Window global should only inherit COEP for http or initial about:blank documents
Categories: Core :: DOM: Core & HTML, defect
People: Reporter: valentin, Assigned: edenchuang
Attachments: 1 file
https://phabricator.services.mozilla.com/D46903#inline-433725
We should probably be null-checking inherit here, because opener->GetCurrentWindowContext could be null.
I'm a little worried that this will cause us to inherit a COEP for non-http, non-initial-about:blank documents when we shouldn't be. Reading the logic from https://wicg.github.io/cross-origin-embedder-policy/#ref-for-creating-a-new-browsing-context, it looks like we should only inherit from our creator context for the initial about:blank document, and not after that, which is not what the code is doing right now.
Nika, I am not entirely sure in which other situations WindowGlobalActor::BaseInitializer is getting called. Could you provide an example?
Comment 1 (Reporter)•4 years ago
Or maybe you mean cases when we have the opener, but the opener's windowContext has changed in between opening the window and when the global is actually created?
Comment 2•4 years ago
I tried to clarify this over zoom today.
The issue is that we call WindowGlobalActor::BaseInitializer for every window which is loaded, meaning that we'll end up calling it multiple times. This could allow it to observe multiple different opener values over time, and inherit the flag for document loads which shouldn't be inheriting.
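
A simplified model of the concern raised in comment 2 and of the rule quoted in the description, added here as an illustration and not taken from the bug, the patch or Gecko. All names (`Load`, `WindowContext`, `InitNaive`, `InitChecked`) are hypothetical, and treating other non-http loads as `unsafe-none` is an assumption of the model.

```cpp
#include <string>
#include <vector>

// Simplified model of the concern in this bug. Not Gecko code: every type and
// function name here is hypothetical.
enum class Coep { UnsafeNone, RequireCorp };

struct Load {
  std::string scheme;      // "about", "https", "data", ...
  bool initialAboutBlank;  // first document of a newly created context
  Coep headerPolicy;       // policy from the response header (http/https)
};

struct WindowContext { Coep policy; };  // opener's current context, may be null

// The worry from comment 2: the initializer runs for every load and copies
// the policy from whatever opener context it sees at that moment.
Coep InitNaive(const Load& load, const WindowContext* opener) {
  return opener ? opener->policy : load.headerPolicy;
}

// Rule as read from the spec in the description: inherit only for the initial
// about:blank. Assumption: other non-http loads get UnsafeNone in this model.
Coep InitChecked(const Load& load, const WindowContext* opener) {
  if (load.initialAboutBlank) return opener ? opener->policy : Coep::UnsafeNone;
  if (load.scheme == "http" || load.scheme == "https") return load.headerPolicy;
  return Coep::UnsafeNone;
}

// Replays successive loads in one popup; counts loads the naive path mislabels.
int CountWrongInherits(const std::vector<Load>& loads, const WindowContext* opener) {
  int wrong = 0;
  for (const Load& l : loads) wrong += InitNaive(l, opener) != InitChecked(l, opener);
  return wrong;
}

// Constructed scenario: popup opened by a require-corp page, then navigated.
std::vector<Load> SampleLoads() {
  return {{"about", true, Coep::UnsafeNone},
          {"https", false, Coep::UnsafeNone},
          {"data", false, Coep::UnsafeNone}};
}

int main() {
  WindowContext opener{Coep::RequireCorp};
  return CountWrongInherits(SampleLoads(), &opener) == 2 ? 0 : 1;
}
```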
Comment 3 (Reporter)•4 years ago
Hi Jens, I thought I'd be able to make this work, but I don't think my understanding of DOM code is quite good enough.
Could you find someone else to work on this?
Thanks!
Comment 4•4 years ago
Eden, Tom ?
Comment 7 (Assignee)•4 years ago
Pushed by nerli@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ec3fb1bc94ea Do not inherit COEP from opener for non-http or non-initial-about:blank documents r=nika
Comment 9•4 years ago
bugherder