1. Introduction
This specification describes a content embedding API that satisfies some
critical use cases for IWAs that iframe
does not support. This embedding
environment should allow embedding all content without express permission from
the embedded site, including content which iframe
cannot embed, and provide
embedding sites more control over that embedded content.
Since this is a particularly powerful API, its use and availability makes an app a target of various types of hacking. As a result, this API is limited to use in Isolated Web Applications (IWAs) which have addtional safeguards in place to protect users and developers. IWAs are not a normal web application and can exist only at a special 'isolated-app:' scheme. This means by design that this API will not be available to normal web pages.
Note: This API is not intended to be a replacement or substitute for iframe
.
All iframe
use cases are still valid and should continue to use iframe
,
including IWAs where possible.
2. The Fenced Frame specification
For convenience, the Controlled Frame specification assumes that the Fenced Frame specification is in place. There are concepts introduced in the Fenced Frame specification, such as nested top-level traversables, that are broadly useful to refer to in the context of Controlled Frame.
The Fenced Frame specification achieves defining these concepts via monkey patching some specifications, such as HTML. We will also require monkey patching specifications for some parts of this Controlled Frame specification.
3. The controlledframe
element
- Categories:
- Flow content.
- Phrasing content.
- Embedded content.
- Interactive content.
- Palpable content.
- Phrasing content.
- Contexts in which this element can be used:
- Where embedded content is expected.
- Content model:
- Nothing.
- Content attributes:
- Global attributes
src
— Content source URL to embedpartition
— Partition name to hold data related to this content - Accessibility considerations:
- For authors.
- For implementers.
Note: These link to the accessibility definitions of the
iframe
element. From an accessibility perspective, acontrolledframe
should behave the same as aniframe
. - For implementers.
- DOM interface:
-
[
Exposed =Window ,IsolatedContext ]interface
:HTMLControlledFrameElement HTMLElement { [HTMLConstructor ]constructor (); [CEReactions ]attribute USVString src ;attribute DOMString partition ;readonly attribute WindowProxy ?contentWindow ;readonly attribute ContextMenus contextMenus ;readonly attribute WebRequest request ; // Navigation methods.Promise <boolean >back ();Promise <boolean >canGoBack ();Promise <boolean >forward ();Promise <boolean >canGoForward ();Promise <boolean >go (long
);relativeIndex undefined reload ();undefined stop (); // Scripting methods.Promise <undefined >addContentScripts (sequence <ContentScriptDetails >
);contentScriptList Promise <any >executeScript (optional InjectDetails
= {});details Promise <undefined >insertCSS (optional InjectDetails
= {});details Promise <undefined >removeContentScripts (optional sequence <DOMString >
); // Configuration methods.scriptNameList Promise <undefined >clearData (optional ClearDataOptions
= {},options optional ClearDataTypeSet
= {});types Promise <boolean >getAudioState ();Promise <long >getZoom ();Promise <DOMString >getZoomMode ();Promise <boolean >isAudioMuted ();undefined setAudioMuted (boolean
);mute Promise <undefined >setZoom (long
);zoomFactor Promise <undefined >setZoomMode (DOMString
); // Capture methods.zoomMode Promise <undefined >captureVisibleRegion (optional ImageDetails
= {});options undefined print (); // Events.attribute EventHandler onconsolemessage ;attribute EventHandler oncontentload ;attribute EventHandler ondialog ;attribute EventHandler onloadabort ;attribute EventHandler onloadcommit ;attribute EventHandler onloadstart ;attribute EventHandler onloadstop ;attribute EventHandler onnewwindow ;attribute EventHandler onpermissionrequest ;attribute EventHandler onsizechanged ;attribute EventHandler onzoomchange ; };
The controlledframe
element represents its embedded navigable.
Descendents of controlledframe
elements represent nothing.
The Controlled Frame element is exposed to any Document
with the
"controlled-frame
" policy-controlled feature whose
environment settings object is an isolated context.
The IDL attributes src
and
partition
must reflect
the respective content attributes of the same name.
