Anonymous iframe

ArthurSonzogni · ArthurSonzogni · commit 149b30f42134 · 2022-03-10T13:23:34.000+01:00
Explainer: https://github.com/camillelamy/explainers/blob/main/anonymous_iframes.md Chrome status: https://chromestatus.com/feature/5729461725036544 Summary: - Define the anonymous flag for iframe and Window. - Inheritance is defined similarly to sandbox. However it do not propage toward popups. - Popup opened from anonymous Window use 'noopener'. - Navigation in anonymous iframe are allowed, even if the embedder has COEP:require-corp|credentialless and the response do not. - Define the `page anonymous nonce`, it is used for anonymous Window as an additional keys in: - network-partition-keys, - storage-partition-keys, - cookie-partition-keys This ensures the document is loaded within a new and ephemeral context. This prevents a cross-origin-isolated parent from stealing important data from its child, via a Spectre Attack. - Password autofill must be disabled inside anonymous Window. XXX: implement the corresponding parts on top of: - Fetch => network-partition-keys - StoragePartitioning => storage-partition-keys - CookieHavingIndependantState => cookie-partition-key - Worker.
diff --git a/source b/source
@@ -2494,6 +2494,7 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
      <li><dfn data-x="body safely extract" data-x-href="https://fetch.spec.whatwg.org/#bodyinit-safely-extract">safely extracting a body</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#process-response-end-of-body">processResponseConsumeBody</dfn></li>
      <li><dfn data-x-href="https://fetch.spec.whatwg.org/#fetch-processresponseendofbody">processResponseEndOfBody</dfn></li>
+     <li><dfn data-x-href="https://fetch.spec.whatwg.org/#network-partition-keys">network-partition-keys</dfn></li>
      <li>
       <dfn data-x="concept-response"
       data-x-href="https://fetch.spec.whatwg.org/#concept-response">response</dfn> and its
@@ -30831,6 +30832,7 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></code></pre>
    <dd><code data-x="attr-dim-height">height</code></dd>
    <dd><code data-x="attr-iframe-referrerpolicy">referrerpolicy</code></dd>
    <dd><code data-x="attr-iframe-loading">loading</code></dd>
+   <dd><code data-x="attr-iframe-anonymous">anonymous</code></dd>
    <dt><span
    data-x="concept-element-accessibility-considerations">Accessibility considerations</span>:</dt>
    <dd><a href="https://w3c.github.io/html-aria/#el-iframe">For authors</a>.</dd>
@@ -31541,6 +31543,12 @@ interface <dfn interface>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
    <li><p>Invoke <var>resumptionSteps</var>.</p></li>
   </ol>
 
+  <hr> <!-- ANONYMOUS ATTRIBUTE -->
+
+  <p>The <dfn element-attr for="iframe"><code data-x="attr-iframe-anonymous">anonymous</code></dfn>
+  attribute, enables loading documents hosted by the <code>iframe</code> with a new and ephemeral
+  storage partition. It is a boolean value. The default is false.</p>
+
   <hr> <!-- FALLBACK -->
 
   <p>Descendants of <code>iframe</code> elements represent nothing. (In legacy user agents that do
@@ -80302,6 +80310,10 @@ popup4.close();</code></pre></div>
    <li><p>Let <var>sandboxFlags</var> be the result of <span>determining the creation sandboxing
    flags</span> given <var>browsingContext</var> and <var>embedder</var>.</p></li>
 
+   <li><p>Let <var>anonymous</var> be the result of determining the <span
+   data-x="initial-window-anonymous">initial window anonymous</span> flag, given
+   <var>browsingContext</var>.</p></li>
+
    <!--
     This step does not need to use |embedder|, because determining the origin only consults the
     container when the url argument is about:srcdoc. However, here we always pass about:blank.
@@ -80326,7 +80338,8 @@ popup4.close();</code></pre></div>
     realm</span> given <var>agent</var> and the following customizations:</p>
 
     <ul>
-     <li><p>For the global object, create a new <code>Window</code> object.</p></li>
+     <li><p>For the global object, create a new <code>Window</code> object, with <code
+     data-x="attr-iframe-anonymous">anonymous</code> set to <var>anonymous</var>.</p></li>
 
