Sandbox, COOP, and error pages.

[hemeryar]

When a sandboxed iframe, tries to opens a popup to a COOP page, we return an error page in the popup instead. This is specified here:

If browsingContext is a top-level browsing context, then:

• Set responseCOOP to the result of obtaining a cross-origin opener policy given response and request's reserved client.

• If sandboxFlags is not empty and responseCOOP's value is not "unsafe-none", then set response to an appropriate network error and break.

In particular this assumes that keeping a handle to the popup with the error page is safe. However a recent bug shows that this surface is sufficient to leak information. Should we maybe consider cutting the opener if we end up in this case?

Note, for this to work:

• The sandboxed iframe must have allow-popups
• The sandboxed iframe must not have allow-popups-to-escape-sandbox, otherwise the popup does not have a sandbox flag
• The sandboxed iframe must not have a top-level frame that sets COOP, otherwise because it's cross-origin the popup gets noopener automatically.

[annevk]

So:

1. Create new top-level browsing context A.
2. Replace A with B, which causes A to close.
3. Navigate B to a network error.

User agents could alternatively do:

1. Create a new top-level browsing context A. (Perhaps not visible to the user.)
2. Close A.

I think that would be reasonable.

[hemeryar]

Updated the original post with implicit assumptions.

To make sure I understand your proposals, we have option 1:

• Open the popup on about:blank, with inherited sandbox flags, and opaque origin.
• Start the navigation to a page, wait for the response, it ends up being a page with COOP. Go through with the navigation, COOP BC group swap happens, opener gets removed.
• Once the page loaded, load an error page.

Or Option 2:

• Open the popup on about:blank, with inherited sandbox flags, and opaque origin. but don't show it.
• Start the navigation to a page, wait for the response, it ends up being a page with COOP, close the popup.

I discussed with @ArthurSonzogni, and I think we prefer option 1, as keeping the popup not visible when we open from a sandboxed iframe until we have a first navigation sounds confusing to the user and is probably hard to implement as well.

As for practically implementing option 1 in the spec, I don't think we want to restart the navigation to an error page, but we could simply enforce COOP even in this case. I'm thinking we could just move

• If sandboxFlags is not empty and responseCOOP's value is not "unsafe-none", then set response to an appropriate network error and break.

after

• Set coopEnforcementResult to the result of enforcing the response's cross-origin opener policy given browsingContext, request's URL, responseOrigin, responseCOOP, coopEnforcementResult and request's referrer.

[annevk]

I wasn't viewing them as different proposals; they are implementation alternatives as they should be indistinguishable as far as web pages are concerned. Your proposal for the HTML standard makes sense. I agree that we wouldn't want to wait for the COOP document to load.

I was wondering if instead of checking responseCOOP we should be checking coopEnforcementResult's needs a browsing context group switch, but that might result in different behavior. In particular if you have sandboxed A (but with allow-same-origin) opening A and both have COOP, I suspect coopEnforcementResult's needs a browsing context group switch would be false.

[hemeryar]

Indeed relying on coopEnforcementResult might open other holes in the sandbox rule that we probably don't want.