Each controlledframe
has an associated:
-
embedded navigable, a traversable navigable with a non-null embedderParent, or null. It is initially null.
Note: The embedded navigable appears as a top-level traversable with a null parent. Content within the embedded navigable cannot detect that it is embedded.
-
content script map, a map whose keys are
DOMString
s and whose values are content script configs. -
contentWindow, a
WindowProxy
or null. -
request, a
WebRequest
. -
contextMenus, a
ContextMenus
.
The contentWindow
getter
steps are to return this’s contentWindow.
The request
getter steps
are to return this’s request.
The contextMenus
getter
steps are to return this’s contextMenus.
controlledframe
element element is inserted into a document
whose browsing context is non-null, run the following steps:
-
If element’s
src
is not empty, then:-
Initialize a controlledframe given element.
-
controlledframe
element element is removed from a document,
run the following steps:
-
Destroy a top-level traversable given element’s embedded navigable.
-
Set element’s embedded navigable to null.
controlledframe
element element, run the
following steps:
-
Assert that element’s embedded navigable is null.
-
Let group be a new browsing context group.
-
Let document be the second return value of creating a new browsing context and document given element’s node document, element, and group.
-
Let documentState be a new document state, whose document is document.
-
Let traversable be a new traversable navigable.
-
Initialize the navigable traversable given documentState.
-
Set traversable’s embedderParent to element.
-
Set element’s embedded navigable to traversable.
-
Let initialHistoryEntry be traversable’s active session history entry.
-
Set initialHistoryEntry’s step to 0.
-
Append initialHistoryEntry to traversable’s session history entries.
These steps are needed to initialize
History
.length
in the new navigable. This is an existing issue in the HTML Standard. -
Set element’s contentWindow to document’s
WindowProxy
. -
Navigate a controlledframe given element and element’s
src
.
controlledframe
element element given a
USVString
urlString, run the following steps:
-
If urlString is not an absolute-URL string, return.
-
Let url be the result of parsing a URL given urlString and element’s node document.
-
Let historyHandling be "
auto
". -
If element’s embedded navigable’s active document is not completely loaded, then set historyHandling to "
replace
". -
Navigate element’s embedded navigable to url using element’s node document, with a
NavigationHistoryBehavior
of historyHandling.
HTMLControlledFrameElement()
constructor steps are:
-
Set this’s request to a new
WebRequest
. -
Set this’s contextMenus to a new
ContextMenus
.
3.1. Common infrastructure
controlledframe
controlledframe, a promise promise, and an optional value,
run the following steps:
-
Queue a global task on the DOM manipulation task source of controlledframe’s relevant global object to resolve promise with value.
Note: The relevant global object of controlledframe is the embedder’s
Window
object.
controlledframe
controlledframe, a promise promise, and an optional value,
run the following steps:
-
Queue a global task on the DOM manipulation task source of controlledframe’s relevant global object to reject promise with value.
Note: The relevant global object of controlledframe is the embedder’s
Window
object.
URLPattern
pattern if the
following steps return true
:
-
Let result be the result of match given pattern, and url.
-
If result is null, then return
false
. -
Return
true
.
3.2. Attributes
The partition
attribute
takes an identifier specifying where data related to the Controlled Frame’s
instance should be stored. The identifier is composed of a string of
alphanumeric characters. All data for the embedded navigable must be stored
in a storage shelf keyed by this partition string along with the origin
that created the data.
By default, all data stored must be held in an in-memory storage partition so
that when the last Controlled Frame element with a given
partition
value is destroyed, the data is also
destroyed. While the data is held in this partition, no data from the
Controlled Frame’s embedded navigable shall persist.
If the partition attribute identifier contains the prefix "persist:", the user agent must use a disk-based storage environment rather than an in-memory storage partition. Embedded content should not be able to detect whether its storage is in-memory or persistent.
If multiple Controlled Frames share the same partition identifier, all of their embedded navigable instances must share the same storage partition.
