
Add early return to JS dialogs triggered from different origin-domain iframes #6297

Merged (1 commit), Feb 8, 2021

Conversation

@carlosjoan91 (Contributor) commented Jan 16, 2021

This adds an early return for window.{alert,confirm,prompt} when triggered from a different origin-domain iframe. Implementation for this change is in progress both in Chrome and Firefox, and was supported by WebKit (see discussion on issue #5407).

Checklist:

/acknowledgements.html ( diff )
/timers-and-user-prompts.html ( diff )

@domenic (Member) commented Jan 19, 2021

Can you restore the PR template you deleted, so that we can properly check the boxes for implementer interest, web platform tests, and bugs filed?

@carlosjoan91 (Contributor, Author) replied, quoting domenic:

> Can you restore the PR template you deleted, so that we can properly check the boxes for implementer interest, web platform tests, and bugs filed?

Done

@annevk (Member) left a review comment:

At some point these three methods should probably be refactored to share a bunch of logic so that we don't end up repeating it three times over, but that's not needed for this. Looks good to me modulo nit.

@domenic (Member) commented Jan 20, 2021

Awesome! Please let us know when the WPTs are ready, then we can merge.

@annevk added the "needs tests" label (Moving the issue forward requires someone to write tests) Jan 21, 2021
domenic added a commit that referenced this pull request Jan 26, 2021
This contains a small bug fix, in that confirm() and prompt() said
"return" in some cases instead of "return false" or "return null" as
appropriate.

Other notable changes, all editorial, are:

* Factoring out repeated "cannot show modals" steps, which will likely
  expand over time (see e.g. #6297).
* Separating out and explaining the no-argument overload of alert().
* Passing the document through to the "printing steps", instead of just
  having them talk about "this Window object".
domenic added a commit that referenced this pull request Jan 27, 2021
This contains a small bug fix, in that confirm() and prompt() said
"return" in some cases instead of "return false" or "return null" as
appropriate.

Other notable changes, all editorial, are:

* Factoring out repeated "cannot show simple dialogs" steps, which will
  likely expand over time (see e.g. #6297).
* Separating out and explaining the no-argument overload of alert().
* Passing the document through to the "printing steps", instead of just
  having them talk about "this Window object".
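The behaviour the PR description specifies, together with the "return false" / "return null" early returns and the factored-out "cannot show simple dialogs" steps that the two refactoring commits above describe, modelled as an added example. This is not the spec's algorithm text and not code from any browser; makeOrigin, the toy Window produced by makeWindow, the `ui` callback standing in for the user, and the constructed frames are all assumptions made for the model. The origin-domain comparison follows the HTML spec's definition (identical non-null domains with the same scheme, or same origin with both domains unset); the sandboxed-modals condition is the spec's pre-existing check, included so the refactored steps read as one unit.

```javascript
// Added example: a model of the HTML "cannot show simple dialogs" check with
// the different-origin-domain early return. Not spec text or browser code;
// makeOrigin, makeWindow and the `ui` callback are assumptions of this model.

// Origin tuple as in the HTML spec: scheme, host, port and the "domain"
// component that document.domain sets (null until a page sets it).
function makeOrigin(scheme, host, port, domain = null) {
  return { scheme, host, port, domain };
}

// "Same origin": scheme, host and port all identical.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "Same origin-domain": same scheme and identical non-null domains, or same
// origin with both domains still null. Setting document.domain on only one
// side therefore breaks origin-domain sameness even between same-origin pages.
function sameOriginDomain(a, b) {
  if (a.scheme === b.scheme && a.domain !== null && a.domain === b.domain) return true;
  return sameOrigin(a, b) && a.domain === null && b.domain === null;
}

// Toy Window: its document's origin, the top-level window it lives under, and
// whether its document carries the sandboxed modals flag.
function makeWindow(origin, { top = null, sandboxedModals = false } = {}) {
  const win = { origin, sandboxedModals, top: null };
  win.top = top || win;
  return win;
}

// The factored-out "cannot show simple dialogs" steps. The origin-domain
// comparison against the top-level document is what this PR adds; the
// sandboxed-modals check is the pre-existing condition.
function cannotShowSimpleDialogs(win) {
  if (win.sandboxedModals) return true;
  return !sameOriginDomain(win.origin, win.top.origin);
}

// The three dialog methods with their early returns: alert() returns
// undefined, confirm() false and prompt() null, without consulting the user.
function windowAlert(win, message, ui) {
  if (cannotShowSimpleDialogs(win)) return undefined;
  ui.alert(message);
  return undefined;
}
function windowConfirm(win, message, ui) {
  if (cannotShowSimpleDialogs(win)) return false;
  return ui.confirm(message);
}
function windowPrompt(win, message, defaultValue, ui) {
  if (cannotShowSimpleDialogs(win)) return null;
  return ui.prompt(message, defaultValue);
}

// Stand-in for the user: records every dialog actually shown, accepts every
// confirm() and returns the default value for every prompt().
function makeUi() {
  return {
    shown: [],
    alert(m) { this.shown.push(m); },
    confirm(m) { this.shown.push(m); return true; },
    prompt(m, d) { this.shown.push(m); return d; },
  };
}

// Constructed scenario covering the cases the PR and the WebKit tests name.
function runScenario() {
  const https = (host, domain) => makeOrigin("https", host, 443, domain);
  const top = makeWindow(https("example.test"));
  const frames = {
    // same origin as top, document.domain untouched on both sides: allowed
    sameOrigin: makeWindow(https("example.test"), { top }),
    // different host: blocked
    crossOrigin: makeWindow(https("ads.example.test"), { top }),
    // same origin, but only the frame set document.domain: blocked
    domainSetInFrameOnly: makeWindow(https("example.test", "example.test"), { top }),
    // same origin, sandboxed with the modals flag: blocked (pre-existing rule)
    sandboxed: makeWindow(https("example.test"), { top, sandboxedModals: true }),
  };
  // Both sides set document.domain to the same value: allowed again.
  const relaxedTop = makeWindow(https("example.test", "example.test"));
  frames.relaxed = makeWindow(https("sub.example.test", "example.test"), { top: relaxedTop });

  const ui = makeUi();
  const results = {};
  for (const [name, win] of Object.entries(frames)) {
    results[name] = {
      alert: windowAlert(win, "hello", ui),
      confirm: windowConfirm(win, "continue?", ui),
      prompt: windowPrompt(win, "name?", "anon", ui),
    };
  }
  results.dialogsShown = ui.shown.length;
  return results;
}
```

The domainSetInFrameOnly case is the one the WebKit test name "same-origin-different-domain-js-prompt-forbidden" refers to: the frame is same origin with the top-level page, yet because it alone set document.domain the two are no longer same origin-domain and its dialogs are suppressed. Note that a caller cannot tell a suppressed confirm() from the user pressing Cancel, nor a suppressed prompt() from the user dismissing it, which is why compatibility breakage of the kind reported later in this thread surfaces as silently changed control flow rather than as an error.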
@domenic (Member) commented Jan 27, 2021

I rebased this on #6330. Ping on any web platform tests progress?

@carlosjoan91 (Contributor, Author):

Hey domenic, I'm planning to add the WPT together with the Chromium side implementation, and I have an almost ready Chromium CL. Between code review and the upstream process to the WPT repo, my guess is tests will be merged by Friday or over the weekend.

@carlosjoan91 (Contributor, Author):

Quick update: The Chromium implementation and WPT tests are now done, but I'm debugging a flake in the test, so the PR hasn't been merged yet (web-platform-tests/wpt#27435).

@domenic (Member) left a review comment:

Merging! Thanks so much for working on this!

@domenic domenic merged commit 7c8fb86 into whatwg:main Feb 8, 2021
webkit-commit-queue pushed a commit to WebKit/WebKit that referenced this pull request Feb 9, 2021
https://bugs.webkit.org/show_bug.cgi?id=221568

Reviewed by Geoff Garen.

Source/WebCore:

Disallow alert/confirm/prompt in cross-origin-domain subframes as per the latest HTML specification:
- whatwg/html#6297

Tests: http/tests/security/cross-origin-js-prompt-forbidden.html
       http/tests/security/same-origin-different-domain-js-prompt-forbidden.html

* page/DOMWindow.cpp:
(WebCore::DOMWindow::alert):
(WebCore::DOMWindow::confirmForBindings):
(WebCore::DOMWindow::prompt):
* page/SecurityOrigin.cpp:
* page/SecurityOrigin.h:

LayoutTests:

Add layout test coverage and update existing tests to stop using alert() in cross-origin iframes.

* fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame-expected.txt:
* fast/events/popup-blocked-from-unique-frame-via-window-open-named-sibling-frame.html:
* fast/events/popup-when-select-change-expected.txt:
* fast/events/popup-when-select-change.html:
* fast/events/resize-subframe-expected.txt:
* fast/events/resize-subframe.html:
* fast/forms/autofocus-in-sandbox-with-allow-scripts-expected.txt:
* fast/forms/autofocus-in-sandbox-with-allow-scripts.html:
* fast/frames/resources/navigate-top-by-name-to-fail.html:
* fast/frames/sandboxed-iframe-navigation-top-by-name-denied-expected.txt:
* http/tests/cookies/resources/third-party-cookie-relaxing-iframe.html:
* http/tests/cookies/third-party-cookie-relaxing-expected.txt:
* http/tests/history/cross-origin-replace-history-object-child-expected.txt:
* http/tests/history/cross-origin-replace-history-object-expected.txt:
* http/tests/history/resources/cross-origin-replaces-history-object-child-iframe.html:
* http/tests/history/resources/cross-origin-replaces-history-object-iframe.html:
* http/tests/plugins/resources/third-party-cookie-accept-policy-iframe.html:
* http/tests/plugins/third-party-cookie-accept-policy-expected.txt:
* http/tests/security/contentSecurityPolicy/embed-redirect-allowed-expected.txt:
* http/tests/security/contentSecurityPolicy/embed-redirect-allowed2-expected.txt:
* http/tests/security/contentSecurityPolicy/frame-src-cross-origin-load-expected.txt:
* http/tests/security/contentSecurityPolicy/iframe-allowed-when-loaded-via-javascript-url-expected.txt:
* http/tests/security/contentSecurityPolicy/iframe-inside-csp-expected.txt:
* http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src-expected.txt:
* http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-child-src2-expected.txt:
* http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src-expected.txt:
* http/tests/security/contentSecurityPolicy/iframe-redirect-allowed-by-frame-src2-expected.txt:
* http/tests/security/contentSecurityPolicy/object-redirect-allowed-expected.txt:
* http/tests/security/contentSecurityPolicy/object-redirect-allowed2-expected.txt:
* http/tests/security/contentSecurityPolicy/resources/alert-fail.html:
* http/tests/security/contentSecurityPolicy/resources/alert-fail.js:
(catch):
* http/tests/security/contentSecurityPolicy/resources/alert-pass.html:
* http/tests/security/contentSecurityPolicy/resources/alert-pass.js:
(catch):
* http/tests/security/contentSecurityPolicy/resources/sandbox.php:
* http/tests/security/contentSecurityPolicy/resources/sandboxed-eval.php:
* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-control-expected.txt:
* http/tests/security/contentSecurityPolicy/sandbox-allow-scripts-in-http-header-expected.txt:
* http/tests/security/contentSecurityPolicy/sandbox-report-only-expected.txt:
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt:
* http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/upgrades-mixed-content-expected.txt:
* http/tests/security/cross-origin-js-prompt-forbidden-expected.txt: Added.
* http/tests/security/cross-origin-js-prompt-forbidden.html: Added.
* http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-iframe.html:
* http/tests/security/dataURL/resources/foreign-domain-data-url-accessor-opened-frame.html:
* http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-subframe-expected.txt:
* http/tests/security/dataURL/xss-DENIED-from-data-url-in-foreign-domain-window-open-expected.txt:
* http/tests/security/mixedContent/resources/frame-with-insecure-websocket.html:
* http/tests/security/mixedContent/websocket/insecure-websocket-in-iframe-expected.txt:
* http/tests/security/resources/cross-origin-js-prompt-forbidden.html: Added.
* http/tests/security/same-origin-different-domain-js-prompt-forbidden-expected.txt: Added.
* http/tests/security/same-origin-different-domain-js-prompt-forbidden.html: Added.
* http/tests/security/xssAuditor/base-href-control-char-expected.txt:
* http/tests/security/xssAuditor/base-href-direct-expected.txt:
* http/tests/security/xssAuditor/base-href-expected.txt:
* http/tests/security/xssAuditor/base-href-null-char-expected.txt:
* http/tests/security/xssAuditor/base-href-safe-expected.txt:
* http/tests/security/xssAuditor/base-href-safe2-expected.txt:
* http/tests/security/xssAuditor/base-href-safe3-expected.txt:
* http/tests/security/xssAuditor/base-href-scheme-relative-expected.txt:
* http/tests/security/xssAuditor/cached-frame-expected.txt:
* http/tests/security/xssAuditor/cached-frame.html:
* http/tests/security/xssAuditor/cookie-injection-expected.txt:
* http/tests/security/xssAuditor/data-urls-work-expected.txt:
* http/tests/security/xssAuditor/data-urls-work.html:
* http/tests/security/xssAuditor/dom-write-innerHTML-expected.txt:
* http/tests/security/xssAuditor/dom-write-innerHTML.html:
* http/tests/security/xssAuditor/form-action-expected.txt:
* http/tests/security/xssAuditor/formaction-on-button-expected.txt:
* http/tests/security/xssAuditor/formaction-on-input-expected.txt:
* http/tests/security/xssAuditor/javascript-link-safe-expected.txt:
* http/tests/security/xssAuditor/javascript-link-safe.html:
* http/tests/security/xssAuditor/property-escape-noquotes-expected.txt:
* http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt:
* http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html:
* http/tests/security/xssAuditor/property-escape-noquotes.html:
* http/tests/security/xssAuditor/property-inject-expected.txt:
* http/tests/security/xssAuditor/property-inject.html:
* http/tests/security/xssAuditor/resources/base-href/really-safe-script.js:
* http/tests/security/xssAuditor/resources/base-href/safe-script.js:
* http/tests/security/xssAuditor/resources/echo-intertag.pl:
* http/tests/security/xssAuditor/resources/javascript-link-safe.html:
* http/tests/security/xssAuditor/resources/nph-cached.pl:
* http/tests/security/xssAuditor/resources/safe-script-noquotes.js:
* http/tests/security/xssAuditor/resources/safe-script.js:
* http/tests/security/xssAuditor/resources/script-tag-safe2.html:
* http/tests/security/xssAuditor/script-tag-near-start-expected.txt:
* http/tests/security/xssAuditor/script-tag-near-start.html:
* http/tests/security/xssAuditor/script-tag-safe2-expected.txt:
* http/tests/security/xssAuditor/script-tag-safe2.html:
* http/tests/security/xssAuditor/script-tag-safe3-expected.txt:
* http/tests/security/xssAuditor/script-tag-safe3.html:
* http/tests/security/xssAuditor/script-tag-src-redirect-safe-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-injected-comment-expected.txt:
* http/tests/security/xssAuditor/script-tag-with-injected-comment.html:
* http/tests/security/xssAuditor/script-tag-with-source-same-host-expected.txt:
* platform/wk2/http/tests/security/contentSecurityPolicy/upgrade-insecure-requests/proper-nested-upgrades-expected.txt:


Canonical link: https://commits.webkit.org/233870@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@272607 268f45cc-cd09-0410-ab3c-d52691b4dbfc
bertogg pushed a commit to Igalia/webkit that referenced this pull request Feb 11, 2021
imhele added a commit to imhele/html that referenced this pull request Feb 18, 2021
* Editorial: remove redundant "the"

* Meta: default branch rename

Also correct a broken link. Not even w3.org URLs are that cool.

Helps with whatwg/meta#174.

* Editorial: clean up calls to "parse a URL"

It actually takes a string, so calls should be clear about that.

* Review Draft Publication: January 2021

* Simplify <link>s

In particular, remove their activation behavior, stop them from matching
:link and :visited, and stop suggesting that they be focusable areas.

This also includes a slight expansion and rearrangement of the link
element's section to make it clearer what hyperlinks created by <link>
are meant for, contrasting them to <a> and <area> hyperlinks.

Closes whatwg#4831. Closes whatwg#2617. Helps with whatwg#5490.

* Meta: remove demos/offline/* (whatwg#6307)

These are no longer needed as of e4330d5.

* Meta: minor references cleanup

Use more HTTPS and drop obsolete HTML Differences reference.

* Editorial: anticlockwise → counterclockwise

We use en-US these days. Spotted in https://twitter.com/iso2022jp/status/1352601086519955456.

* Use :focus-visible in the UA stylesheet

See w3c/csswg-drafts#4278.

* Editorial: align with WebIDL and Infra

* Fix "update a style block" early return

The new version matches implementation reality and CSSWG resolution.

The algorithm was also inconsistent, as it looked at whether
the element was in a shadow tree or in the document tree, but it was
only specified to be re-run if the element becomes connected or
disconnected.

The CSSWG discussed this in
w3c/csswg-drafts#3096 (comment)
and http://wpt.live/shadow-dom/ShadowRoot-interface.html tests this.

This also more closely matches the definition of <link rel="stylesheet">,
which does use connectedness (though it uses "browsing-context
connected", which is a bit different):
https://html.spec.whatwg.org/#link-type-stylesheet

* Modernize and refactor simple dialogs

This contains a small bug fix, in that confirm() and prompt() said
"return" in some cases instead of "return false" or "return null" as
appropriate.

Other notable changes, all editorial, are:

* Factoring out repeated "cannot show simple dialogs" steps, which will
  likely expand over time (see e.g. whatwg#6297).
* Separating out and explaining the no-argument overload of alert().
* Passing the document through to the "printing steps", instead of just
  having them talk about "this Window object".

* Meta: add definition markup for MessageEvent

* Remove <marquee> events

They are only supported by one engine (Gecko).

Closes whatwg#2957.

* Clarify when microtasks happen

* Ignore COEP on non-secure contexts

Fixes whatwg#6328.

* Editorial: update URL Standard integration

* Editorial: only invoke response's location URL once

Complements whatwg/fetch#1149.

* Track the incumbent settings and active script in Promise callbacks

Closes whatwg#5213.

* createImageBitmap(): stop clipping sourceRect to source's dimensions

It has been found in whatwg#6306 that this was an oversight at the time of its introduction. Current behavior goes against author expectations and no implementer has opposed the change to "no-clip".

Tests: web-platform-tests/wpt#27040.

Closes whatwg#6306.

* Remove CSP plugin-types blocking

With Flash not being supported anymore, the CSP directive plugin-types has lost its main reason for being and is being removed from the Content Security Policy specification: w3c/webappsec-csp#456.

This change removes references to the relevant algorithm from the Content Security Policy spec.

* Meta: set more dfn types

A follow-up to:

* whatwg#5694
* whatwg#5916

* Editorial: occuring → occurring

* Make all plugin-related APIs no-ops

Part of whatwg#6003.

* Disallow simple dialogs from different-origin domain iframes

Closes whatwg#5407.

* Revive @@iterator for PluginArray/MimeTypeArray/Plugin

@@iterator is implicitly installed by defining an indexed property getter. Since there is no other way to define it exclusively, this restores some methods back to being indexed getters.

This fixes an inadvertent observable behavior change in d4f07b8.

* Adjust web+ scheme security considerations to account for FTP removal

Also, network scheme is now reduced to HTTP(S) scheme.

Helps with whatwg#5375, but form submission issue remains.

See whatwg/fetch#1166 for context.

* Meta: export pause

Nobody but XMLHttpRequest take a dependency on this please. You have been warned.

Context: whatwg/xhr#311.

* Fix typo: ancestor → accessor

Fixes whatwg#6374.

Co-authored-by: Dominic Farolino <domfarolino@gmail.com>
Co-authored-by: Anne van Kesteren <annevk@annevk.nl>
Co-authored-by: Domenic Denicola <d@domenic.me>
Co-authored-by: Emilio Cobos Álvarez <emilio@crisal.io>
Co-authored-by: Momdo Nakamura <xmomdo@gmail.com>
Co-authored-by: Jake Archibald <jaffathecake@gmail.com>
Co-authored-by: Yutaka Hirano <yhirano@chromium.org>
Co-authored-by: Shu-yu Guo <syg@chromium.org>
Co-authored-by: Kaiido <tristan.fraipont@gmail.com>
Co-authored-by: Antonio Sartori <anton.sartori@gmail.com>
Co-authored-by: Michael[tm] Smith <mike@w3.org>
Co-authored-by: Ikko Ashimine <eltociear@gmail.com>
Co-authored-by: Carlos IL <carlosjoan91@gmail.com>
Co-authored-by: Kagami Sascha Rosylight <saschanaz@outlook.com>
Co-authored-by: Simon Pieters <zcorpan@gmail.com>
@cdumez commented Sep 1, 2021

FYI, we are reverting this behavior change from WebKit because it broke Salesforce.
I think Blink had to revert this too but I am not 100% sure, can someone confirm?

If so, we may want to revert the specification change too.

@domenic (Member) commented Sep 1, 2021

Yes, we had to revert in Blink temporarily, but are planning to roll it back out in January.
