w3c / webappsec-secure-contexts

WebAppSec Secure Contexts
https://w3c.github.io/webappsec-secure-contexts/

"about:blank" or "about:srcdoc" with query string or fragment should be potentially trustworthy #81

Open fred-wang opened 3 years ago

fred-wang commented 3 years ago

From https://w3c.github.io/webappsec-secure-contexts/#is-url-trustworthy

If url is "about:blank" or "about:srcdoc" return "Potentially Trustworthy".

I think the spec is not really explicit here (compare with other places where we talk about host component or scheme), but I understand the intention is to accept query string or fragment too.

So maybe it should be

if the url is made of an "about" scheme, a path matching "blank" or "srcdoc" and optional query/fragment then return "Potentially Trustworthy".

(Note: Chromium currently just checks if the scheme is "about" but ideally it should use these

https://source.chromium.org/chromium/chromium/src/+/master:url/gurl.h;l=216;drc=5607fbe5f50d8539be9f26e36a5c2517fc18fad7

which accepts query string or fragment.)
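The three readings compared in the comment above, side by side. This is an added example, not code from the spec, Chromium, or the issue participants; the function names and sample URLs are constructed, and it covers only the `about:` step, not the rest of the trustworthiness algorithm.

```javascript
// Added illustration; all function names here are hypothetical.

function parse(input) {
  try { return new URL(input); } catch { return null; }
}

// Literal reading of the current spec sentence: the URL string must be
// exactly "about:blank" or "about:srcdoc".
function literalMatch(input) {
  return input === "about:blank" || input === "about:srcdoc";
}

// Scheme-only check, which is how the issue describes Chromium's behaviour.
function schemeOnly(input) {
  const url = parse(input);
  return url !== null && url.protocol === "about:";
}

// Proposed wording: "about" scheme, path "blank" or "srcdoc",
// query string and fragment optional and ignored.
function proposedMatch(input) {
  const url = parse(input);
  if (url === null || url.protocol !== "about:") return false;
  return url.pathname === "blank" || url.pathname === "srcdoc";
}

// Constructed sample inputs.
const SAMPLES = [
  "about:blank",
  "about:srcdoc",
  "about:blank?something",
  "about:srcdoc#frag",
  "about:blank?q=1#frag",
  "about:config",     // other about: pages: only the scheme-only check accepts
  "about:blankets",   // path must match exactly, not by prefix
  "about://blank",    // "blank" parses as a host here, the path is empty
  "https://example.com/about:blank",
];

function compare(samples = SAMPLES) {
  return samples.map((s) => ({
    url: s,
    literal: literalMatch(s),
    schemeOnly: schemeOnly(s),
    proposed: proposedMatch(s),
  }));
}

console.table(compare());
```

The literal reading rejects `about:blank?something`, the scheme-only check accepts every `about:` URL including `about:config`, and the proposed wording sits between the two.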

fred-wang commented 3 years ago

@annevk @mikewest Any opinion on this?

annevk commented 3 years ago

This sounds reasonable. HTML does some checks for about:blank too and I've wondered about this same thing, but never gotten around to writing tests and such.

(Fetch does do the thing you suggest at https://fetch.spec.whatwg.org/#concept-scheme-fetch and I suspect we want to adopt the same language.)

annevk commented 3 years ago

Did you write tests for this by any chance @fred-wang? I can take care of updating the specification.

fred-wang commented 3 years ago

@annevk Only internal C++ tests for Chromium.

fred-wang commented 3 years ago

> Did you write tests for this by any chance @fred-wang? I can take care of updating the specification.

@annevk IIUC, one reviewer mentioned this is probably not web-observable, so not sure we need to or can write WPT tests...

annevk commented 3 years ago

It should be possible to navigate a browsing context to about:blank?something, no?

I do think that, as I mentioned elsewhere, this should probably not end up as a secure context because of that, but rather because of who did the navigating. So ultimately this might indeed not be testable much.