Note: The [STORAGE] specification is monkey patched below to partition
storage based on the value of the partition
attribute.
partition
IDL attribute setter steps are:
-
If this’s embedded navigable is not null, then:
The src
attribute reflects the Controlled
Frame’s embedded navigable’s current session history entry’s
URL.
src
IDL attribute setter steps are:
-
If this is not in a document tree, then return.
-
If this’s embedded navigable is null, then:
-
Initialize a controlledframe given this.
-
-
Otherwise:
-
Navigate a controlledframe given this and the given value.
-
3.3. Navigation methods
back
()-
Goes back one step in the overall session history entries list for the traversable navigable in the Controlled Frame.
Returns a promise that resolves to
true
if the page was successfully navigated back, orfalse
if the navigation failed or there was no previous step. canGoBack
()-
Returns a promise that resolves to
true
if the current session history entry is not the first one in the embedded navigable’s session history entries. This means that there is a previous session history entry for the navigable. forward
()-
Goes forward one step in the overall session history entries list for the traversable navigable in the Controlled Frame.
Returns a promise that resolves to
true
if the page was successfully navigated forward, orfalse
if the navigation failed or there was no next step. canGoForward
()-
Returns a promise that resolves to
true
if the current session history entry is not the last one in the embedded navigable’s session history entries. This means that there is a next session history entry for the navigable. go
()-
Reloads the current page.
go
(relativeIndex)-
Goes back or forward relativeIndex number of steps in the overall session history entries list for the current traversable navigable.
A zero relative index will reload the current page.
Returns a promise that resolves to
true
if the page was successfully navigated, orfalse
if the navigation failed or the provided relative index was out of range. reload
()-
Reloads the current page.
stop
()-
Cancels the document load.
controlledframe
controlledframe and an integer delta, run the
following steps:
-
Let resultPromise be a new promise.
-
Return resultPromise and run the remaining steps in parallel.
-
Let embeddedNavigable be controlledframe’s embedded navigable.
-
If embeddedNavigable is null, then resolve an embedder promise given controlledframe, resultPromise, and
false
, and abort these steps. -
If embeddedNavigable’s active document is not fully active, then resolve an embedder promise given controlledframe, resultPromise, and
false
, and abort these steps. -
Append the following session history traversal steps to embeddedNavigable:
-
Let allSteps be the result of getting all used history steps for embeddedNavigable.
-
Let currentStepIndex be the index of embeddedNavigable’s current session history step within allSteps.
-
Let targetStepIndex be currentStepIndex + delta.
-
If allSteps[targetStepIndex] does not exist, then resolve an embedder promise given controlledframe, resultPromise, and
false
, and abort these steps. -
Let result be the result of applying the traverse history step allSteps[targetStepIndex] to embeddedNavigable given a user navigation involvement of "none".
-
If result is not equal to "
applied
", then resolve an embedder promise given controlledframe, resultPromise, andfalse
. -
Otherwise, resolve an embedder promise given controlledframe, resultPromise, and
true
.
-
canGoBack()
method steps are:
-
Let result be a new promise.
-
Let controlledframe be this.
-
Let embeddedNavigable be controlledframe’s embedded navigable.
-
If embeddedNavigable is null, then resolve result with
false
and return result. -
Queue a global task on the navigation and traversal task source of embeddedNavigable’s node document’s relevant global object that will run the following steps:
-
Let canGoBack be
true
if embeddedNavigable’s current session history step is > 0,false
otherwise. -
Resolve an embedder promise given controlledframe, result, and canGoBack.
-
-
Return result.
canGoForward()
method steps are:
-
Let result be a new promise.
-
Let controlledframe be this.
-
Let embeddedNavigable be controlledframe’s embedded navigable.
-
If embeddedNavigable is null, then resolve result with
false
and return result. -
Queue a global task on the navigation and traversal task source of embeddedNavigable’s node document’s relevant global object that will run the following steps:
-
Let step be embeddedNavigable’s current session history step.
-
Let steps be the result of getting all used history steps given embeddedNavigable.
