Re: [whatwg/fetch] Integrate CORP and COEP (#1030)

@annevk commented on this pull request.

Thanks! I'd like @domenic to take another look.

>  
 <ol>
+ <li><p>Assert: <var>response</var>'s <a for=response>URL list</a> is not empty.

We should link empty. (From memory `<a lt="is empty" for=list>empty</a>`.)

> +    <th>key
+    <th>value
+   </thead>
+   <tbody>
+    <tr>
+     <td>"<code>type</code>"
+     <td>"<code>corp</code>"
+    </tr>
+    <tr>
+     <td>"<code>blocked-url</code>"
+     <td><var>serialized url</var>
+    </tr>
+   </tbody>
+  </table>
+
+ <li><p><a href="https://w3c.github.io/reporting/#queue-report">Queue</a> <var>body</var> as
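
Review bot: In the `blocked-url` row, `<var>serialized url</var>` has a space in the variable name, while the other variables in this patch are camelCase (`settingsObject`, `forNavigation`, `embedderPolicy`); rename it to something like `<var>serializedURL</var>`. Because this value goes into a report body that is queued for delivery, the step that computes it should also say how the URL is serialized, for example whether the fragment and any credentials are excluded.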

This can now be fixed.

> +<p>To perform a <dfn export>cross-origin resource policy check</dfn>, given an <a for=url>origin</a>
+<var>origin</var>, an <a for=/>environment settings object</a> <var>settingsObject</var>, a
+<a for=/>response</a> <var>response</var>, and an optional boolean <var>forNavigation</var>, run
+these steps:
+
+<ol>
+ <li><p>Set <var>forNavigation</var> to false if it is not given.
+
+ <li><p>Let <var>embedderPolicy</var> be <var>settingsObject</var>'s embedder policy.
+
+ <li>
+  <p>If the <a>cross-origin resource policy internal check</a> with <var>origin</var>,
+  "<code>unsafe-none</code>", <var>response</var>, and <var>forNavigation</var> returns
+  <b>blocked</b>, then return <b>blocked</b>.
+
+  <p class="note">This is to queue only COEP-related violation reports.
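
Review bot: In the opening paragraph the `origin` parameter is linked as `<a for=url>origin</a>`, which points at the origin of a URL, but the argument here is an origin value handed straight to the internal check; `<a for=/>origin</a>` looks like the intended target. In the second step, "embedder policy" is left unlinked, unlike the other terms in this algorithm, so it should link to its definition.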

We should spell out COEP here I think. We never introduced it as an abbreviation.

> + <li><p>If the <a>cross-origin resource policy internal check</a> with <var>origin</var>,
+ <var>embedderPolicy</var>'s value, <var>response</var>, and <var>forNavigation</var> returns
+ <b>allowed</b>, then return <b>allowed</b>.
+
+ <li><p><a>Queue a cross-origin embedder policy CORP violation report</a> with <var>response</var>,
+ <var>settingsObject</var>, and false.
+
+ <li><p>Return <b>blocked</b>.
+</ol>
+
+<p class="note no-backref">Only HTML's navigate algorithm uses this check with
+<var>forNavigation</var> set to true, and it's always for nested navigations. Otherwise,
+<var>response</var> is either the <a for=internal>internal response</a> of an
+<a>opaque filtered response</a> or a <a for=/>response</a> which will be the
+<a for=internal>internal response</a> of an
+<a>opaque filtered response</a>. [[HTML]]
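
Review bot: The step "Queue a cross-origin embedder policy CORP violation report with response, settingsObject, and false" passes a bare `false` whose meaning cannot be read at the call site. Name the parameter inline or add a short note saying what false selects, so a reader can tell which kind of report is queued on the blocking path without opening the other algorithm.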

Add two newlines here. `<h2>`s get a bit of room.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1030#pullrequestreview-428043613

Received on Wednesday, 10 June 2020 13:25:56 UTC