Re: [w3c/ServiceWorker] Introduce Cross-Origin Embedder Policy (#1516)

@annevk commented on this pull request.



> @@ -164,6 +164,8 @@ spec: webappsec-referrer-policy; urlPrefix: https://w3c.github.io/webappsec-refe
 
     A <a>script resource</a> has an associated <dfn export for="script resource" id="dfn-referrer-policy">referrer policy</dfn> (a [=/referrer policy=]). It is initially the empty string.
 
+    A [=/service worker=] has an associated <dfn>embedder policy</dfn> (an [=/embedder policy=]). It is initially set to a new [=/embedder policy=].
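
Review bot: The added `<dfn>embedder policy</dfn>` carries no `for` attribute, so it defines an unscoped term with the same text that `[=/embedder policy=]` links to in the same sentence. Scope it the way the referrer policy definition on the context line above is scoped, for example `<dfn for="service worker">embedder policy</dfn>`, so the service worker's field and the policy type stay distinct link targets.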

If you mean that it's set on creation you can drop the second sentence here.

> @@ -1863,6 +1865,8 @@ spec: webappsec-referrer-policy; urlPrefix: https://w3c.github.io/webappsec-refe
                 1. Let |requestResponses| be the result of running [=Query Cache=] with |r| and |options|.
                 1. [=list/For each=] |requestResponse| of |requestResponses|:
                     1. Add a copy of |requestResponse|'s response to |responses|.
+            1. [=list/For each=] |response| of |responses|:
+                1. If |response|'s [=response/type=] is "`opaque`" and [=cross-origin resource policy check=] with |response|'s [=internal/internal response=], |promise|'s [=relevant settings object=]'s [=environment settings object/origin=], and |promise|'s [=relevant settings object=] returns <b>blocked</b>, then reject |promise| with a `TypeError` and abort these steps.
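
Review bot: In the added sub-step, one "`opaque`" response that fails the check rejects |promise| for the entire |responses| list, and the text does not say whether that all-or-nothing outcome is intended rather than omitting the blocked response; a short note stating the intent would help implementers. The condition also reads |promise|'s [=relevant settings object=] twice, so binding it to a variable in a preceding step would make the arguments easier to compare against the check's parameter list.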

I think this needs some updating still to account for the parameter order in Fetch. And also, one of the arguments is a policy, right, not an environment settings object?

> @@ -2570,6 +2574,7 @@ spec: webappsec-referrer-policy; urlPrefix: https://w3c.github.io/webappsec-refe
           1. Invoke <a>Finish Job</a> with |job| and abort these steps.
       1. Let |httpsState| be "<code>none</code>".
       1. Let |referrerPolicy| be the empty string.
+      1. Let |embedder policy| be a new [=/embedder policy=].
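
Review bot: The new variable is written |embedder policy| with a space, while the two variables declared directly above it are |httpsState| and |referrerPolicy|. Rename it to |embedderPolicy| here and in every step that sets or reads it, so the variable is not mistaken for the [=/embedder policy=] term.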

It seems better for it to be null here and then later it's implicitly asserted that it's not null as it would have to be the value returned from obtaining an embedder policy.

> @@ -2609,6 +2614,7 @@ spec: webappsec-referrer-policy; urlPrefix: https://w3c.github.io/webappsec-refe
 
           1. Set |httpsState| to |response|'s [=response/HTTPS state=].
           1. Set |referrerPolicy| to the result of <a>parse a referrer policy from a <code>Referrer-Policy</code> header</a> of |response|.
+          1. Set |embedder policy| be the result of [=obtain an embedder policy|obtaining an embedder policy=] from |response|.
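
Review bot: The added step reads "Set |embedder policy| be the result", which drops the "to" that the two Set steps above it use. It should read "Set |embedder policy| to the result of" followed by the existing link text.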

to the result

-- 
https://github.com/w3c/ServiceWorker/pull/1516#pullrequestreview-428020113

Received on Wednesday, 10 June 2020 12:57:29 UTC