-
Let canGoForward be
true
if step + 1 < the size of steps,false
otherwise. -
Resolve an embedder promise given controlledframe, result, and canGoForward.
-
-
Return result.
back()
method steps are:
-
Return the result of delta traverse an embedded navigable’s history given this and -1.
forward()
method steps
are:
-
Return the result of delta traverse an embedded navigable’s history given this and 1.
go(relativeIndex)
method steps are:
-
Return the result of delta traverse an embedded navigable’s history given this and relativeIndex.
reload()
steps are:
-
Let embeddedNavigable be this’s embedded navigable.
-
If embeddedNavigable is null, return.
-
Queue a global task on the navigation and traversal task source of embeddedNavigable’s node document’s relevant global object that will reload embeddedNavigable given a user navigation involvement of "none".
stop()
steps are:
-
Let embeddedNavigable be this’s embedded navigable.
-
If embeddedNavigable is null, return.
-
Queue a global task on the navigation and traversal task source of embeddedNavigable’s node document’s relevant global object that will stop loading embeddedNavigable.
3.4. Scripting methods
// One of |code| or |file| must be specified but not both.dictionary {
InjectDetails DOMString ;
code USVString ; };
file dictionary {
InjectionItems DOMString ;
code sequence <USVString >; };
files enum {
RunAt ,
"document-start" ,
"document-end" , };
"document-idle" dictionary {
ContentScriptDetails required DOMString ;
name InjectionItems ;
js InjectionItems ;
css required sequence <(URLPattern or URLPatternInput )>;
urlPatterns sequence <(URLPattern or URLPatternInput )>;
excludeURLPatterns boolean ;
allFrames boolean ;
matchAboutBlank RunAt ; };
runAt
A content script config is a struct with the following items:
- pendingFetchCount
-
a
long
representing the number of pending script/style fetches. - js
-
a list of
DOMString
s containing JavaScript that will be injected into a document. - css
-
a list of
DOMString
s containing CSS that will be injected into a document. - urlPatterns
-
a list of
URLPattern
s.Note: Content may be injected into a document if its URL matches any of these patterns.
- excludeURLPatterns
-
a list of
URLPattern
s.Note: Content will not be injected into a document if its URL matches any of these patterns. This overrides urlPattern; if both lists have entries that a document’s URL matches, the content will not be injected into the document.
- allFrames
-
a boolean indicating whether content should be injected into all frames in a page, or just the top-level frame.
- matchAboutBlank
-
a boolean indicating whether content should be injected into about:blank pages.
- runAt
-
a
RunAt
indicating when JavaScript content should be executed in a document’s lifecycle.
controlledframe
controlledframe, a USVString
urlString, a boolean isCss, a
long
index, and an algorithm completionSteps that takes a long
,
a boolean
, and a DOMString
, run the following steps:
Note: Fetch a classic script cannot be used here because the fetch needs to use controlledframe’s relevant settings object, but the classic script is executed using the embedded navigable’s active document’s relevant settings object.
-
If urlString is not an valid URL string, then:
-
Run completionSteps given 0,
false
, and "". -
Return.
-
-
Let request be a new request with the following fields:
- URL
-
The result of parsing a URL given urlString and controlledframe’s node document.
- method
-
"
GET
" - destination
-
"
style
" if isCss istrue
, "script
" otherwise - client
-
controlledframe’s relevant settings object
- mode
-
"
cors
"
-
Fetch request, with processResponseConsumeBody set to the following steps given a response response and a null, failure, or byte sequence contents:
-
If response’s status is not 200, or contents is null or failure, then run completionSteps given 0,
false
, and "" -
Otherwise, run completionSteps given index,
true
, and contents.
-
ContentScriptDetails
given a
controlledframe
controlledframe and a ContentScriptDetails
details, run the following steps:
-
Let result be a new promise.
