From cd1da219bda47d8ecaaa66035c24e8f7660dd7ae Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Fri, 9 May 2025 15:12:18 +0900 Subject: [PATCH 1/4] Replace request's "window" with "traversable for user prompts" After much discussion in #1820 and #1821, this seems to be more correct. Closes #1820. Closes #1821. Helps https://github.com/whatwg/html/pull/11250 specify browser-initiated navigations better. --- fetch.bs | 131 +++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 88 insertions(+), 43 deletions(-) diff --git a/fetch.bs b/fetch.bs index adee889ba..a997ada7b 100644 --- a/fetch.bs +++ b/fetch.bs @@ -1666,17 +1666,38 @@ of the target browsing context's active document environment settings object.

A request has an associated -window -("no-window", "client", or an -environment settings object whose -global object is a -{{Window}} object). Unless stated otherwise it is -"client". +traversable for user prompts, that is +"no-traversable", "client", or a traversable navigable. +Unless stated otherwise it is "client". + +

+

This is used to determine whether and where to show necessary UI for the request, such as + authentication prompts or client certificate dialogs. + +

+
"no-traversable" +
No UI is shown; usually the request fails with a network error. + +
"client" +
This value will automatically be changed to either "no-traversable" or to a + traversable navigable derived from the request's client during + fetching. This provides a convenient way for standards to not have to + explicitly set a request's traversable for user prompts. + +
a traversable navigable +
The UI shown will be associated with the browser interface elements that are displaying that + traversable navigable. +
+
-

The "client" value is changed to "no-window" or -request's client during fetching. It provides -a convenient way for standards to not have to explicitly set request's -window. +

When displaying a user interface associated with a request in that request's +traversable for user prompts, the user agent should update the address bar to +display something derived from the request's current URL (and not, e.g., leave +it at its previous value, derived from the URL of the request's initiator). Additionally, the user +agent should avoid displaying content from the request's initiator in the +traversable for user prompts, especially in the case of cross-origin requests. +Displaying a blank page behind such prompts is a good way to fulfill these requirements. Failing to +follow these guidelines can confuse users as to which origin is responsible for the prompt.

A request has an associated boolean keepalive. Unless stated otherwise it is @@ -4334,7 +4355,8 @@ the response. [[!HTTP-CACHING]]

  • request's mode is "same-origin", "cors", or "no-cors" -

  • request's window is an environment settings object +

  • request's client's + global object is a {{Window}} object

  • request's method is `GET` @@ -4354,7 +4376,7 @@ the response. [[!HTTP-CACHING]] preloaded response candidate to response.

  • Let foundPreloadedResource be the result of invoking - consume a preloaded resource for request's window, given + consume a preloaded resource for request's client, given request's URL, request's destination, request's mode, request's credentials mode, request's integrity metadata, @@ -4439,15 +4461,36 @@ the response. [[!HTTP-CACHING]]

    To populate request from client given a request request:

      -
    1. If request's window is "client", then: set - request's window to request's client - if request's client's - global object is a {{Window}} object; otherwise - "no-window". - -

    2. If request's origin is "client", then set - request's origin to request's client's - origin. +

    3. +

      If request's traversable for user prompts is "client": + +

        +
      1. Set request's traversable for user prompts to + "no-traversable". + +

      2. +

        If request's client is non-null, then: + +

          +
        1. Let global be request's client's + global object. + +

        2. If global is a {{Window}} object, and global's + navigable is not null, then set request's + traversable for user prompts to global's navigable's + traversable navigable. +

        +
      + +
    4. +

      If request's origin is "client": + +

        +
      1. Assert: request's client is non-null. + +

      2. Set request's origin to request's + client's origin. +

    5. If request's policy container is "client": @@ -5517,10 +5560,13 @@ run these steps: canceled:

        -
      1. If request's window is "no-window" and - request's redirect mode is "error", then set - httpFetchParams to fetchParams and httpRequest to - request. +

      2. +

        If request's traversable for user prompts is "no-traversable" and + request's redirect mode is "error", then set + httpFetchParams to fetchParams and httpRequest to + request. + +

        If user prompts are possible, then we need to clone request because ???

      3. Otherwise: @@ -5919,8 +5965,8 @@ run these steps:

      4. If response's status is 401, httpRequest's response tainting is not "cors", includeCredentials is - true, and request's window is an environment settings object, - then: + true, and request's traversable for user prompts is a + traversable navigable:

        1. Needs testing: multiple `WWW-Authenticate` headers, missing, @@ -5948,7 +5994,7 @@ run these steps:

        2. Let username and password be the result of prompting the end user for a username and password, respectively, in request's - window. + traversable for user prompts.

        3. Set the username given request's current URL and username. @@ -5965,8 +6011,8 @@ run these steps:

          If response's status is 407, then:

            -
          1. If request's window is - "no-window", then return a network error. +

          2. If request's traversable for user prompts is + "no-traversable", then return a network error.

          3. Needs testing: multiple `Proxy-Authenticate` headers, missing, parsing issues. @@ -5976,7 +6022,7 @@ run these steps:

          4. Prompt the end user as appropriate in request's - window and store the result as a + traversable for user prompts and store the result as a proxy-authentication entry. [[!HTTP]]

            Remaining details surrounding proxy authentication are defined by HTTP. @@ -6156,10 +6202,9 @@ optional boolean forceNewConnection (default false), run these steps:

            If the HTTP request results in a TLS client certificate dialog, then:

              -
            1. If request's window - is an environment settings object, make the dialog - available in request's - window. +

            2. If request's traversable for user prompts is a + traversable navigable, then make the dialog available in request's + traversable for user prompts.

            3. Otherwise, return a network error.

            @@ -7741,19 +7786,19 @@ constructor steps are:
          5. Let origin be this's relevant settings object's origin. -

          6. Let window be "client". +

          7. Let traversableForUserPrompts be "client". -

          8. If request's window is - an environment settings object and its +

          9. If request's traversable for user prompts + is an environment settings object and its origin is same origin with - origin, then set window to request's - window. + origin, then set traversableForUserPrompts to + request's traversable for user prompts.

          10. If init["{{RequestInit/window}}"] exists and is non-null, then throw a {{TypeError}}.

          11. If init["{{RequestInit/window}}"] exists, then set - window to "no-window". + traversableForUserPrompts to "no-traversable".

          12. Set request to a new request with the following properties: @@ -7774,8 +7819,8 @@ constructor steps are:

            client
            This's relevant settings object. -
            window -
            window. +
            traversable for user prompts +
            traversableForUserPrompts.
            internal priority
            request's internal priority. From 25bf260a0def628cd9b7ce1207e286a88933971a Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Tue, 13 May 2025 13:59:17 +0900 Subject: [PATCH 2/4] Respond to most review comments --- fetch.bs | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/fetch.bs b/fetch.bs index a997ada7b..717c9e8e4 100644 --- a/fetch.bs +++ b/fetch.bs @@ -4469,16 +4469,16 @@ the response. [[!HTTP-CACHING]] "no-traversable".
          13. -

            If request's client is non-null, then: +

            If request's client is non-null:

            1. Let global be request's client's global object. -

            2. If global is a {{Window}} object, and global's +

            3. If global is a {{Window}} object and global's navigable is not null, then set request's - traversable for user prompts to global's navigable's - traversable navigable. + traversable for user prompts to global's + navigable's traversable navigable.

          @@ -5561,12 +5561,13 @@ run these steps:
          1. -

            If request's traversable for user prompts is "no-traversable" and - request's redirect mode is "error", then set - httpFetchParams to fetchParams and httpRequest to - request. +

            If request's traversable for user prompts is + "no-traversable" and request's redirect mode is + "error", then set httpFetchParams to fetchParams and + httpRequest to request. -

            If user prompts are possible, then we need to clone request because ??? +

            If user prompts are possible, then we need to clone request because + the user agent might need to re-send request.

          2. Otherwise: From 39c201204caa57741cd60cae710720266bae5dc5 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Tue, 13 May 2025 17:38:00 +0900 Subject: [PATCH 3/4] Expand the clone note --- fetch.bs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/fetch.bs b/fetch.bs index 717c9e8e4..d157680bd 100644 --- a/fetch.bs +++ b/fetch.bs @@ -5566,9 +5566,6 @@ run these steps: "error", then set httpFetchParams to fetchParams and httpRequest to request. -

            If user prompts are possible, then we need to clone request because - the user agent might need to re-send request. -

          3. Otherwise: @@ -5588,6 +5585,12 @@ run these steps: httpRequest.

          +

          If user prompts or redirects are possible, then the user agent might need to + re-send the request with a new set of headers after the user answers the prompt or the redirect + location is determined. At that time, the original request body might have been partially sent + already, so we need to clone the request (including the body) beforehand so that we have a + spare copy available. +

        4. Let includeCredentials be true if one of From e485e3e842a5aca8d07f407c26aa48f9d1ca9a5a Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Tue, 13 May 2025 18:25:08 +0900 Subject: [PATCH 4/4] Add null check --- fetch.bs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/fetch.bs b/fetch.bs index d157680bd..365ab9910 100644 --- a/fetch.bs +++ b/fetch.bs @@ -4355,8 +4355,9 @@ the response. [[!HTTP-CACHING]]

        5. request's mode is "same-origin", "cors", or "no-cors" -

        6. request's client's - global object is a {{Window}} object +

        7. request's client is not null, and request's + client's global object is a + {{Window}} object

        8. request's method is `GET`
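
Review bot: In PATCH 1/4, Request constructor hunk (@@ -7741,19 +7786,19 @@), the added step still tests whether request's traversable for user prompts "is an environment settings object" and compares "its origin", but the first hunk of the same patch redefines the value as "no-traversable", "client", or a traversable navigable. With that definition the condition can never hold, so traversableForUserPrompts is never copied from the input request, and a traversable navigable has no single origin to compare against. Rewrite the test in terms of a traversable navigable and state which origin is compared, or drop the step; patches 2/4 to 4/4 do not touch it. The unchanged steps just below still read init["{{RequestInit/window}}"], so a short note that the API member keeps its old name would help readers map it to the renamed concept.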
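
Review bot: In PATCH 1/4, first hunk (@@ -1666,17 +1666,38 @@), the "no-traversable" entry says "usually the request fails with a network error", which is vaguer than the algorithm hunks later in this patch. Those return a network error for a 407 response and for a TLS client certificate dialog, while the 401 hunk only makes the prompt step conditional on the value being a traversable navigable. Since this decides whether a credential prompt can appear at all, name the cases in the definition list or link to the steps instead of "usually".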
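
Review bot: In PATCH 1/4, hunk @@ -4334,7 +4355,8 @@, the new condition reads request's client's global object without first checking that request's client is non-null, although the "populate request from client" hunk in the same patch guards the same access with "If request's client is non-null". PATCH 4/4 adds the missing check ("request's client is not null, and ..."); fold that fix into this commit so no revision in the series has the unguarded access, and check that the following "consume a preloaded resource for request's client" step is only reachable when that condition held.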
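
Review bot: In PATCH 1/4, hunk @@ -5517,10 +5560,13 @@, the added note ends in a literal placeholder: "we need to clone request because ???". PATCH 2/4 fills in a reason and PATCH 3/4 moves and expands it, so squash those into this commit before landing so that no revision carries the placeholder. In the final wording from PATCH 3/4, say explicitly that the note explains the "Otherwise" branch, since it now sits after both branches, including the one that does not clone.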