Re: [whatwg/fetch] Specify the behavior of `COEP: credentialless`, (#1229)

@annevk commented on this pull request.

Modulo nits this looks okay to me.

> @@ -1892,6 +1892,26 @@ source of security bugs. Please seek security review for features that deal with
  <a for="URL serializer"><i>exclude fragment</i></a> set to true.
 </ol>
 
+<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a
+<a for=/>request</a> <var>request</var>, run theses steps:
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return
+ true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>client</a> is null, return true.</p>
+
+ <li><p>If <var>request</var>'s <a for=request>client</a>'s
+ <a for="environment settings object">policy container</a>'s
+ <a for="policy container">embedder policy</a> is not
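
Review bot: the `"` after `<code>no-cors</code>` in step 1 is unbalanced; either quote the mode value on both sides or drop it. The lead-in also has a typo, "run theses steps" for "run these steps". With those fixed, the two early returns read correctly: only a `no-cors` request that has a client can have its credentials stripped by this check, since the embedder policy is taken from that client's policy container.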

This should be embedder policy's value, no?

> @@ -3507,9 +3531,23 @@ Cross-Origin-Resource-Policy     = %s"same-origin" / %s"same-site" / %s"cross-or
  <li><p>If <var>policy</var> is neither `<code>same-origin</code>`, `<code>same-site</code>`, nor
  `<code>cross-origin</code>`, then set <var>policy</var> to null.
 
- <li><p>If <var>policy</var> is null and <var>embedderPolicyValue</var> is
- "<code><a for="embedder policy value">require-corp</a></code>", then set <var>policy</var> to
- `<code>same-origin</code>`.
+ <li>
+  <p>If <var>policy</var> is null, switch on <var>embedderPolicyValue</var>:</p>
+  <dl class=switch>
+   <dt>`<a for="embedder policy value">unsafe-none</a>`
+   <dd> Do nothing.
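
Review bot: `<dd> Do nothing.` carries a leading space and no `<p>`, unlike the `<li><p>` steps above it; `<dd><p>Do nothing.` keeps the source consistent. The hunk stops right after the first case, so the `</dl>` that closes `<dl class=switch>` is not visible here; make sure the switch is closed before the next `<li>` of the enclosing list.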

```suggestion
   <dd><p>Do nothing.
```

> @@ -3507,9 +3531,23 @@ Cross-Origin-Resource-Policy     = %s"same-origin" / %s"same-site" / %s"cross-or
  <li><p>If <var>policy</var> is neither `<code>same-origin</code>`, `<code>same-site</code>`, nor
  `<code>cross-origin</code>`, then set <var>policy</var> to null.
 
- <li><p>If <var>policy</var> is null and <var>embedderPolicyValue</var> is
- "<code><a for="embedder policy value">require-corp</a></code>", then set <var>policy</var> to
- `<code>same-origin</code>`.
+ <li>
+  <p>If <var>policy</var> is null, switch on <var>embedderPolicyValue</var>:</p>
+  <dl class=switch>
+   <dt>`<a for="embedder policy value">unsafe-none</a>`
+   <dd> Do nothing.
+
+   <dt>`<a for="embedder policy value">credentialless</a>`
+   <dd> Set <var>policy</var> to `<code>same-origin</code>` if one of the following is true:
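
Review bot: the `credentialless` case reads `<var>response</var>` and `<var>forNavigation</var>`, neither of which is introduced in the visible lines of this hunk; confirm both are inputs of the algorithm this switch sits in (the hunk starts mid-algorithm), so the new branch does not refer to an undefined variable. Stylistically the `<dd>` text wants a `<p>` wrapper with the following `<ul>` indented under it, as the comment above says.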

You also need to indent the `<ul>` below accordingly.
```suggestion
   <dd>
    <p>Set <var>policy</var> to `<code>same-origin</code>` if one of the following is true:
```

> - `<code>same-origin</code>`.
+ <li>
+  <p>If <var>policy</var> is null, switch on <var>embedderPolicyValue</var>:</p>
+  <dl class=switch>
+   <dt>`<a for="embedder policy value">unsafe-none</a>`
+   <dd> Do nothing.
+
+   <dt>`<a for="embedder policy value">credentialless</a>`
+   <dd> Set <var>policy</var> to `<code>same-origin</code>` if one of the following is true:
+   <ul>
+    <li><var>response</var>'s <a for="response">request-include-credentials</a> is true.
+    <li><var>forNavigation</var> is true.
+   </ul>
+
+   <dt>`<a for="embedder policy value">require-corp</a>`
+   <dd> Set <var>policy</var> to `<code>same-origin</code>`.
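
Review bot: the `<ul>` items under `credentialless` should be `<li><p>` with the list indented under its `<dd>`, and the `require-corp` `<dd>` has the same leading-space/no-`<p>` issue as the other two cases. On the logic itself: a response with no usable CORP value is treated as `same-origin` always under `require-corp`, under `credentialless` only when it was requested with credentials or is a navigation response, and never under `unsafe-none` (policy stays null). That gives the intended ordering of strictness, `unsafe-none` < `credentialless` < `require-corp`, and the switch covers the three embedder policy values named in this hunk.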

```suggestion
   <dd><p>Set <var>policy</var> to `<code>same-origin</code>`.
```

> @@ -4668,6 +4706,9 @@ steps. They return a <a for=/>response</a>.
 
     <p>is true; otherwise false.
 
+   <li><p>If <a>Cross-Origin-Embedder-Policy allows credentials</a> with <var>request</var> returns
+   false, set <var>includeCredentials</var> to false.</p>
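
Review bot: the new step is missing the "then" that the surrounding "If ..., then ..." steps use. Its placement is right: it runs after `<var>includeCredentials</var>` has been computed by the preceding step and can only clear the flag, never set it, and because the check takes only `<var>request</var>` the decision is made before any response is seen.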

```suggestion
   false, then set <var>includeCredentials</var> to false.</p>
```

> @@ -1892,6 +1892,24 @@ source of security bugs. Please seek security review for features that deal with
  <a for="URL serializer"><i>exclude fragment</i></a> set to true.
 </ol>
 
+<p>To check <dfn export>Cross-Origin-Embedder-Policy allows credentials</dfn>, given a
+<a for=/>request</a> <var>request</var>, run theses steps:
+
+<ol>
+ <li><p>If <var>request</var>'s <a for=request>mode</a> is not <code>no-cors</code>", return
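
Review bot: the unbalanced `"` after `<code>no-cors</code>` and the "theses steps" typo from the earlier revision of this hunk are both still present in this +24-line version; fix them together with the "then return" wording requested below.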

Ah, sorry, I missed this. I meant that instead of "return", write "then return". That's the convention this specification uses for if statements.

Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/1229#pullrequestreview-760555032

Received on Wednesday, 22 September 2021 07:43:08 UTC