-
If details["
js
"] and details["css
"] are both defined, or both undefined, then reject result with aTypeError
and return it. -
If details["
urlPatterns
"] is empty, then reject result with aTypeError
and return it. -
Let isCss be a boolean equal to
true
if details["css
"] is defined,false
otherwise. -
If isCss is
true
and details["runAt
"] does not equal "document-start
", then reject result with aTypeError
and return it. -
Let injectionItems be details["
css
"] if isCss istrue
, details["js
"] otherwise. -
If injectionItems["
code
"] and injectionItems["files
"] are both defined, or both undefined, reject result with aTypeError
and return it. -
Return result and run the remaining steps in parallel.
-
Let config be a new content script config with the following values:
- pendingFetchCount
-
0
- urlPatterns
-
«»
- excludeURLPatterns
-
«»
- allFrames
-
details["
allFrames
"] if defined, otherwisefalse
- matchAboutBlank
-
details["
matchAboutBlank
"] if defined, otherwisefalse
- runAt
-
details["
runAt
"] if defined, otherwisedocument-idle
-
For each urlPattern in details["
urlPatterns
"]:-
If urlPattern is a
URLPattern
, then append urlPattern to config’s urlPatterns. -
Otherwise, append a new
URLPattern
given urlPattern to config’s urlPatterns.
-
-
If details["
excludeURLPatterns
"] is defined, then:-
For each urlPattern in details["
excludeURLPatterns
"]:-
If urlPattern is a
URLPattern
, then append urlPattern to config’s excludeURLPatterns. -
Otherwise, append a new
URLPattern
given urlPattern to config’s excludeURLPatterns.
-
-
-
Let completionSteps be the following algorithm, which takes a
long
index, a boolean success, and aDOMString
source:-
If success is
false
, then reject an embedder promise given controlledframe, result, andTypeError
, and abort these steps. -
If isCss, then:
-
Set config’s css[index] to source.
-
-
Otherwise:
-
Set config’s js[index] to source.
-
-
Decrement config’s pendingFetchCount.
-
If config’s pendingFetchCount is greater than 0, then return.
-
Set controlledframe’s content script map[details[
name
]] to config. -
Resolve an embedder promise given controlledframe and result.
-
-
If injectionItems["
code
"] is defined, then:-
Run completionSteps given 0,
true
, and injectionItems ["code
"].
-
-
Otherwise:
-
If injectionItems["
files
"] is empty, then reject an embedder promise given controlledframe, result, andTypeError
, and abort these steps. -
For each urlString of injectionItems ["
files
"]:-
Run fetch an injection item given controlledframe, urlString, isCss, config’s pendingFetchCount, and completionSteps.
-
Increment config’s pendingFetchCount.
-
-
-
If isTopLevel is
false
, and config’s allFrames isfalse
, then returnfalse
. -
If url matches about:blank and config’s matchAboutBlank is
false
, then returnfalse
. -
Let urlString be the result of serializing url.
-
Let match be
false
. -
For each pattern of config’s urlPatterns:
-
If urlString matches a URLPattern pattern, then set match to
true
.
-
-
For each pattern of config’s excludeURLPatterns:
-
If urlString matches a URLPattern pattern, then set match to
false
.
-
-
Return match.
Document
document, and a RunAt
currentPhase, run the following steps:
-
Let embeddedNavigable be document’s node navigable’s traversable navigable.
-
If embeddedNavigable is null or its embedderParent is null, then return.
-
Let controlledframe be embeddedNavigable’s embedderParent.
-
Let url be document’s URL.
-
Let isTopLevel be
true
if document’s node navigable’s parent is null,false
otherwise. -
For each config of controlledframe’s content script map:
-
If the result of determining whether a content script config applies to a document given config, url, and isTopLevel equals
false
, then continue. -
If currentPhase is equal to
document-start
and config’s css is not empty, then:-
For each styleSource of config’s css, run inject a stylesheet into a document given document and styleSource.
-
-
Otherwise, if currentPhase equals config’s runAt, then:
-
For each scriptSource of config’s js, run inject a script into a document given document, scriptSource, and an empty algorithm.
