Closed hemeryar closed 2 years ago
So:
User agents could alternatively do:
I think that would be reasonable.
Updated the original post with implicit assumptions.
To make sure I understand your proposals, we have option 1:
Or Option 2:
I discussed with @ArthurSonzogni, and I think we prefer option 1, as keeping the popup not visible when we open from a sandboxed iframe until we have a first navigation sounds confusing to the user and is probably hard to implement as well.
As for practically implementing option 1 in the spec, I don't think we want to restart the navigation to an error page, but we could simply enforce COOP even in this case. I'm thinking we could just move
- If sandboxFlags is not empty and responseCOOP's value is not "unsafe-none", then set response to an appropriate network error and break.
after
- Set coopEnforcementResult to the result of enforcing the response's cross-origin opener policy given browsingContext, request's URL, responseOrigin, responseCOOP, coopEnforcementResult and request's referrer.
I wasn't viewing them as different proposals; they are implementation alternatives as they should be indistinguishable as far as web pages are concerned. Your proposal for the HTML standard makes sense. I agree that we wouldn't want to wait for the COOP document to load.
I was wondering if instead of checking responseCOOP we should be checking coopEnforcementResult's needs a browsing context group switch, but that might result in different behavior. In particular if you have sandboxed A (but with allow-same-origin) opening A and both have COOP, I suspect coopEnforcementResult's needs a browsing context group switch would be false.
Indeed relying on coopEnforcementResult might open other holes in the sandbox rule that we probably don't want.
When a sandboxed iframe, tries to opens a popup to a COOP page, we return an error page in the popup instead. This is specified here:
In particular this assumes that keeping a handle to the popup with the error page is safe. However a recent bug shows that this surface is sufficient to leak information. Should we maybe consider cutting the opener if we end up in this case?
Note, for this to work: