-
Notifications
You must be signed in to change notification settings - Fork 133
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Integrate feature policy #177
Conversation
This adds a policy-controlled feature, named 'sync-xhr', which can be disabled in a document to turn off synchronous requests for that document (and documents in all descendant frames). Calling send() on a synchronous request in a document where sync-xhr is disabled will result in a NetworkError being thrown.
As written, this depends on whatwg/html#3287 so that 'allowed to use' can reference a policy-controlled feature, and not just an attribute name. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good
xhr.bs
Outdated
|
||
<p>The feature name for <a>Synchronous XMLHttpRequest</a> is "sync-xhr". | ||
|
||
<p>The default allowlist for Synchronous XMLHttpRequest is <code>*</code>. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
<a>
is omitted for "Synchronous XMLHttpRequest" intentionally? just checking.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nope, missed the markup there. Thanks.
xhr.bs
Outdated
<a>responsible document</a> and it is <em>not</em> | ||
<a>allowed to use</a> the <a>Synchronous XMLHttpRequest</a> | ||
feature, then run <a>handle response end-of-body</a> for a <a>network | ||
error</a> and return. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems nicer to throw during open()
, no?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would be surprising to developers, I think -- there aren't currently any cases of a NetworkError being thrown during open()
, since the fetch algorithm isn't called until send(). Since this policy can be imposed on pages which were written before this proposal, it seems that using an existing failure pattern is less likely to result in unforseen behaviour on the page.
I had originally proposed throwing an InvalidAccessError
during open()
, to align with the note at https://xhr.spec.whatwg.org/#sync-warning, but the rough consensus at TPAC (I wasn't actually present, this is second-hand) was around emulating a network-layer-error instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Well yeah, I wouldn't want to throw a NetworkError
there. I wonder what rationale was given in that discussion. Who would we ask?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Note that InvalidAccessError
would also be consistent with step 10 of open()
today.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll ask on #178, and see if we can find out who was there, and if this accurately reflects the consensus.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://chromium.googlesource.com/chromium/src/+/40126a62123c1e8704b2f92a6ef54eb3e6ce52db/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp#695 now throws InvalidAccessError in open()
, which I think makes sense, has this been resolved but the comment thread just left open?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
https://chromium-review.googlesource.com/c/chromium/src/+/804057 changes it from InvalidAccessError
to NetworkError
, and causes it to occur on send(), like other network conditions would.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, thanks!
xhr.bs
Outdated
<h3 id=feature-policy>Feature Policy Integration</h3> | ||
|
||
<p>This specification defines a policy-controlled feature named <dfn>Synchronous | ||
XMLHttpRequest</dfn>. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are all features supposed to follow this naming convention?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wanted to decouple the name of the feature from the character string used to denote it in policies
The spec just says that there are policy-controlled features, and they have a feature name, which is defined in the ABNF as 1*( ALPHA / DIGIT / "-")
xhr.bs
Outdated
<p>This specification defines a policy-controlled feature named <dfn>Synchronous | ||
XMLHttpRequest</dfn>. | ||
|
||
<p>The feature name for <a>Synchronous XMLHttpRequest</a> is "sync-xhr". |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
xref "feature name"
And make it "<code>sync-xhr</code>"
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done. (I've added explicit anchors for the unexported dfns until I fix up the FP spec to export those terms properly)
xhr.bs
Outdated
|
||
<p>The feature name for <a>Synchronous XMLHttpRequest</a> is "sync-xhr". | ||
|
||
<p>The default allowlist for Synchronous XMLHttpRequest is <code>*</code>. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
xref "default allowlist" (elsewhere we use safelist for things like this, is this different enough to use a new name?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I hadn't noticed 'safelist' being used in this context, and I'm not sure if 'safety' is the concept we're trying to convey in any case.
Originally the feature policy spec used 'whitelist', and early reviews suggested we switch to 'allowlist' to match some other specs (I don't recall which; perhaps Web Authentication?)