-
-
Document
document and a DOMString
styleSource, run the following steps:
-
Let styleSheet be a new CSS style sheet object.
-
Synchronously replace the rules of a CSSStyleSheet given styleSheet and styleSource.
-
Queue a global task on the DOM manipulation task source of document’s global object to add a CSS style sheet given document and styleSheet.
The following algorithm executes script in a Document’s environment, but that isn’t the desired behavior. The goal, which cannot be specced with the current HTML specification infrastructure, is for this algorithm to execute script in an environment that is isolated from the Document’s environment with a different global object, but with shared access to the DOM. This execution environment is called an Isolated World in Blink, which uses it to execute content scripts in extensions. See this diagram for additional details about their execution model. Gecko uses a similar approach called Xray vision. This algorithm should eventually describe a speccable implementation of this isolation that can be implemented by all browsers.
Document
document,
a DOMString
scriptSource, and an algorithm completionSteps that takes
a completion record, run the following steps:
Note: document.currentScript
is intentionally not set while executing
scriptSource.
-
Let script be the result of creating a classic script given scriptSource, document’s relevant settings object, document’s URL, and the default script fetch options.
-
Queue a global task on the DOM manipulation task source of document’s global object that will run the following steps:
-
Let completionRecord be the result of running a classic script given script.
-
Let controlledframe be document’s node navigable’s traversable navigable’s embedderParent.
-
Queue a global task on the DOM manipulation task source of controlledframe’s relevant global object that will run completionSteps with completionRecord.
-
addContentScripts(contentScriptList)
method steps are:
-
If contentScriptList is empty, return a new promise that is rejected with a
TypeError
. -
Let promises be an empty list.
-
For each contentScript in contentScriptList:
-
Let promise be the result of calling validate and resolve ContentScriptDetails given contentScript.
-
Append promise to promises.
-
-
Return the result of getting a promise for waiting for all promises given promises.
removeContentScripts(scriptNameList)
method steps are:
-
Let result be a new promise.
-
Let controlledframe be this.
-
Return result and run the remaining steps in parallel.
-
If scriptNameList is undefined, then:
-
Clear controlledframe’s content script map.
-
-
Otherwise, for each name of scriptNameList:
-
Remove controlledframe’s content script map[name].
-
-
Resolve an embedder promise given controlledframe and result.
executeScript(details)
method steps are:
-
Let result be a new promise.
-
Let controlledframe be this.
-
Return result and run the remaining steps in parallel.
-
If controlledframe’s embedded navigable is null, then reject an embedder promise given controlledframe, result, and a
TypeError
, and abort these steps. -
If details["
code
"] and details"[file
"] are either both defined or both undefined, then reject an embedder promise given controlledframe, result, and aTypeError
, and abort these steps. -
Let executionSteps be the following algorithm that takes a
long
and aDOMString
or boolean scriptString:-
If scriptString is not a
DOMString
, then reject an embedder promise given controlledframe, result, and aTypeError
, and abort these steps. -
Let document be controlledframe’s embedded navigable’s active document.
-
Inject a script into a document given document, scriptString, and the following algorithm that accepts a completion record completionRecord:
-
If completionRecord is a normal completion, then:
-
Resolve an embedder promise given controlledframe, result, and completionRecord.
[[Value]]
.
-
-
Otherwise:
-
Reject an embedder promise given controlledframe, result, and completionRecord.
[[Value]]
.
-
-
-
-
If details["
code
"] is defined, then run executionSteps given 0 and details["code
"]. -
Otherwise, fetch an injection item given controlledframe, details["
file
"],false
, 0, and executionSteps.
insertCSS(details)
method steps are:
-
Let result be a new promise.
-
Let controlledframe be this.
-
Return result and run the remaining steps in parallel.
