Prevent navigations to non-HTTP(S) URLs

Closes #145. Closes #248. Part of #185.
WICG · Sep 21, 2020 · 703914f · 703914f
1 parent 777e565
commit 703914f
Showing 1 changed file with 67 additions and 12 deletions.
diff --git a/index.bs b/index.bs
@@ -28,6 +28,8 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
             text: create a new top-level browsing context; url: creating-a-new-top-level-browsing-context
         urlPrefix: browsing-the-web.html
             text: prompt to unload; url: prompt-to-unload-a-document
+            text: reserved environment; for: navigation params; url: navigation-params-reserved-environment
+            text: request; for: navigation params; url: navigation-params-request
         urlPrefix: common-dom-interfaces.html
             text: limited to only known values; url: limited-to-only-known-values
             text: reflect; url: reflect
@@ -518,9 +520,6 @@ spec: ecma-262; urlPrefix: http://tc39.github.io/ecma262/
 
         Otherwise, let |url| be the [=resulting URL record=].
 
-    1. If the [=url/scheme=] of |url| is not an [=HTTP(S) scheme=], then [=close a portal element|close=]
-        |element| and return.
-
     1. If |element|'s [=HTMLPortalElement/guest browsing context=] is null, then run the following steps:
 
         1. Let |newBrowsingContext| be the result of
@@ -540,19 +539,19 @@ spec: ecma-262; urlPrefix: http://tc39.github.io/ecma262/
     1. [=Navigate=] |guestBrowsingContext| to |resource|.
 
     <div class="note">
-      Unlike an <{iframe}> element, a <{portal}> element supports a state where
-      it has no associated browsing context. This is the initial state of a
-      <{portal}> element (i.e., it has no initial `about:blank` document;
-      instead it navigates directly to the first parsable URL assigned to it).
-
-      Similarly, a <{portal}> element responds to an unparsable <{portal/src}>
-      URL by [=close a browsing context|closing=] its browsing context, rather
-      than by navigating to `about:blank`.
+      Unlike an <{iframe}> element, a <{portal}> element supports a state where it has no associated
+      browsing context. This is the initial state of a <{portal}> element. That is, the [=portal
+      browsing context=] has no web-developer-visible initial `about:blank` {{Document}}; instead it
+      [=navigates=] directly to the first parsable URL assigned to it, and if the navigation cannot
+      finish successfully, it [=close a browsing context|closes=] the browsing context before the
+      navigation algorithm finishes.
+
+      Similarly, a <{portal}> element responds to an unparsable <{portal/src}> URL by [=close a
+      browsing context|closing=] its browsing context, rather than by navigating to `about:blank`.
     </div>
   </section>
 
   <wpt>
-    portal-non-http-navigation.html
     portals-cross-origin-load.sub.html
     portals-referrer.html
     portals-referrer-inherit-header.html
@@ -971,6 +970,62 @@ spec: ecma-262; urlPrefix: http://tc39.github.io/ecma262/
     portals-close-window.html
   </wpt>
 
+  Navigation {#patch-navigation}
+  ------------------------------
+
+  Patch the <a spec=HTML>navigate</a> algorithm to prevent certain navigations in a
+  portal as follows:
+
+  <div algorithm="process a navigate response patch">
+    In <a spec=HTML>process a navigate response</a>, append the following after the step which
+    establishes the value of |failure|, but before the step which uses it to display an error page:
+
+    1. If |browsingContext|'s [=portal state=] is not "`none`", and any of the following hold:
+
+          * |failure| is true;
+          * |navigationParams|'s [=navigation params/request=] is null;
+          * |navigationParams|'s [=navigation params/request=]'s [=request/current URL=]'s
+            [=url/scheme=] is not a [=HTTP(S) scheme=];
+          * |response| has a \``Content-Disposition`\` header specifying the `attachment`
+              disposition type; or
+          * |response|'s [=response/status=] is 204 or 205,
+
+        then:
+
+        1. If |browsingContext|'s only entry in its [=session history=] is the initial `about:blank`
+            {{Document}}, then:
+            1. [=Close a portal element|Close=] |browsingContext|'s [=host element=].
+            1. Run the [=environment discarding steps=] for <var ignore>navigationParam</var>'s
+                [=navigation params/reserved environment=].
+        1. Return.
+  </div>
+
+  <div algorithm="process a navigate URL scheme patch">
+    In <a spec=HTML>process a navigate URL scheme</a>, insert the following step before the step
+    which displays inline content:
+
+    1. Otherwise, if |browsingContext|'s [=portal state=] is not "`none`", then [=close a portal
+        element|close=] |browsingContext|'s [=host element=].
+  </div>
+
+  <wpt>
+    portal-non-http-navigation.html
+  </wpt>
+
+  Downloading resources {#patch-downloading}
+  ------------------------------------------
+
+  Modify the <a spec=HTML>allowed to download</a> algorithm to ensure that portaled content never
+  performs downloads, by prepending the following steps:
+
+  <div algorithm="allowed to download patch">
+    1. If <var ignore>initiator browsing context</var>'s [=portal state=] is not "`none`", then
+        return false.
+
+    1. If <var ignore>instantiator browsing context</var>'s [=portal state=] is not "`none`", then
+        return false.
+  </div>
+
 </section>
 
 <section>