      <li><p>For the global <b>this</b> binding, use <var>browsingContext</var>'s
      <code>WindowProxy</code> object.</li>
@@ -81701,6 +81714,7 @@ interface <dfn interface>Window</dfn> : <span>EventTarget</span> {
   attribute DOMString <span data-x="dom-window-status">status</span>;
   undefined <span data-x="dom-window-close">close</span>();
   readonly attribute boolean <span data-x="dom-window-closed">closed</span>;
+  readonly attribute boolean <span data-x="dom-window-anonymous">anonymous</span>;
   undefined <span data-x="dom-window-stop">stop</span>();
   undefined <span data-x="dom-window-focus">focus</span>();
   undefined <span data-x="dom-window-blur">blur</span>();
@@ -81900,6 +81914,9 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri
 
    <li><p>If <var>noreferrer</var> is true, then set <var>noopener</var> to true.</p></li>
 
+   <li><p>If <span>entry global object</span>'s <span data-x="dom-window-anonymous">anonymous</span>
+   flag is true, then set <var>noopener</var> to true.</p></li>
+
    <li>
     <p>Let <var>target browsing context</var> and <var>windowType</var> be the result of applying
     <span>the rules for choosing a browsing context</span> given <var>target</var>, <var>source
@@ -84050,6 +84067,70 @@ interface <dfn interface>BarProp</dfn> {
 
 
 
+  <h3>Anonymous iframe</h3>
+
+  <p>Each <code>iframe</code> element has a mutable <code
+  data-x="attr-iframe-anonymous">anonymous</code> flag attribute.</p>
+
+  <p>Each <code>Window</code> has a constant <dfn attribute for="Window"
+  data-x="dom-window-anonymous"><code>anonymous</code></dfn> flag.</p>
+
+  <p>An <dfn>anonymous Window</dfn> is a <code>Window</code>, whose <code
+  data-x="dom-window-anonymous">anonymous</code> flag is true.</p>
+
+  <p>To compute the <dfn data-x="initial-window-anonymous">initial window anonymous flag</dfn>,
+  given a new <span data-x="concept-document-bc">browsing context</span> <var>browsing
+  context</var>:</p>
+  <ol class="brief">
+   <li><p>Set <var>embedder</var> be <var>browsing context</var>'s <span
+   data-x="bc-container">container</span>.</p>
+   <li><p>If <var>embedder</var> is not an element, return false.</p></li>
+   <li><p>Otherwise, set <var>parentWindow</var> be the <var>embedder</var>'s <span>node
+   document</span>'s <span>relevant global object</span>.</p></li>
+   <li><p>Return the union of:</p>
+    <ul class="brief">
+     <li><p><var>parentWindow</var>'s <code attribute for="Window"
+     data-x="dom-window-anonymous">anonymous</code></p></li>
+     <li><p><var>embedder</var>'s <span><code>iframe</code></span>'s <code
+     data-x="attr-iframe-anonymous">anonymous</code></p></li>
+    </ul>
+   </li>
+  </ol>
+
+  <p>To compute the <dfn data-x="navigation-anonymous">navigation's anonymous flag</dfn>,
+  given <span data-x="concept-document-bc">browsing context</span> <var>browsing
+  context</var>, follows the same steps as in the <span
+  data-x="initial-window-anonymous">initial window anonymous flag</span> algorithm.</p>
+
+  <p class="note">New <code>Window</code>'s <code data-x="dom-window-anonymous">anonymous</code>
+  flag is computed either from the <span data-x="initial-window-anonymous">initial window anonymous
+  flag</span> algorithm for new <span data-x="concept-document-bc">browsing context</span>, or from
+  the <span data-x="navigation-anonymous">navigation's anonymous flag</span> algorithm, executed
+  when the navigation started, for navigations inside pre-existing <span
+  data-x="concept-document-bc">browsing context</span>.</p>
+
+  <p class="note">Popup opened from <span>anonymous Window</span> are always with 'noopener' set</p>
+
+  <p class="note">Top-level <span>anonymous Window</span> do not exist.</p>
+
+  <p>Each top-level <span>Window</span> has an associated <dfn export>page anonymous nonce</dfn>. It
+  is an immutable nonce ("number used once").</p>
+
+  <p class="XXX">The <span>page anonymous nonce</span> is meant to be used for <span>anonymous
+  Window</span> as a key in <span>network-partition-keys</span>, storage-partition-keys, and
+  cookie-partition-keys for <span>anonymous Window</span>. See <a
+  href="https://github.com/whatwg/fetch/issues/904">Network state partitionning</a>, <a
+  href="https://privacycg.github.io/storage-partitioning/">Client-Side Storage Partitioning</a>, and
+  <a href="https://github.com/WICG/CHIPS">CHIPS (Cookies Having Independant Partitioned
+  State</a>.</p>
+
+  <p><dfn>Autofill and anonymous iframe</dfn>: User agents sometimes have features for helping users
+  fill forms in: for example prefilling the user's address, password, or payment informations. User
+  agents must disable those features when the data is both specific to the user and to the website.
+  </p>
+
+
+
   <h3>Cross-origin opener policies</h3>
 
