Create a new reserved environment for cross-origin redirects

mfalken · annevk · commit 45ddbd291d1c · 2018-10-08T09:35:13.000+02:00
Previously, a navigation would create a reserved environment once and use it for all redirects. This commit changes that so a new environment is created on a cross-origin redirect. We now also run CSP for each redirect. See also w3c/ServiceWorker#1316.
diff --git a/source b/source
@@ -2835,6 +2835,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
        <li><dfn data-x="concept-request-header-list" data-x-href="https://fetch.spec.whatwg.org/#concept-request-header-list">header list</dfn></li>
        <li><dfn data-x="concept-request-body" data-x-href="https://fetch.spec.whatwg.org/#concept-request-body">body</dfn></li>
        <li><dfn data-x="concept-request-client" data-x-href="https://fetch.spec.whatwg.org/#concept-request-client">client</dfn></li>
+       <li><dfn data-x="concept-request-current-url" data-x-href="https://fetch.spec.whatwg.org/#concept-request-current-url">current URL</dfn></li>
        <li><dfn data-x="concept-request-reserved-client" data-x-href="https://fetch.spec.whatwg.org/#concept-request-reserved-client">reserved client</dfn></li>
        <li><dfn data-x="concept-request-replaces-client-id" data-x-href="https://fetch.spec.whatwg.org/#concept-request-replaces-client-id">replaces client id</dfn></li>
        <li><dfn data-x="concept-request-initiator" data-x-href="https://fetch.spec.whatwg.org/#concept-request-initiator">initiator</dfn></li>
@@ -82092,54 +82093,90 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
    data-x="concept-request-origin">origin</span> to that <span>browsing context scope
    origin</span>.</p></li>
 
+   <li><p>Let <var>done</var> be false and <var>reservedEnvironment</var> be null.</p></li>
+
    <li>
-    <p>Create a new <span>environment</span> <var>reservedEnvironment</var>, and set its <span
-    data-x="concept-environment-id">id</span> to a new unique opaque string, its <span
-    data-x="concept-environment-creation-url">creation URL</span> to <var>request</var>'s
-    <span>url</span>, and its <span data-x="concept-environment-target-browsing-context">target
-    browsing context</span> to <var>browsingContext</var>.</p>
+    <p>While <var>done</var> is false:</p>
 
-    <p class="note">The created environment's <span
-    data-x="concept-environment-active-service-worker">active service worker</span> is set in the
-    <span data-x="on-fetch-request-algorithm">handle fetch</span> algorithm during the fetch if its
-    <span data-x="concept-environment-creation-url">creation URL</span> matches a service worker
-    registration. <ref spec="SW"></p>
-   </li>
+    <ol>
+     <li><p>Let <var>currentURL</var> be <var>response</var>'s <span
+     data-x="concept-response-location-url">location URL</span>, if <var>response</var> is not null,
+     and <var>request</var>'s <span data-x="concept-request-current-url">current URL</span>
+     otherwise.</p></li>
 
-   <li><p>Set <var>request</var>'s <span data-x="concept-request-reserved-client">reserved
-   client</span> to <var>reservedEnvironment</var>.</p></li>
+     <li>
+      <p>If <var>reservedEnvironment</var> is not null and <var>currentURL</var>'s
+      <span data-x="concept-url-origin">origin</span> is not the <span
+      data-x="same origin">same</span> as <var>reservedEnvironment</var>'s <span
+      data-x="concept-environment-creation-url">creation URL</span>'s <span
+      data-x="concept-url-origin">origin</span>, then:</p>
 
-   <li>
-    <p>If the <span>Should navigation request of type from source in target be blocked by Content
-    Security Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when executed upon
-    <var>request</var>, <var>navigationType</var>, <var>sourceBrowsingContext</var>, and
-    <var>browsingContext</var>, then set <var>response</var> to a network error.
-    <ref spec="CSP"></p>
+      <ol>
+       <li><p>Run the <span>environment discarding steps</span> for
+       <var>reservedEnvironment</var>.</p></li>
 
-    <p>Otherwise:</p>
+       <li><p>Set <var>reservedEnvironment</var> to null.</p></li>
+      </ol>
+     </li>
 
