Skip to content

Pass a top-level navigation initiator origin to Fetch #10991

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Jul 25, 2025
Merged

Pass a top-level navigation initiator origin to Fetch #10991

merged 3 commits into from
Jul 25, 2025

Conversation

bvandersloot-mozilla
Copy link
Contributor

@bvandersloot-mozilla bvandersloot-mozilla commented Feb 4, 2025
edited by pr-preview bot
Loading

To un-logjam the cookie layering work, I've started whatwg/fetch#1807. That depends on this info to be piped into Fetch so we can actually specify in WHATWG what SameSite=Strict means.

This patch plumbs that through on top-level navigatable fetches.

This doesn't build because it relies upon the corresponding patch in Fetch. Let me know to land these.

  • At least two implementers are interested (and none opposed):
  • Tests are written and can be reviewed and commented upon at:
    • change is not observable, not needed?
  • Implementation bugs are filed:
    • change is to update spec interfacing, not needed?
  • Corresponding HTML AAM & ARIA in HTML issues & PRs:
  • MDN issue is filed:
    • I don't think this is needed?
  • The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)

/browsing-the-web.html ( diff )
/infrastructure.html ( diff )

@bvandersloot-mozilla bvandersloot-mozilla mentioned this pull request Feb 4, 2025
Merged
5 tasks
annevk
annevk reviewed Feb 27, 2025
View reviewed changes
Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cc @johannhof

annevk
annevk reviewed Mar 7, 2025
View reviewed changes
Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think one thing we identified that's worth looking into here is what happens if OPENER opens POPUP and then attempts to navigate POPUP's EMBED using named targeting.

@domenic domenic mentioned this pull request Mar 10, 2025
Open
6 tasks
@bvandersloot-mozilla
Copy link
Contributor Author

I think one thing we identified that's worth looking into here is what happens if OPENER opens POPUP and then attempts to navigate POPUP's EMBED using named targeting.

Looking into this, I think the only interesting case here is where OPENER is cross-origin to POPUP, because it is exactly this case where you have a non-ancestor initiator. This isn't possible to do because targeting is blocked by the cross-origin-ness of the opened window. We could test where OPENER and POPUP are same-origin, but that just feels like the existing iframe tests with extra steps. Let me know if you see anything worth testing here, but I don't see it.

annevk
annevk reviewed May 19, 2025
View reviewed changes
annevk
annevk approved these changes May 20, 2025
View reviewed changes
Copy link
Member

@annevk annevk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks in order now from my perspective.

@annevk annevk mentioned this pull request May 20, 2025
Open
bvandersloot-mozilla and others added 2 commits July 25, 2025 11:05
@bvandersloot-mozilla @annevk
Pass a top-level navigation initiator origin to Fetch
0d87172 
This helps with the HTTP WG's layered cookies draft integration work. whatwg/fetch#1807 depends on this state being passed in so we can define SameSite=Strict properly.
@annevk
nit
abcd1d6
@annevk
Copy link
Member

annevk commented Jul 25, 2025

I'm going to land the PRs identified in #9000 (comment) (including this one) soonish. We have reduced the scope to essentially only tackle the new way we integrate with Cookies at the IETF (and only for the Cookie and Set-Cookie header at this point). So in effect this should be a non-normative change.

PRs building on top of this work will need to fill out the PR template completely however.

@annevk annevk merged commit 3b6a99b into whatwg:main Jul 25, 2025
2 checks passed
annevk added a commit to whatwg/fetch that referenced this pull request Jul 27, 2025
@bvandersloot-mozilla @johannhof @annevk
Integrate with HTTP WG's layered-cookies work
1d9380b 
This builds on whatwg/html#10991 and whatwg/html#11133. This should be a mostly editorial change, but with much more clarity about how the state flows into the IETF side.

Co-authored-by: Johann Hofmann <[email protected]>
Co-authored-by: Anne van Kesteren <[email protected]>
@kennethmyhra kennethmyhra mentioned this pull request Aug 11, 2025
Merged
pmeenan pushed a commit to pmeenan/fetch that referenced this pull request Aug 25, 2025
@bvandersloot-mozilla @johannhof
@annevk @pmeenan
Integrate with HTTP WG's layered-cookies work
8ec8d64 
This builds on whatwg/html#10991 and whatwg/html#11133. This should be a mostly editorial change, but with much more clarity about how the state flows into the IETF side.

Co-authored-by: Johann Hofmann <[email protected]>
Co-authored-by: Anne van Kesteren <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@domenic domenic domenic approved these changes

@annevk annevk annevk approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bvandersloot-mozilla @annevk @domenic