   <p>A <dfn>cross-origin opener policy value</dfn> allows a document which is navigated to in a
@@ -85422,7 +85503,8 @@ interface <dfn interface>BarProp</dfn> {
 
   <p>To <dfn>check a navigation response's adherence to its embedder policy</dfn> given a <span
   data-x="concept-response">response</span> <var>response</var>, a <span>browsing context</span>
-  <var>target</var>, and an <span>embedder policy</span> <var>responsePolicy</var>:</p>
+  <var>target</var>, an <span>embedder policy</span> <var>responsePolicy</var>, and a boolean
+  <var>anonymous</var>:</p>
 
   <ol>
    <li><p>If <var>target</var> is not a <span>child browsing context</span>, then return
@@ -85435,18 +85517,18 @@ interface <dfn interface>BarProp</dfn> {
 
    <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-value">report-only
    value</span> is <span>compatible with cross-origin isolation</span> and
-   <var>responsePolicy</var>'s <span data-x="embedder-policy-value">value</span> is not, then
-   <span>queue a cross-origin embedder policy inheritance violation</span> with <var>response</var>,
-   "<code data-x="">navigation</code>", <var>parentPolicy</var>'s <span
-   data-x="embedder-policy-report-only-reporting-endpoint">report only reporting endpoint</span>,
-   "<code data-x="">reporting</code>", and <var>target</var>'s <span
+   <var>responsePolicy</var>'s <span data-x="embedder-policy-value">value</span> is not, and
+   <var>anonymous</var> is false, then <span>queue a cross-origin embedder policy inheritance
+   violation</span> with <var>response</var>, "<code data-x="">navigation</code>",
+   <var>parentPolicy</var>'s <span data-x="embedder-policy-report-only-reporting-endpoint">report
+   only reporting endpoint</span>, "<code data-x="">reporting</code>", and <var>target</var>'s <span
    data-x="bc-container-document">container document</span>'s <span>relevant settings
    object</span>.</p></li>
 
    <li><p>If <var>parentPolicy</var>'s <span data-x="embedder-policy-value">value</span> is not
    <span>compatible with cross-origin isolation</span> or <var>responsePolicy</var>'s <span
    data-x="embedder-policy-value">value</span> is <span>compatible with cross-origin
-   isolation</span>, then return true.</p></li>
+   isolation</span>, or <var>anonymous</var> is true, then return true.</p></li>
 
    <li><p><span>Queue a cross-origin embedder policy inheritance violation</span> with
    <var>response</var>, "<code data-x="">navigation</code>", <var>parentPolicy</var>'s <span
@@ -87571,6 +87653,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    <dt><dfn data-x="navigation-params-sandboxing">final sandboxing flag set</dfn></dt>
    <dd>a <span>sandboxing flag set</span> to impose on the new <code>Document</code></dd>
 
+   <dt><dfn data-x="navigation-params-anonymous">anonymous</dfn></dt>
+   <dd>The anonymous flag to impose on the new <code>Window</code></dd>
+
    <dt><dfn data-x="navigation-params-coop">cross-origin opener policy</dfn></dt>
    <dd>a <span>cross-origin opener policy</span> to use for the new <code>Document</code></dd>
 
@@ -87823,6 +87908,10 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    flags</span> given <var>browsingContext</var> and <var>browsingContext</var>'s <span
    data-x="bc-container">container</span>.</p></li>
 
