Anonymous iframe
Explainer:
https://github.com/camillelamy/explainers/blob/main/anonymous_iframes.md

Chrome status:
https://chromestatus.com/feature/5729461725036544

Summary:
- Define the anonymous flag for iframe and Window.
- Inheritance is defined similarly to sandbox. However, it does not
  propagate toward popups.
- Popups opened from an anonymous Window use 'noopener'.
- Navigations in anonymous iframes are allowed, even if the embedder has
  COEP:require-corp|credentialless and the response does not.
- Define the `page anonymous nonce`; it is used for anonymous Windows as
  an additional key in:
  - network-partition-keys,
  - storage-partition-keys,
  - cookie-partition-keys
  This ensures the document is loaded within a new and ephemeral
  context. This prevents a cross-origin-isolated parent from stealing
  important data from its child, via a Spectre Attack.
- Password autofill must be disabled inside anonymous Window.

XXX: implement the corresponding parts on top of:
- Fetch => network-partition-keys
- StoragePartitioning => storage-partition-keys
- CookieHavingIndependantState => cookie-partition-key
- Worker.
ArthurSonzogni committed Mar 10, 2022
1 parent deef8ba commit 149b30f
Showing 1 changed file with 131 additions and 26 deletions.
157 changes: 131 additions & 26 deletions source
Expand Up @@ -2494,6 +2494,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
<li><dfn data-x="body safely extract" data-x-href="https://fetch.spec.whatwg.org/#bodyinit-safely-extract">safely extracting a body</dfn></li>
<li><dfn data-x-href="https://fetch.spec.whatwg.org/#process-response-end-of-body">processResponseConsumeBody</dfn></li>
<li><dfn data-x-href="https://fetch.spec.whatwg.org/#fetch-processresponseendofbody">processResponseEndOfBody</dfn></li>
<li><dfn data-x-href="https://fetch.spec.whatwg.org/#network-partition-keys">network-partition-keys</dfn></li>
<li>
<dfn data-x="concept-response"
data-x-href="https://fetch.spec.whatwg.org/#concept-response">response</dfn> and its
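Review bot: the new dependency entry links to `https://fetch.spec.whatwg.org/#network-partition-keys`, a plural fragment, while every neighbouring entry in this list points at a specific dfn (`#bodyinit-safely-extract`, `#process-response-end-of-body`); Fetch exports the singular concept "network partition key", so confirm the fragment resolves to that dfn rather than to a section heading. Within this patch the term is only referenced from the `class="XXX"` paragraph in the "Anonymous iframe" section, so consider whether it belongs in the normative dependency list before the partitioning text itself is written.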
Expand Down Expand Up @@ -30831,6 +30832,7 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></code></pre>
<dd><code data-x="attr-dim-height">height</code></dd>
<dd><code data-x="attr-iframe-referrerpolicy">referrerpolicy</code></dd>
<dd><code data-x="attr-iframe-loading">loading</code></dd>
<dd><code data-x="attr-iframe-anonymous">anonymous</code></dd>
<dt><span
data-x="concept-element-accessibility-considerations">Accessibility considerations</span>:</dt>
<dd><a href="https://w3c.github.io/html-aria/#el-iframe">For authors</a>.</dd>
Expand Down Expand Up @@ -31541,6 +31543,12 @@ interface <dfn interface>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
<li><p>Invoke <var>resumptionSteps</var>.</p></li>
</ol>

<hr> <!-- ANONYMOUS ATTRIBUTE -->

<p>The <dfn element-attr for="iframe"><code data-x="attr-iframe-anonymous">anonymous</code></dfn>
attribute, enables loading documents hosted by the <code>iframe</code> with a new and ephemeral
storage partition. It is a boolean value. The default is false.</p>

<hr> <!-- FALLBACK -->

<p>Descendants of <code>iframe</code> elements represent nothing. (In legacy user agents that do
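Review bot: the attribute paragraph does not say when a change to `anonymous` takes effect; the flag is read when a navigation starts (the "navigation's anonymous flag" algorithm later in this patch), so the text should state, as the `sandbox` attribute does, that changing the attribute only affects subsequent navigations of the nested browsing context. Also "It is a boolean value. The default is false." should read "It is a boolean attribute", matching the attribute index row added at the end of the patch, the comma in "attribute, enables loading" should go, and "a new and ephemeral storage partition" undersells what the commit message describes (network, storage and cookie partition keys).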
Expand Down Expand Up @@ -80302,6 +80310,10 @@ popup4.close();</code></pre></div>
<li><p>Let <var>sandboxFlags</var> be the result of <span>determining the creation sandboxing
flags</span> given <var>browsingContext</var> and <var>embedder</var>.</p></li>

<li><p>Let <var>anonymous</var> be the result of determining the <span
data-x="initial-window-anonymous">initial window anonymous</span> flag, given
<var>browsingContext</var>.</p></li>
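Review bot: this step reads the container's `anonymous` attribute when the browsing context is created, but the "Anonymous iframe" section describes the `iframe` flag as mutable; if a script sets the attribute after insertion but before assigning `src`, the initial `about:blank` Window carries anonymous false while the first navigation computes true. The "do nothing" condition added later in this patch (which now also compares the active window's anonymous flag with navigationParams's) handles that by creating a fresh Window, but nothing here says so; add a note pointing at it, otherwise readers will assume the initial flag is sticky for the lifetime of the browsing context.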

<!--
This step does not need to use |embedder|, because determining the origin only consults the
container when the url argument is about:srcdoc. However, here we always pass about:blank.
Expand All @@ -80326,7 +80338,8 @@ popup4.close();</code></pre></div>
realm</span> given <var>agent</var> and the following customizations:</p>

<ul>
<li><p>For the global object, create a new <code>Window</code> object.</p></li>
<li><p>For the global object, create a new <code>Window</code> object, with <code
data-x="attr-iframe-anonymous">anonymous</code> set to <var>anonymous</var>.</p></li>

<li><p>For the global <b>this</b> binding, use <var>browsingContext</var>'s
<code>WindowProxy</code> object.</li>
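Review bot: the cross-reference is wrong: `<code data-x="attr-iframe-anonymous">anonymous</code>` points at the `iframe` content attribute, but what is being set here is the `Window`'s anonymous flag, which this same patch identifies as `data-x="dom-window-anonymous"` in the Window IDL and in the "anonymous Window" definition. The second "create a new Window object" customization further down has the same mistake.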
Expand Down Expand Up @@ -81701,6 +81714,7 @@ interface <dfn interface>Window</dfn> : <span>EventTarget</span> {
attribute DOMString <span data-x="dom-window-status">status</span>;
undefined <span data-x="dom-window-close">close</span>();
readonly attribute boolean <span data-x="dom-window-closed">closed</span>;
readonly attribute boolean <span data-x="dom-window-anonymous">anonymous</span>;
undefined <span data-x="dom-window-stop">stop</span>();
undefined <span data-x="dom-window-focus">focus</span>();
undefined <span data-x="dom-window-blur">blur</span>();
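Review bot: `readonly attribute boolean anonymous` is added to the `Window` IDL but no getter steps are defined; the "Anonymous iframe" section only says "Each Window has a constant anonymous flag". Add "The `anonymous` getter steps are to return this's anonymous flag." Separately, the commit message says the flag is defined for both `iframe` and `Window`, yet in the hunks shown `HTMLIFrameElement` gains no reflecting `[CEReactions] attribute boolean anonymous;`, so script can only use `setAttribute`; either add the reflecting attribute or adjust the summary.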
Expand Down Expand Up @@ -81900,6 +81914,9 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri

<li><p>If <var>noreferrer</var> is true, then set <var>noopener</var> to true.</p></li>

<li><p>If <span>entry global object</span>'s <span data-x="dom-window-anonymous">anonymous</span>
flag is true, then set <var>noopener</var> to true.</p></li>

<li>
<p>Let <var>target browsing context</var> and <var>windowType</var> be the result of applying
<span>the rules for choosing a browsing context</span> given <var>target</var>, <var>source
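Review bot: forcing `noopener` here only covers the window open steps; hyperlinks and form submissions with `target=_blank` also create auxiliary browsing contexts through "the rules for choosing a browsing context" (which already takes a noopener input, as the call on the next lines shows) and are not touched in this patch, so the note below that "Popup opened from anonymous Window are always with 'noopener' set" promises more than the algorithm text delivers. Either hook the same entry-global-object check into the rules for choosing a browsing context or narrow the note to `window.open()`.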
Expand Down Expand Up @@ -84050,6 +84067,70 @@ interface <dfn interface>BarProp</dfn> {



<h3>Anonymous iframe</h3>

<p>Each <code>iframe</code> element has a mutable <code
data-x="attr-iframe-anonymous">anonymous</code> flag attribute.</p>

<p>Each <code>Window</code> has a constant <dfn attribute for="Window"
data-x="dom-window-anonymous"><code>anonymous</code></dfn> flag.</p>

<p>An <dfn>anonymous Window</dfn> is a <code>Window</code>, whose <code
data-x="dom-window-anonymous">anonymous</code> flag is true.</p>

<p>To compute the <dfn data-x="initial-window-anonymous">initial window anonymous flag</dfn>,
given a new <span data-x="concept-document-bc">browsing context</span> <var>browsing
context</var>:</p>
<ol class="brief">
<li><p>Set <var>embedder</var> be <var>browsing context</var>'s <span
data-x="bc-container">container</span>.</p>
<li><p>If <var>embedder</var> is not an element, return false.</p></li>
<li><p>Otherwise, set <var>parentWindow</var> be the <var>embedder</var>'s <span>node
document</span>'s <span>relevant global object</span>.</p></li>
<li><p>Return the union of:</p>
<ul class="brief">
<li><p><var>parentWindow</var>'s <code attribute for="Window"
data-x="dom-window-anonymous">anonymous</code></p></li>
<li><p><var>embedder</var>'s <span><code>iframe</code></span>'s <code
data-x="attr-iframe-anonymous">anonymous</code></p></li>
</ul>
</li>
</ol>

<p>To compute the <dfn data-x="navigation-anonymous">navigation's anonymous flag</dfn>,
given <span data-x="concept-document-bc">browsing context</span> <var>browsing
context</var>, follows the same steps as in the <span
data-x="initial-window-anonymous">initial window anonymous flag</span> algorithm.</p>

<p class="note">New <code>Window</code>'s <code data-x="dom-window-anonymous">anonymous</code>
flag is computed either from the <span data-x="initial-window-anonymous">initial window anonymous
flag</span> algorithm for new <span data-x="concept-document-bc">browsing context</span>, or from
the <span data-x="navigation-anonymous">navigation's anonymous flag</span> algorithm, executed
when the navigation started, for navigations inside pre-existing <span
data-x="concept-document-bc">browsing context</span>.</p>

<p class="note">Popup opened from <span>anonymous Window</span> are always with 'noopener' set</p>

<p class="note">Top-level <span>anonymous Window</span> do not exist.</p>

<p>Each top-level <span>Window</span> has an associated <dfn export>page anonymous nonce</dfn>. It
is an immutable nonce ("number used once").</p>

<p class="XXX">The <span>page anonymous nonce</span> is meant to be used for <span>anonymous
Window</span> as a key in <span>network-partition-keys</span>, storage-partition-keys, and
cookie-partition-keys for <span>anonymous Window</span>. See <a
href="https://github.com/whatwg/fetch/issues/904">Network state partitionning</a>, <a
href="https://privacycg.github.io/storage-partitioning/">Client-Side Storage Partitioning</a>, and
<a href="https://github.com/WICG/CHIPS">CHIPS (Cookies Having Independant Partitioned
State</a>.</p>

<p><dfn>Autofill and anonymous iframe</dfn>: User agents sometimes have features for helping users
fill forms in: for example prefilling the user's address, password, or payment informations. User
agents must disable those features when the data is both specific to the user and to the website.
</p>



<h3>Cross-origin opener policies</h3>

<p>A <dfn>cross-origin opener policy value</dfn> allows a document which is navigated to in a
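Review bot: the `page anonymous nonce` is declared ("Each top-level Window has an associated page anonymous nonce") but nothing in this patch creates it: neither "create a new Window object" customization initializes it, and its only use is the `class="XXX"` paragraph, so the partitioning the commit message relies on for the Spectre argument has no normative hook yet; at minimum say when the nonce is generated (on creation of the top-level Window) and that it is never reused. Smaller points in the same region: in the initial window anonymous flag algorithm, "Set embedder be" should be "Let embedder be" and that `<li>` is not closed; "Return the union of" two booleans should be "Return true if either ... is true, false otherwise"; the container of a nested browsing context can be a `frame`, `object` or `embed` element as well as an `iframe`, so "embedder's iframe's anonymous" must say what happens for containers that are not `iframe` elements; and "navigation's anonymous flag" restates the initial algorithm verbatim and could simply reuse it. The autofill paragraph's requirement ("User agents must disable those features when the data is both specific to the user and to the website") never mentions anonymous Windows, so as written it applies to every document; add "in an anonymous Window". Typos: "partitionning", "Independant", "informations", "Popup opened from anonymous Window are always with 'noopener' set", "Top-level anonymous Window do not exist".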
Expand Down Expand Up @@ -85422,7 +85503,8 @@ interface <dfn interface>BarProp</dfn> {

<p>To <dfn>check a navigation response's adherence to its embedder policy</dfn> given a <span
data-x="concept-response">response</span> <var>response</var>, a <span>browsing context</span>
<var>target</var>, and an <span>embedder policy</span> <var>responsePolicy</var>:</p>
<var>target</var>, an <span>embedder policy</span> <var>responsePolicy</var>, and a boolean
<var>anonymous</var>:</p>

<ol>
<li><p>If <var>target</var> is not a <span>child browsing context</span>, then return
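Review bot: the signature gains a fourth input, "a boolean anonymous", but the only call site in this patch (in process a navigate fetch: "checking a navigation response's adherence to its embedder policy given response, browsingContext, and navigationParams's policy container's embedder policy") still passes three values and instead ANDs the result with "navigationParams's anonymous flag is false". That leaves two mechanisms for one relaxation: pass `navigationParams's anonymous` as the fourth argument here and drop the extra condition at the call site, so the `anonymous` checks in the steps below are the single place where the COEP inheritance requirement is waived (and where report-only reporting is suppressed).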
Expand All @@ -85435,18 +85517,18 @@ interface <dfn interface>BarProp</dfn> {

<li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-value">report-only
value</span> is <span>compatible with cross-origin isolation</span> and
<var>responsePolicy</var>'s <span data-x="embedder-policy-value">value</span> is not, then
<span>queue a cross-origin embedder policy inheritance violation</span> with <var>response</var>,
"<code data-x="">navigation</code>", <var>parentPolicy</var>'s <span
data-x="embedder-policy-report-only-reporting-endpoint">report only reporting endpoint</span>,
"<code data-x="">reporting</code>", and <var>target</var>'s <span
<var>responsePolicy</var>'s <span data-x="embedder-policy-value">value</span> is not, and
<var>anonymous</var> is false, then <span>queue a cross-origin embedder policy inheritance
violation</span> with <var>response</var>, "<code data-x="">navigation</code>",
<var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-reporting-endpoint">report
only reporting endpoint</span>, "<code data-x="">reporting</code>", and <var>target</var>'s <span
data-x="bc-container-document">container document</span>'s <span>relevant settings
object</span>.</p></li>

<li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-value">value</span> is not
<span>compatible with cross-origin isolation</span> or <var>responsePolicy</var>'s <span
data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin
isolation</span>, then return true.</p></li>
isolation</span>, or <var>anonymous</var> is true, then return true.</p></li>

<li><p><span>Queue a cross-origin embedder policy inheritance violation</span> with
<var>response</var>, "<code data-x="">navigation</code>", <var>parentPolicy</var>'s <span
Expand Down Expand Up @@ -87571,6 +87653,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
<dt><dfn data-x="navigation-params-sandboxing">final sandboxing flag set</dfn></dt>
<dd>a <span>sandboxing flag set</span> to impose on the new <code>Document</code></dd>

<dt><dfn data-x="navigation-params-anonymous">anonymous</dfn></dt>
<dd>The anonymous flag to impose on the new <code>Window</code></dd>

<dt><dfn data-x="navigation-params-coop">cross-origin opener policy</dfn></dt>
<dd>a <span>cross-origin opener policy</span> to use for the new <code>Document</code></dd>
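Review bot: the new navigation params entry is the only one in this list that starts with a capital ("The anonymous flag to impose") where its neighbours read "a sandboxing flag set ...", "a cross-origin opener policy ..."; make it "a boolean, the anonymous flag to impose on the new Window" and link "anonymous flag" to the `dom-window-anonymous` definition so readers can find what the flag does.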

Expand Down Expand Up @@ -87823,6 +87908,10 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
flags</span> given <var>browsingContext</var> and <var>browsingContext</var>'s <span
data-x="bc-container">container</span>.</p></li>

<li><p>Let <var>anonymous</var> be the result of computing the <span
data-x="navigation-anonymous">navigation's anonymous flag</span>, given
<var>browsingContext.</var></p></li>

<li><p>Let <var>allowedToDownload</var> be the result of running the <span>allowed to
download</span> algorithm given the <span>source browsing context</span> and
<var>browsingContext</var>.</p></li>
Expand Down Expand Up @@ -87893,8 +87982,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
data-x="navigation-params-policy-container">policy container</span> is
<var>policyContainer</var>, <span data-x="navigation-params-sandboxing">final sandboxing
flag set</span> is <var>finalSandboxFlags</var>, <span
data-x="navigation-params-coop">cross-origin opener policy</span> is <var>coop</var>, <span
data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
data-x="navigation-params-anonymous">anonymous</span> is <var>anonymous</var>, <span
data-x="navigation-params-coop">cross-origin opener policy</span> is <var>coop</var>,
<span data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
<var>coopEnforcementResult</var>, <span
data-x="navigation-params-reserved-environment">reserved environment</span> is null, <span
data-x="navigation-params-browsing-context">browsing context</span> is
Expand Down Expand Up @@ -87950,8 +88040,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
data-x="navigation-params-policy-container">policy container</span> is
<var>browsingContext</var>'s <span>active document</span>'s <span>policy container</span>,
<span data-x="navigation-params-sandboxing">final sandboxing flag set</span> is
<var>finalSandboxFlags</var>, <span data-x="navigation-params-coop">cross-origin opener
policy</span> is <var>browsingContext</var>'s <span>active document</span>'s <span
<var>finalSandboxFlags</var>, <span data-x="navigation-params-anonymous">anonymous</span> is
<var>anonymous</var>, <span data-x="navigation-params-coop">cross-origin opener policy</span>
is <var>browsingContext</var>'s <span>active document</span>'s <span
data-x="concept-document-coop">cross-origin opener policy</span>, <span
data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
<var>coopEnforcementResult</var>, <span
Expand Down Expand Up @@ -87986,10 +88077,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location

<dd><p>Run <span>process a navigate fetch</span> given <var>navigationId</var>,
<var>resource</var>, the <span>source browsing context</span>, <var>browsingContext</var>,
<var>navigationType</var>, <var>sandboxFlags</var>, <var>historyPolicyContainer</var>,
<var>initiatorPolicyContainer</var>, <var>allowedToDownload</var>,
<var>hasTransientActivation</var>, <var>incumbentNavigationOrigin</var>,
<var>historyHandling</var>, and <var>unsafeNavigationStartTime</var>.</p></dd>
<var>navigationType</var>, <var>sandboxFlags</var>, <var>anonymous</var>,
<var>historyPolicyContainer</var>, <var>initiatorPolicyContainer</var>,
<var>allowedToDownload</var>, <var>hasTransientActivation</var>,
<var>incumbentNavigationOrigin</var>, <var>historyHandling</var>, and
<var>unsafeNavigationStartTime</var>.</p></dd>

<dt>Otherwise, <var>resource</var> is a <span data-x="concept-request">request</span> whose
<span data-x="concept-request-url">URL</span>'s <span data-x="concept-url-scheme">scheme</span>
Expand All @@ -88006,12 +88098,12 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
data-x="navigation-id">navigation id</span> <var>navigationId</var>, <span
data-x="concept-request">request</span> <var>request</var>, two <span data-x="browsing
context">browsing contexts</span> <var>sourceBrowsingContext</var> and <var>browsingContext</var>,
a string <var>navigationType</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>,
two <span data-x="policy container">policy containers</span> <var>historyPolicyContainer</var> and
<var>initiatorPolicyContainer</var>, a boolean <var>allowedToDownload</var>, a boolean
<var>hasTransientActivation</var>, an <span>origin</span> <var>incumbentNavigationOrigin</var>,
a <span>history handling behavior</span> <var>historyHandling</var>, and a number
<var>unsafeNavigationStartTime</var>:</p>
a string <var>navigationType</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>, a
boolean <var>anonymous</var>, two <span data-x="policy container">policy containers</span>
<var>historyPolicyContainer</var> and <var>initiatorPolicyContainer</var>, a boolean
<var>allowedToDownload</var>, a boolean <var>hasTransientActivation</var>, an <span>origin</span>
<var>incumbentNavigationOrigin</var>, a <span>history handling behavior</span>
<var>historyHandling</var>, and a number <var>unsafeNavigationStartTime</var>:</p>

<ol>
<li><p>Let <var>response</var> be null.</p></li>
Expand Down Expand Up @@ -88290,6 +88382,7 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
data-x="navigation-params-policy-container">policy container</span> is
<var>resultPolicyContainer</var>, <span data-x="navigation-params-sandboxing">final sandboxing
flag set</span> is <var>finalSandboxFlags</var>, <span
data-x="navigation-params-anonymous">anonymous</span> is <var>anonymous</var>, <span
data-x="navigation-params-coop">cross-origin opener policy</span> is <var>responseCOOP</var>,
<span data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
<var>coopEnforcementResult</var>, <span data-x="navigation-params-reserved-environment">reserved
Expand Down Expand Up @@ -88339,8 +88432,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
embedder policy">checking a navigation response's adherence to its embedder policy</span> given
<var>response</var>, <var>browsingContext</var>, and <var>navigationParams</var>'s <span
data-x="navigation-params-policy-container">policy container</span>'s <span
data-x="policy-container-embedder-policy">embedder policy</span> is false, then set
<var>failure</var> to true.</p>
data-x="policy-container-embedder-policy">embedder policy</span> and
<var>navigationparams</var>'s <span data-x="navigation-params-anonymous">anonymous</span> flag
is false, then set <var>failure</var> to true.</p>

<p>Otherwise, if the result of <span data-x="check a navigation response's adherence to
`X-Frame-Options`">checking a navigation response's adherence to
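Review bot: `<var>navigationparams</var>` is lowercase here while the variable is `navigationParams` everywhere else in these steps, so the reference will not match. The added condition also duplicates the `anonymous` parameter that this same patch adds to "check a navigation response's adherence to its embedder policy"; pass `navigationParams's anonymous` as that algorithm's fourth argument and let it return true for anonymous frames, rather than calling it with three arguments and ignoring its result here.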
Expand Down Expand Up @@ -88705,7 +88799,10 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
data-x="hh-replace">replace</code>", and <var>browsingContext</var>'s <span>active
document</span>'s <span data-x="concept-document-origin">origin</span> is <span>same
origin-domain</span> with <var>navigationParams</var>'s <span
data-x="navigation-params-origin">origin</span>, then do nothing.</p>
data-x="navigation-params-origin">origin</span>, and <var>browsingContext</var>'s <span>active
window</span>'s <span data-x="dom-window-anonymous">anonymous</span> flag matches
<var>navigationParams</var>'s <span data-x="navigation-params-anonymous">anonymous</span> flag,
then do nothing.</p>

<p class="note">This means that both the <span data-x="is initial about:blank">initial
<code>about:blank</code></span> <code>Document</code>, and the new <code>Document</code> that is
Expand Down Expand Up @@ -88739,7 +88836,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
realm</span> given <var>agent</var> and the following customizations:</p>

<ul>
<li><p>For the global object, create a new <code>Window</code> object.</p></li>
<li><p>For the global object, create a new <code>Window</code> object, with <code
data-x="attr-iframe-anonymous">anonymous</code> to <var>navigationParams</var>'s <span
data-x="navigation-params-anonymous">anonymous</span>.</p></li>

<li><p>For the global <b>this</b> binding, use <var>browsingContext</var>'s
<code>WindowProxy</code> object.</p></li>
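Review bot: "with anonymous to navigationParams's anonymous" is missing "set" (the first copy of this customization earlier in the patch reads "with anonymous set to anonymous"), and as there `data-x="attr-iframe-anonymous"` points at the `iframe` content attribute rather than the `Window` flag (`dom-window-anonymous`). Since these two customizations are the only places a Window's anonymous flag is ever assigned, it would also help to state once, in the "Anonymous iframe" section, that the flag is set at Window creation and immutable afterwards, which is what "constant" there is trying to say.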
Expand Down Expand Up @@ -123826,6 +123925,12 @@ interface <dfn interface>External</dfn> {
<code data-x="attr-input-alt">input</code>
<td> Replacement text for use when images are not available
<td> <a href="#attribute-text">Text</a>*
<tr>
<th> <code data-x="">anonymous</code>
<td> <code data-x="attr-iframe-anonymous">iframe</code>
<td> Whether the <code>iframe</code>'s contents to be loaded using a new ephemeral storage
partition.
<td> <span>Boolean attribute</span>
<tr>
<th> <code data-x="">as</code>
<td> <code data-x="attr-link-as">link</code>
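Review bot: the description cell is ungrammatical: "Whether the iframe's contents to be loaded using a new ephemeral storage partition" should be "Whether the iframe's contents are to be loaded in a new, ephemeral storage partition". It also mentions only storage, whereas the commit message lists network, storage and cookie partition keys; "a new, ephemeral partition for network state, storage and cookies" would match the rest of the patch.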
