Use "navigation request's policy container's CSP list" instead of "navigation request's client's global object's CSP list"

[mbrodesser-Igalia]

Complements #494 in order to make the spec consistent.

Preparation for fixing whatwg/html#4651.

---

Preview | Diff

[antosart]

I think the problem with this is that navigation request's policy container is initially "client" and is only updated to the source document's policy container thing during fetch (https://fetch.spec.whatwg.org/#concept-request-policy-container), while javascript: url navigations do not go through fetch. I think if you want this to work you need to set navigation request's policy container before this check is called from html.

Or am I missing anything?

[mbrodesser-Igalia]

I think the problem with this is that navigation request's policy container is initially "client" and is only updated to the source document's policy container thing during fetch (https://fetch.spec.whatwg.org/#concept-request-policy-container), while javascript: url navigations do not go through fetch.

Correct.

There seems to be another issue, which should be addressed outside of this PR:

The request's policy container is set only in ¹, step 12. "should navigation request of type be blocked by Content Security Policy?" is called from ², step 19.3. ¹ is called from step 19.5 of ². So during the first iteration of the while-loop at step 19 of ², the request's policy container will be its default value, "client". ³ doesn't handle "client", though.

I think if you want this to work you need to set navigation request's policy container before this check is called from html.

Yes.

The call from html, ⁴, step 5 is already broken since the request's client isn't set.

A corrective way forward here would be to merge this PR only together with setting the navigation request's policy container in the HTML spec. WDYT?

Or am I missing anything?

Footnotes

1. https://fetch.spec.whatwg.org/#concept-fetch ↩ ↩²

2. https://html.spec.whatwg.org/multipage/browsing-the-web.html#create-navigation-params-by-fetching ↩ ↩² ↩³

3. https://www.w3.org/TR/CSP3/#should-block-navigation-request ↩

4. https://html.spec.whatwg.org/multipage/browsing-the-web.html#the-javascript:-url-special-case ↩

[antosart]

Right! Thanks for the deep investigation, this makes sense to me.

I agree the best thing is to set navigation request's policy container in html before calling the CSP check.

[ciaramcmullin]

Blocked on whatwg/html#10796

[domenic]

I have created an updated version of this at #705 which integrates with whatwg/html#10949. Review and merging would be lovely.

After some more discussion in whatwg/html#10949, it turns out this PR works well as-is, and we only needed to fix HTML. Please merge it.

[domenic]

I've merged the HTML PR, so please merge this whenever it is convenient!

[antosart]

Thanks @domenic!