+   <li><p>Let <var>anonymous</var> be the result of computing the <span
+   data-x="navigation-anonymous">navigation's anonymous flag</span>, given
+   <var>browsingContext.</var></p></li>
+
    <li><p>Let <var>allowedToDownload</var> be the result of running the <span>allowed to
    download</span> algorithm given the <span>source browsing context</span> and
    <var>browsingContext</var>.</p></li>
@@ -87893,8 +87982,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
        data-x="navigation-params-policy-container">policy container</span> is
        <var>policyContainer</var>, <span data-x="navigation-params-sandboxing">final sandboxing
        flag set</span> is <var>finalSandboxFlags</var>, <span
-       data-x="navigation-params-coop">cross-origin opener policy</span> is <var>coop</var>, <span
-       data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
+       data-x="navigation-params-anonymous">anonymous</span> is <var>anonymous</var>, <span
+       data-x="navigation-params-coop">cross-origin opener policy</span> is <var>coop</var>,
+       <span data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
        <var>coopEnforcementResult</var>, <span
        data-x="navigation-params-reserved-environment">reserved environment</span> is null, <span
        data-x="navigation-params-browsing-context">browsing context</span> is
@@ -87950,8 +88040,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
        data-x="navigation-params-policy-container">policy container</span> is
        <var>browsingContext</var>'s <span>active document</span>'s <span>policy container</span>,
        <span data-x="navigation-params-sandboxing">final sandboxing flag set</span> is
-       <var>finalSandboxFlags</var>, <span data-x="navigation-params-coop">cross-origin opener
-       policy</span> is <var>browsingContext</var>'s <span>active document</span>'s <span
+       <var>finalSandboxFlags</var>, <span data-x="navigation-params-anonymous">anonymous</span> is
+       <var>anonymous</var>, <span data-x="navigation-params-coop">cross-origin opener policy</span>
+       is <var>browsingContext</var>'s <span>active document</span>'s <span
        data-x="concept-document-coop">cross-origin opener policy</span>, <span
        data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
        <var>coopEnforcementResult</var>, <span
@@ -87986,10 +88077,11 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
 
      <dd><p>Run <span>process a navigate fetch</span> given <var>navigationId</var>,
      <var>resource</var>, the <span>source browsing context</span>, <var>browsingContext</var>,
-     <var>navigationType</var>, <var>sandboxFlags</var>, <var>historyPolicyContainer</var>,
-     <var>initiatorPolicyContainer</var>, <var>allowedToDownload</var>,
-     <var>hasTransientActivation</var>, <var>incumbentNavigationOrigin</var>,
-     <var>historyHandling</var>, and <var>unsafeNavigationStartTime</var>.</p></dd>
+     <var>navigationType</var>, <var>sandboxFlags</var>, <var>anonymous</var>,
+     <var>historyPolicyContainer</var>, <var>initiatorPolicyContainer</var>,
+     <var>allowedToDownload</var>, <var>hasTransientActivation</var>,
+     <var>incumbentNavigationOrigin</var>, <var>historyHandling</var>, and
+     <var>unsafeNavigationStartTime</var>.</p></dd>
 
      <dt>Otherwise, <var>resource</var> is a <span data-x="concept-request">request</span> whose
      <span data-x="concept-request-url">URL</span>'s <span data-x="concept-url-scheme">scheme</span>
@@ -88006,12 +88098,12 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
   data-x="navigation-id">navigation id</span> <var>navigationId</var>, <span
   data-x="concept-request">request</span> <var>request</var>, two <span data-x="browsing
   context">browsing contexts</span> <var>sourceBrowsingContext</var> and <var>browsingContext</var>,
-  a string <var>navigationType</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>,
-  two <span data-x="policy container">policy containers</span> <var>historyPolicyContainer</var> and
-  <var>initiatorPolicyContainer</var>, a boolean <var>allowedToDownload</var>, a boolean
-  <var>hasTransientActivation</var>, an <span>origin</span> <var>incumbentNavigationOrigin</var>,
-  a <span>history handling behavior</span> <var>historyHandling</var>, and a number
-  <var>unsafeNavigationStartTime</var>:</p>
+  a string <var>navigationType</var>, a <span>sandboxing flag set</span> <var>sandboxFlags</var>, a
+  boolean <var>anonymous</var>, two <span data-x="policy container">policy containers</span>
+  <var>historyPolicyContainer</var> and <var>initiatorPolicyContainer</var>, a boolean
+  <var>allowedToDownload</var>, a boolean <var>hasTransientActivation</var>, an <span>origin</span>
+  <var>incumbentNavigationOrigin</var>, a <span>history handling behavior</span>
+  <var>historyHandling</var>, and a number <var>unsafeNavigationStartTime</var>:</p>
 
