From 8455c3167a5e359ea8e8654792f68deabb05f4f5 Mon Sep 17 00:00:00 2001 From: Mike West Date: Mon, 7 Oct 2019 09:19:58 +0200 Subject: [PATCH] Revisit navigation requests' `destination`. As discussed in w3c/webappsec-fetch-metadata#45, this patch splits the `document` destination into `document`, `frame`, and `iframe`. These destinations distinguish top-level navigation from nested navigation, and exposing this data via `Sec-Fetch-Dest` will allow developers to better understand the nature of a request. This patch also redefines "navigation request" and "non-subresource request" to include `embed` and `object` destinations as a consequence of the conversation in [1], which will also change the `mode` of those requests from `no-cors` to `navigate` [2]. These changes are covered by WPT in //fetch/metadata, specifically [3], [4], [5], and [6]. [1]: https://github.com/whatwg/fetch/pull/948#discussion_r331896073 [2]: https://github.com/whatwg/html/pull/4976/files [3]: https://github.com/web-platform-tests/wpt/blob/master/fetch/metadata/embed.tentative.https.sub.html [4]: https://github.com/web-platform-tests/wpt/blob/master/fetch/metadata/object.tentative.https.sub.html [5]: https://github.com/web-platform-tests/wpt/blob/master/fetch/metadata/iframe.tentative.https.sub.html [6]: https://github.com/web-platform-tests/wpt/blob/master/fetch/metadata/navigation.tentative.https.sub.html --- fetch.bs | 37 ++++++++++++++++++++----------------- 1 file changed, 20 insertions(+), 17 deletions(-) diff --git a/fetch.bs b/fetch.bs index 1591ca269..8a9a30280 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1185,6 +1185,8 @@ the empty string, "document", "embed", "font", +"frame", +"iframe", "image", "manifest", "object", @@ -1228,7 +1230,7 @@ not always relevant and might require different behavior. CSP directive Features - "" + "" "report" — CSP, NEL reports. 
@@ -1236,9 +1238,13 @@ not always relevant and might require different behavior. "document" HTML's navigate algorithm. - "document" + "frame" + child-src + HTML's <frame> + + "iframe" child-src - HTML's <iframe> and <frame> + HTML's <iframe> "" connect-src @@ -1604,19 +1610,15 @@ whose destination is "audio", "audioworkle "script", "style", "track", "video", "xslt", or the empty string. -

A potential-navigation-or-subresource request is a -request whose -destination is -"object" or "embed". -

A non-subresource request is a request -whose destination is "document", -"report", "serviceworker", "sharedworker", -or "worker". +whose destination is "document", "embed", +"frame", "iframe", "object", "report", +"serviceworker", "sharedworker", or "worker".

A navigation request is a request whose destination is -"document". +"document", "embed", "frame", "iframe", +or "object".

See handle fetch for usage of these terms. [[!SW]] @@ -3262,16 +3264,17 @@ the request.

  1. Let value be `*/*`. -

  2. If request is a navigation request, a user agent should set - value to - `text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8`. -

  3. Otherwise, a user agent should set value to the first matching statement, if any, switching on request's destination:

    +
    "document" +
    "frame" +
    "iframe" +
    `text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8` +
    "image"
    `image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5` @@ -5823,7 +5826,7 @@ dictionary RequestInit { any window; // can only be set to null }; -enum RequestDestination { "", "audio", "audioworklet", "document", "embed", "font", "image", "manifest", "object", "paintworklet", "report", "script", "sharedworker", "style", "track", "video", "worker", "xslt" }; +enum RequestDestination { "", "audio", "audioworklet", "document", "embed", "font", "frame", "iframe", "image", "manifest", "object", "paintworklet", "report", "script", "sharedworker", "style", "track", "video", "worker", "xslt" }; enum RequestMode { "navigate", "same-origin", "no-cors", "cors" }; enum RequestCredentials { "omit", "same-origin", "include" }; enum RequestCache { "default", "no-store", "reload", "no-cache", "force-cache", "only-if-cached" };
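Review bot: In the hunk at `@@ -1604,19 +1610,15`, the definition of "potential-navigation-or-subresource request" is deleted, but the unchanged line after it still reads "See handle fetch for usage of these terms. [[!SW]]". Any remaining use of the removed term in fetch.bs, or in the Service Workers text that line points to, would become a dangling reference. Please confirm nothing else links to the removed term, or update those call sites in the same change so that "embed" and "object" are handled through the widened "navigation request" and "non-subresource request" definitions.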
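Review bot: In the `Accept` hunk at `@@ -3262,16 +3264,17`, the step "If request is a navigation request ..." is removed, while the following step is left as unchanged context and still begins "Otherwise, a user agent should set value to the first matching statement". That "Otherwise" no longer has a condition to pair with. Suggest rewording the step to start "A user agent should set ...". A short note would also help, saying that "embed" and "object", which this patch makes navigation requests, intentionally keep `*/*` because only "document", "frame" and "iframe" are listed for the `text/html,...` value.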
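Review bot: The `RequestDestination` change at `@@ -5823,7 +5826,7` adds "frame" and "iframe" with no note that this is an observable change for existing consumers. Per the table hunk, `<iframe>` and `<frame>` were previously covered by the "document" row, so a service worker or a server-side `Sec-Fetch-Dest` policy that matches only "document" to recognise navigations will stop matching nested ones. Suggest adding a short note next to the destination list stating that "document" now means top-level navigation only and that nested navigation is reported as "frame" or "iframe".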