-    <ol>
-     <!--FETCH--><li><p><span data-x="concept-fetch">Fetch</span> <var>request</var>.</p></li>
+     <li><p>If <var>reservedEnvironment</var> is null, then set <var>reservedEnvironment</var> to a
+     new <span>environment</span> whose <span data-x="concept-environment-id">id</span> is a
+     unique opaque string and <span
+     data-x="concept-environment-target-browsing-context">target browsing context</span> is
+     <var>browsingContext</var>.</p></li>
 
-     <li><p>Wait for the <span data-x="concept-task">task</span> on the <span>networking task
-     source</span> to <span>process response</span> and set <var>response</var> to the
-     result.</p></li>
-    </ol>
-   </li>
+     <li>
+      <p>Set <var>reservedEnvironment</var>'s <span
+      data-x="concept-environment-creation-url">creation URL</span> to <var>currentURL</var>.</p>
 
+      <p class="note">The created environment's <span
+      data-x="concept-environment-active-service-worker">active service worker</span> is set in the
+      <span data-x="on-fetch-request-algorithm">Handle Fetch</span> algorithm during the fetch if
+      the request URL matches a service worker registration. <ref spec="SW"></p>
+     </li>
 
-   <li id="navigate-redirect-step">
-    <p>If <var>response</var> has a <span data-x="concept-response-location-url">location URL</span>
-    and it is either failure or a <span>URL</span> whose <span
-    data-x="concept-url-scheme">scheme</span> is an <span>HTTP(S) scheme</span>, then set
-    <var>response</var> to the result of performing <span>HTTP-redirect fetch</span> using
-    <var>request</var> and <var>response</var> and then run this step again.</p>
+     <li><p>Set <var>request</var>'s <span data-x="concept-request-reserved-client">reserved
+     client</span> to <var>reservedEnvironment</var>.</p></li>
 
-    <p class="note">Navigation handles redirects manually as navigation is the only place in the web
-    platform that cares for redirects to <code data-x="mailto protocol">mailto:</code> URLs and
-    such.</p>
+     <li><p>If the <span>Should navigation request of type from source in target be blocked by
+     Content Security Policy?</span> algorithm returns "<code data-x="">Blocked</code>" when
+     executed upon <var>request</var>, <var>navigationType</var>, <var>sourceBrowsingContext</var>,
+     and <var>browsingContext</var>, then set <var>response</var> to a <span>network error</span>
+     and set <var>done</var> to true. <ref spec="CSP"></p></li>
+
+     <li>
+      <p>Otherwise:</p>
+
+      <ol>
+       <li><p>If <var>response</var> is null, <!--FETCH--><span
+       data-x="concept-fetch">fetch</span> <var>request</var>.</p></li>
+
+       <li><p>Otherwise, perform <span>HTTP-redirect fetch</span> using
+       <var>request</var> and <var>response</var>.</p></li>
+
+       <li><p>Wait for the <span data-x="concept-task">task</span> on the <span>networking task
+       source</span> to <span>process response</span> and set <var>response</var> to the
+       result.</p></li>
+
+       <li>
+        <p>If <var>response</var> does not have a <span
+        data-x="concept-response-location-url">location URL</span> or the <span
+        data-x="concept-response-location-url">location URL</span> is not a <span>URL</span> whose
+        <span data-x="concept-url-scheme">scheme</span> is an <span>HTTP(S) scheme</span>,
+        then set <var>done</var> to true.</p>
+
+        <p class="note">Navigation handles redirects manually as navigation is the only place in
+        the web platform that cares for redirects to <code data-x="mailto protocol">mailto:</code>
+        URLs and such.</p>
+       </li>
+      </ol>
+     </li>
+    </ol>
    </li>
 
+   <li><p>If <var>response</var>'s <span data-x="concept-response-location-url">location URL</span>
+   is failure, then set <var>response</var> to a <span>network error</span>.</p></li>
+
    <li><p>Otherwise, if <var>response</var> has a <span
    data-x="concept-response-location-url">location URL</span> that is a <span>URL</span> whose <span
    data-x="concept-url-scheme">scheme</span> is "<code data-x="">blob</code>", "<code
