Enable get() in fenced frames with network access revoked. #220

Open: wants to merge 10 commits into base: main
@VergeA VergeA commented Jan 21, 2025

After script running in a fenced frame successfully resolves a call to `window.fence.disableUntrustedNetwork()`, the fenced frame gains access to Shared Storage via `get()`.

This patch refactors the `get()` algorithm to be accessible from `Window` and `SharedStorageWorklet` scopes, but the `Window` branch will fail outside of a fenced frame tree with network disabled.

This patch also specifies a new Permissions Policy, `fenced-unpartitioned-storage-read`, which can be used to disable access to `get()` in fenced frames. Its default allowlist is `*`.
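
The gating described above, modelled as an added JavaScript example (not code from this pull request or from Chromium). `makeWindow`, `tryGet`, `demo`, the error strings and the stored key are assumptions made for illustration; only `window.fence.disableUntrustedNetwork()`, `get()` and the `fenced-unpartitioned-storage-read` policy name come from the description.

```javascript
// Constructed stand-in for a frame's window object. It models only the three
// conditions named in the PR description; error strings are made up here.
function makeWindow({ inFencedFrameTree, policyAllows, store }) {
  let networkRevoked = false;
  return {
    fence: {
      // Models a successful resolution: untrusted network is now revoked.
      disableUntrustedNetwork: async () => { networkRevoked = true; },
    },
    sharedStorage: {
      get: async (key) => {
        if (!inFencedFrameTree) throw new Error('not in a fenced frame tree');
        // policyAllows=false models a frame where the feature is disabled, e.g.
        // Permissions-Policy: fenced-unpartitioned-storage-read=()
        if (!policyAllows) throw new Error('fenced-unpartitioned-storage-read denied');
        if (!networkRevoked) throw new Error('untrusted network still enabled');
        return store.get(key);
      },
    },
  };
}

// Caller pattern: optionally revoke network, then read. A rejection is
// reported to the caller instead of escaping as an unhandled error.
async function tryGet(win, key, { revokeFirst }) {
  try {
    if (revokeFirst) await win.fence.disableUntrustedNetwork();
    return { ok: true, value: await win.sharedStorage.get(key) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample data and the four cases worth checking.
async function demo() {
  const store = new Map([['ab-group', 'B']]);
  const base = { inFencedFrameTree: true, policyAllows: true, store };
  const opts = { revokeFirst: true };
  return {
    revoked: await tryGet(makeWindow(base), 'ab-group', opts),
    notRevoked: await tryGet(makeWindow(base), 'ab-group', { revokeFirst: false }),
    policyOff: await tryGet(makeWindow({ ...base, policyAllows: false }), 'ab-group', opts),
    topLevel: await tryGet(makeWindow({ ...base, inFencedFrameTree: false }), 'ab-group', opts),
  };
}

demo().then((r) => console.log(r));
```
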

Merge main into read2
@VergeA VergeA marked this pull request as ready for review January 21, 2025 20:08
@VergeA VergeA changed the title [WIP] Enable get() in fenced frames with network access revoked. Enable get() in fenced frames with network access revoked. Jan 23, 2025
VergeA commented Jan 23, 2025

I think this should be ready for a first review. The spec roughly traces the path of the Chromium renderer code here, into the browser code here.

@xyaoinum, are you able to take a look at this? I don't have repo permissions to add reviewers directly. If not, I can find another reviewer.
