Pass a top-level navigation initiator origin to Fetch #10991

Open
wants to merge 1 commit into
base: main

@bvandersloot-mozilla bvandersloot-mozilla commented Feb 4, 2025

To un-logjam the cookie layering work, I've started whatwg/fetch#1807. That depends on this info to be piped into Fetch so we can actually specify in WHATWG what SameSite=Strict means.

This patch plumbs that through on top-level navigable fetches.

This doesn't build because it relies upon the corresponding patch in Fetch. Let me know to land these.

  • At least two implementers are interested (and none opposed):
  • Tests are written and can be reviewed and commented upon at:
    • change is not observable, not needed?
  • Implementation bugs are filed:
    • change is to update spec interfacing, not needed?
  • Corresponding HTML AAM & ARIA in HTML issues & PRs:
  • MDN issue is filed:
    • I don't think this is needed?
  • The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)


/browsing-the-web.html ( diff )
/infrastructure.html ( diff )

@annevk annevk left a comment

I think one thing we identified that's worth looking into here is what happens if OPENER opens POPUP and then attempts to navigate POPUP's EMBED using named targeting.

@bvandersloot-mozilla

> I think one thing we identified that's worth looking into here is what happens if OPENER opens POPUP and then attempts to navigate POPUP's EMBED using named targeting.

Looking into this, I think the only interesting case here is where OPENER is cross-origin to POPUP, because it is exactly this case where you have a non-ancestor initiator. This isn't possible to do because targeting is blocked by the cross-origin-ness of the opened window. We could test where OPENER and POPUP are same-origin, but that just feels like the existing iframe tests with extra steps. Let me know if you see anything worth testing here, but I don't see it.

source Outdated
@@ -2688,6 +2688,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
<li><dfn data-x="concept-request-user-activation" data-x-href="https://fetch.spec.whatwg.org/#request-user-activation">user-activation</dfn></li>
<li><dfn data-x="concept-request-render-blocking" data-x-href="https://fetch.spec.whatwg.org/#request-render-blocking">render-blocking</dfn></li>
<li><dfn data-x="concept-request-initiator-type" data-x-href="https://fetch.spec.whatwg.org/#request-initiator-type">initiator type</dfn></li>
<li><dfn data-x="concept-request-top-level-navigation-initiator-origin" data-x-href="https://fetch.spec.whatwg.org/#concept-request-top-level-navigation-initiator-origin">top-level navigation initiator origin</dfn></li>
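Review bot: The data-x-href fragment on the new top-level navigation initiator origin entry keeps a concept- prefix (#concept-request-top-level-navigation-initiator-origin), while the neighbouring entries in this list point at unprefixed Fetch IDs such as #request-user-activation, #request-render-blocking and #request-initiator-type. If the Fetch ID for this field follows the same pattern, the target should be #request-top-level-navigation-initiator-origin so the cross-reference resolves; please confirm the final anchor against the Fetch PR before landing.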
Member

This link will need adjusting per feedback on the Fetch PR.

We just applied s/concept-request-redirect-taint/concept-request-tainted-origin/ - are you mixing these up? I think this link is still right, unless you wanted to make a change to Fetch.

Member

I fixed this now. We changed Fetch such that Bikeshed generates the ID, which won't include concept-.

@annevk annevk left a comment

This looks in order now from my perspective.

This helps with the HTTP WG's layered cookies draft integration work. whatwg/fetch#1807 depends on this state being passed in so we can define SameSite=Strict properly.