whatwg / html

HTML Standard
https://html.spec.whatwg.org/multipage/

Initializing Feature Policy is racy #4783

Open dtapuska opened 5 years ago

dtapuska commented 5 years ago

The initialization of the feature policy occurs after the navigation completes. But while the child is being navigated it is possible the browser context's policy could change and then inheritance could be incorrect from when the navigation occurred.

See https://github.com/whatwg/html/pull/4772#issuecomment-512256128 and in w3c/webappsec-feature-policy#256

annevk commented 5 years ago

In particular, we should snapshot all necessary state for all policies at the time "navigate" is invoked. "Navigate" is always invoked from a stable point in time (we're getting rid of all remaining queue a task to navigate cases that are relevant for this afaik) and so it should be doable to get the necessary state from the source browsing context and navigated browsing context (the former should become the source document).

danyao commented 5 years ago

> In particular, we should snapshot all necessary state for all policies at the time "navigate" is invoked.

+1

https://bugs.chromium.org/p/chromium/issues/detail?id=972089#c4 is a concrete failure of this exact bug, where PaymentRequest is enabled in an iframe when it shouldn't be.
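A toy model of the race discussed in this thread, added here as an illustration and not code from the HTML Standard, Chromium, or any commenter. It assumes a simplified inheritance rule (a feature is enabled in the child only if the container's allow list names it) and a hypothetical feature name; it contrasts reading the container's policy when the navigation completes with snapshotting it when "navigate" is invoked.

```javascript
// Constructed example: a child browsing context inherits a feature's policy
// from the state of its container (e.g. <iframe allow="...">). If that state is
// read only when the navigation completes, a change made while the navigation
// is in flight leaks into the new document; snapshotting it when "navigate" is
// invoked pins inheritance to the moment the navigation occurred.

// Hypothetical feature name, for illustration only.
const FEATURE = "payment";

// Simplified inheritance rule (an assumption, not the spec's full algorithm).
function inheritedPolicy(containerAllow, feature) {
  return { [feature]: containerAllow.includes(feature) };
}

// Phase 1: "navigate" is invoked. With snapshotting, the container's allow
// list is copied now; without it, only a reference to the parent is kept.
function startNavigation(parent, snapshotAtNavigate) {
  return {
    parent,
    snapshot: snapshotAtNavigate ? [...parent.containerAllow] : null,
  };
}

// Phase 2: the navigation completes and the new document's policy is built.
// The racy variant reads whatever the container's allow list is *now*.
function completeNavigation(nav) {
  const allow = nav.snapshot ?? nav.parent.containerAllow;
  return inheritedPolicy(allow, FEATURE);
}

// Runs the race: the feature is not allowed when navigate() starts, but the
// container policy is changed before the navigation completes.
// Returns the policy the child document ends up with.
function runRace(snapshotAtNavigate) {
  const parent = { containerAllow: [] };   // feature not allowed at navigate time
  const nav = startNavigation(parent, snapshotAtNavigate);
  parent.containerAllow = [FEATURE];       // container policy changes mid-navigation
  return completeNavigation(nav);
}
```

Without a snapshot the child ends up with the feature enabled even though it was not allowed when the navigation occurred; with a snapshot the child's policy reflects the state at navigate time.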