Spec shell of disableUntrustedNetwork() network revocation API (#169)

Co-authored-by: Garrett Tanzer <[email protected]>
Co-authored-by: Liam Brady <[email protected]>

spec.bs

@@ -1259,7 +1259,7 @@ A <dfn export>fenced frame config</dfn> is a [=struct=] with the following [=str
 
   : <dfn>embedder shared storage context</dfn>
   :: null, or a [=string=]
-  
+
   : <dfn>is ad component</dfn>
   :: A [=boolean=], initially false.
 
@@ -1315,8 +1315,11 @@ A <dfn export>fenced frame config instance</dfn> is a [=struct=] with the follow
 
   : <dfn>embedder shared storage context</dfn>
   :: null, or a [=string=]
-  
+
   : <dfn>is ad component</dfn>
+  :: A [=boolean=]
+
+  : <dfn>has disabled untrusted network</dfn>
   :: A [=boolean=], initially false.
 
   : <dfn>cross-origin reporting allowed</dfn>
@@ -1402,12 +1405,15 @@ A <dfn export>fenced frame config instance</dfn> is a [=struct=] with the follow
 
     : [=fenced frame config instance/embedder shared storage context=]
     :: |config|'s [=fenced frame config/embedder shared storage context=]
-    
+
     : [=fenced frame config instance/is ad component=]
     :: |config|'s [=fenced frame config/is ad component=]
 
     : [=fenced frame config instance/cross-origin reporting allowed=]
     :: |config|'s [=fenced frame config/cross-origin reporting allowed=]
+
+    : [=fenced frame config instance/has disabled untrusted network=]
+    :: false
 </div>
 
 Each [=browsing context=] has a <dfn for="browsing context">fenced frame config instance</dfn>,
@@ -1688,6 +1694,7 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
       undefined reportEvent(optional ReportEventType event = {});
       undefined setReportEventDataForAutomaticBeacons(optional FenceEvent event = {});
       sequence&lt;FencedFrameConfig&gt; getNestedConfigs();
+      Promise&lt;undefined&gt; disableUntrustedNetwork();
       undefined notifyEvent(Event event);
   };
 </pre>
@@ -1922,6 +1929,103 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
   </wpt>
 </div>
 
+<div algorithm>
+  The <dfn method for=Fence>disableUntrustedNetwork()</dfn> method steps are:
+
+  1. Let |p| be [=a new promise=].
+
+  1. Let |instance| be [=this=]'s [=relevant global object=]'s [=Window/browsing context=]'s
+     [=browsing context/fenced frame config instance=].
+
+  1. If the [=relevant settings object=]'s [=environment settings object/origin=] and
+     |instance|'s [=fenced frame config instance/mapped url=]'s [=url/origin=] are not [=same
+     origin=], then [=reject=] |p| with a {{TypeError}}.
+
+  1. If [=this=]'s [=relevant global object=]'s [=Window/navigable=]'s [=navigable/traversable
+     navigable=] is not a [=fenced navigable container/fenced navigable=], then [=resolve=] |p| with
+     {{undefined}} and return |p|.
+
+  1. Let |global| be [=this=]'s [=relevant global object=].
+
+  1. Run the following steps [=in parallel=]:
+
+     1. Let |fencedFrameNonce| be |instance|'s [=fenced frame config instance/partition nonce=].
+
+     1. Let |credentiallessNonce| be
+
+     Issue: the page credentialless nonce
+     (<a href="https://github.com/WICG/fenced-frame/issues/191">WICG/fenced-frame#191</a>)
+
+     1. Invoke [=revoke network for a partition nonce=] on |fencedFrameNonce|.
+
+     1. Invoke [=revoke network for a partition nonce=] on |credentiallessNonce|.
+
+     1. Set |instance|'s [=fenced frame config instance/has disabled untrusted network=] to true.
+
+     1. Wait on all nested fenced frames to disable network too.
+
+     Issue: Spec this waiting more formally.
+     (<a href="https://github.com/WICG/fenced-frame/issues/151">WICG/fenced-frame#151</a>)
+
+     1. [=Queue a global task=] on the [=DOM manipulation task source=] given |global|, to
+        [=resolve=] |p| with {{undefined}}.
+
+  1. Return |p|.
+</div>
+
+A user agent has an associated <dfn>network revocation nonce set</dfn>, which is a [=set=] of
+[=partition nonces=], and a <dfn>network revocation exemption map</dfn>, which is a [=map=] whose
+[=map/keys=] are [=partition nonces=] and [=map/values=] are [=sets=] of [=URLs=].
+
+Note: The [=network revocation exemption map=] is used only for web platform tests; in normal usage
+it is always empty. This list is modified directly in web platform tests by a function call to
+exempt specific URLs from network revocation.
+
+Issue: This will require a RFC to add a test-only function to the WPT web driver.
+(<a href="https://github.com/WICG/fenced-frame/issues/192">WICG/fenced-frame#192</a>)
+
+<div algorithm>
+  To <dfn>revoke network for a partition nonce</dfn> using a [=fenced frame config
+  instance/partition nonce=] |nonce|, run these steps:
+
+  1. [=set/Append=] |nonce| to the user agent's [=network revocation nonce set=].
+
+  1. [=fetch group/terminated|Terminate=] [=this=]'s [=relevant settings object=]'s
+     [=fetch/fetch group=].
+</div>
+
+<div algorithm>
+  To determine whether fetching a [=request=] <var ignore>request</var> <dfn>must be blocked due to
+  a revoked partition nonce</dfn> using a [=fenced frame config instance/partition nonce=] |nonce|
+  and a [=URL=] |requestURL|, run these steps:
+
+  1. If the user agent's [=network revocation exemption map=][|nonce|] [=map/exists=], and if
+     |requestURL| [=set/exists=] in it, return <b>allowed</b>.
+
+  1. If the user agent's [=network revocation nonce set=] [=set/contains=] |nonce|, return
+     <b>blocked</b>.
+
+  1. Return <b>allowed</b>.
+</div>
+
+<h3 id=disable-fetch>Fetch monkeypatches for network revocation</h3>
+
+The network revocation mechanism requires the following monkeypatches to the [[FETCH]] Standard.
+
+<div algorithm=network-revocation-check-patch>
+  In the [=fetch=] algorithm, step 7, where it says:
+
+    > If <a lt="block bad port">should <var>request</var> be blocked due to a bad port</a>,
+    > <a lt="should fetching request be blocked as mixed content?">
+    > should fetching <var>request</var> be blocked as mixed content</a>, or
+    > <a lt="should request be blocked by Content Security Policy?">should <var>request</var>
+    > be blocked by Content Security Policy</a> returns <b>blocked</b>, then set
+    > <var ignore>response</var> to a <a>network error</a>.
+
+  Add "[=must be blocked due to a revoked partition nonce=]" to the conditions after
+  "should request be blocked by Content Security Policy".
+</div>
+
 <h3 id=new-request-destination>New [=request=] [=request/destination=]</h3>
 
 The processing model of a <{fencedframe}>'s navigation request deviates from that of the normal