation (the behavior in both Safari and Chrome, see #240).
Fixes #179