I'm sure this is open to change, but that should probably happen on the FP issues list :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
WebAuthn doesn't seem to use it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
w3c/webauthn#327 -- apparently not anymore (I still don't remember if this was the spec that was brought up, could be a complete coincidence)
xhr.bs
Outdated
|
||
<p>When disabled in a document, calling send() on an XMLHttpRequest object with | ||
the synchronous flag set MUST cause a DOMException named | ||
<code>NetworkError</code> to be thrown. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please remove this. We don't want duplicate requirements.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
* Fix references and markup * Remove duplicated requirement text
In particular I was wondering if a feature is always named "Uppercase Feature" or "Uppercase feature" rather than just "uppercase feature" which would be "synchronous XMLHttpRequest" here. Introducing that as a "feature named X" and then saying X has a feature name is somewhat confusing by the way. Maybe it makes more sense to call one the feature name and the other the identifier. |
There isn't a standard for naming features -- I've generally used whatever seems to sound right in prose -- and this is really the first time that the name of a feature and it's "feature name" string have diverged, since neither seems appropriate in the other's place. (And I agree that it is confusing to call the character string that goes into policies the "feature name". I've opened w3c/webappsec-permissions-policy#125 to address that. I'll submit PRs to all of the specs that have included that text once we have settled on a better term to use) |
FWIW I would probably just remove the feature name concept entirely and only use the web-developer-facing string ("feature identifier") throughout all specs. Having two 1:1 things, one of which is never exposed to either browser developers or web developers, seems confusing. |
Agreed, and fixed with the latest commit. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Couple nits left, mostly looking good now. Thanks.
xhr.bs
Outdated
@@ -29,6 +29,9 @@ spec:dom; type:interface; text:Document | |||
<pre class=anchors> | |||
urlPrefix: https://w3c.github.io/DOM-Parsing/; spec: dom-parsing | |||
type: dfn; text: fragment serializing algorithm; url: dfn-fragment-serializing-algorithm | |||
urlPrefix: https://wicg.github.io/feature-policy/; spec: FEATURE-POLICY | |||
type: dfn; text: policy-controlled feature; url: policy-controlled-feature | |||
type: dfn; text: default allowlist; url: default-allowlist |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These should be properly exported by Feature Policy directly. This anchors block is only there for legacy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
They've been exported for a while -- or at least I thought they were :( Filed speced/bikeshed#1173 to get that indexed for use in bikeshed.
xhr.bs
Outdated
<li> | ||
<p>If <a>context object</a>'s <a>relevant settings object</a> has a | ||
<a>responsible document</a> and it is <em>not</em> <a>allowed to use</a> the | ||
<code><a>sync-xhr</a></code> feature, then run <a>handle response |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If this is meant to be a string I think it should be "<code><a>sync-xhr</a></code>"
here and below. That's how you write down strings per Infra.
Also, no wrapping inside phrasing elements.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh, also, since the <p>
is the only child you need to do <li><p>...
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All fixed
xhr.bs
Outdated
|
||
<p>This specification defines a <a>policy-controlled feature</a> identified by | ||
the string <code><dfn>sync-xhr</dfn></code>. Its <a>default allowlist</a> is | ||
<code>*</code>. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More can be on one line here. Please use 100 columns for new/modified text.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done.
xhr.bs
Outdated
<p>This specification defines a <a>policy-controlled feature</a> identified by | ||
the string <code><dfn>sync-xhr</dfn></code>. Its <a>default allowlist</a> is | ||
<code>*</code>. | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You want an extra newline here for consistency.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
And done.
xhr.bs
Outdated
@@ -1021,6 +1025,12 @@ method must run these steps: | |||
<p>Otherwise, if the <a>synchronous flag</a> is set, run these substeps: | |||
|
|||
<ol> | |||
<li> | |||
<p>If <a>context object</a>'s <a>relevant settings object</a> has a | |||
<a>responsible document</a> and it is <em>not</em> <a>allowed to use</a> the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be "and that"/"which is"? To me it seems that "it" refers to a settings object here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed -- that was ambiguous, thanks.
* Clarify which object is tested for "allowed to use" * Denote strings correctly * Formatting
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work!
What remains is:
- web-platform-tests
- Implementation bugs
if I'm not missing anything.
You also might want to associate [email protected] with your GitHub account and add your name to the Acknowledgments section of the standard. |
@annevk, there are web-platform-tests for this already committed; you can see the results at https://wpt.fyi/xhr/xmlhttprequest-sync-default-feature-policy.sub.html (It fails in Chrome 63, but should pass in 65) Are there additional tests you'd like to see? I'll see about filing bugs in other places where I can do that. |
That's good enough I think. Other interesting tests might be header-based / same-origin restrictions. |
I noticed one more nit. We use sentence casing for headers. I'm not entirely sure if that means "Feature Policy integration" or "Feature policy integration" though. I'm guessing the former makes the most sense. |
Doesn't this depend on whatwg/html#3287 which is still not merged? :-/ |
@domenic see the commit message. |
Preview | Diff