   <ol>
    <li><p>Let <var>response</var> be null.</p></li>
@@ -88290,6 +88382,7 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
    data-x="navigation-params-policy-container">policy container</span> is
    <var>resultPolicyContainer</var>, <span data-x="navigation-params-sandboxing">final sandboxing
    flag set</span> is <var>finalSandboxFlags</var>, <span
+   data-x="navigation-params-anonymous">anonymous</span> is <var>anonymous</var>, <span
    data-x="navigation-params-coop">cross-origin opener policy</span> is <var>responseCOOP</var>,
    <span data-x="navigation-params-coop-enforcement-result">COOP enforcement result</span> is
    <var>coopEnforcementResult</var>, <span data-x="navigation-params-reserved-environment">reserved
@@ -88339,8 +88432,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
     embedder policy">checking a navigation response's adherence to its embedder policy</span> given
     <var>response</var>, <var>browsingContext</var>, and <var>navigationParams</var>'s <span
     data-x="navigation-params-policy-container">policy container</span>'s <span
-    data-x="policy-container-embedder-policy">embedder policy</span> is false, then set
-    <var>failure</var> to true.</p>
+    data-x="policy-container-embedder-policy">embedder policy</span> and
+    <var>navigationparams</var>'s <span data-x="navigation-params-anonymous">anonymous</span> flag
+    is false, then set <var>failure</var> to true.</p>
 
     <p>Otherwise, if the result of <span data-x="check a navigation response's adherence to
     `X-Frame-Options`">checking a navigation response's adherence to
@@ -88705,7 +88799,10 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
     data-x="hh-replace">replace</code>", and <var>browsingContext</var>'s <span>active
     document</span>'s <span data-x="concept-document-origin">origin</span> is <span>same
     origin-domain</span> with <var>navigationParams</var>'s <span
-    data-x="navigation-params-origin">origin</span>, then do nothing.</p>
+    data-x="navigation-params-origin">origin</span>, and <var>browsingContext</var>'s <span>active
+    window</span>'s <span data-x="dom-window-anonymous">anonymous</span> flag matches
+    <var>navigationParams</var>'s <span data-x="navigation-params-anonymous">anonymous</span> flag,
+    then do nothing.</p>
 
     <p class="note">This means that both the <span data-x="is initial about:blank">initial
     <code>about:blank</code></span> <code>Document</code>, and the new <code>Document</code> that is
@@ -88739,7 +88836,9 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
       realm</span> given <var>agent</var> and the following customizations:</p>
 
       <ul>
-       <li><p>For the global object, create a new <code>Window</code> object.</p></li>
+       <li><p>For the global object, create a new <code>Window</code> object, with <code
+       data-x="attr-iframe-anonymous">anonymous</code> to <var>navigationParams</var>'s <span
+       data-x="navigation-params-anonymous">anonymous</span>.</p></li>
 
        <li><p>For the global <b>this</b> binding, use <var>browsingContext</var>'s
        <code>WindowProxy</code> object.</p></li>
@@ -123826,6 +123925,12 @@ interface <dfn interface>External</dfn> {
           <code data-x="attr-input-alt">input</code>
      <td> Replacement text for use when images are not available
      <td> <a href="#attribute-text">Text</a>*
+    <tr>
+     <th> <code data-x="">anonymous</code>
+     <td> <code data-x="attr-iframe-anonymous">iframe</code>
+     <td> Whether the <code>iframe</code>'s contents to be loaded using a new ephemeral storage
+     partition.
+     <td> <span>Boolean attribute</span>
     <tr>
      <th> <code data-x="">as</code>
      <td> <code data-x="attr-link-as">link</code>