-
If controlledframe’s embedded navigable is null, then reject an embedder promise given controlledframe, result, and a
TypeError
, and abort these steps. -
If details["
code
"] and details["file
"] are either both defined or both undefined, then reject an embedder promise given controlledframe, result, and aTypeError
, and abort these steps. -
Let executionSteps be the following algorithm that takes a
long
, a boolean success, and aDOMString
styleString:-
If success is
false
, then reject an embedder promise given controlledframe, result, and aTypeError
, and abort these steps. -
Let document be controlledframe’s embedded navigable’s active document.
-
Inject a stylesheet into a document given document and styleString.
-
Resolve an embedder promise given controlledframe and result.
-
-
If details["
code
"] is defined, then run executionSteps given 0,true
, and details["code
"]. -
Otherwise, fetch an injection item given controlledframe, details["
file
"],false
, 0, and executionSteps.
3.5. Configuration methods
dictionary {
ClearDataOptions long ; };
since dictionary {
ClearDataTypeSet boolean ;
cache boolean ;
cookies boolean ;
fileSystems boolean ;
indexedDB boolean ;
localStorage boolean ;
persistentCookies boolean ; };
sessionCookies
long
since, run the
following steps:
Note: If possible, the user agent should only remove data that has been last used after since, which represents a timestamp in milliseconds since epoch. Not all user agents track write or access time for all browsing data. Implementations should respect since to the best of their ability, but the API does not guarantee its availability.
-
Let bottle be bucket[identifier].
-
Set bottle’s proxy map reference set to a new set.
clearData(options, types)
method steps are:
-
Let resultPromise be a new promise.
-
Let controlledframe be this.
-
Return resultPromise and run the remaining steps in parallel.
-
Let clearSince be 0.
-
If options["
since
"] is defined, set clearSince to options|["since
"]. -
Let embeddingOrigin be the top-level origin of controlledframe’s relevant settings object.
-
Let partition be controlledframe’s
partition
. -
For each storageKey → shelf of the user agent’s storage shed:
-
If storageKey’s embedding origin is not equal to embeddingOrigin or storageKey’s partition is not equal to partition, then continue.
-
Let bucket be shelf["
default
"]. -
If types["
fileSystems
"] istrue
:-
Empty a storage bottle given bucket, "
fileSystem
", and clearSince.
-
-
If types["
indexedDB
"] istrue
:-
Empty a storage bottle given bucket, "
indexedDB
", and clearSince.
-
-
If types["
localStorage
"] istrue
:-
Empty a storage bottle given bucket, "
localStorage
", and clearSince.
-
-
-
If types["
cookies
"], types["persistentCookies
"], or types["sessionCookies
"] aretrue
, then:The [COOKIES] specification does not support partitioning cookies through a mechanism like storage keys. The following steps will clear all cookies, but the intention is to only delete cookies created by content within a Controlled Frame with this Controlled Frame’s current
partition
.-
For each cookie in the user agent’s cookie store:
-
If cookie’s persistent-flag is set, then:
-
If types["
cookies
"] and types["persistentCookies
"] arefalse
, then continue.
-
-
Otherwise:
-
If types["
cookies
"] and types["sessionCookies
"] arefalse
, then continue.
-
-
If cookie’s last-access-time represented as milliseconds since the epoch is less than clearSince, then continue.
-
Remove cookie from the user agent’s cookie store.
-
-
-
If types["
cache
"] istrue
, then:-
For each storageKey → cache that the user agent manages: [HTTP-CACHING]
-
If storageKey’s embedding origin is not equal to embeddingOrigin or storageKey’s partition is not equal to partition, then continue.
-
Clear cache.
-
-
-
Resolve an embedder promise given controlledframe and resultPromise.
Each embedded navigable holds a
muted boolean, which defaults to
false
. When muted is true
, the user agent must
mute all audio streams originating from within the embedded navigable.
The muted state should not be exposed to content
within the embedded navigable; when muted is
true
, volume state should not be changed in any script-visible way, but the
underlying audio streams should not be audible to users.
getAudioState()
method steps are:
-
Let resultPromise be a new promise.
-
Let controlledframe be this.
-
Return resultPromise and run the remaining steps in parallel.
-
If controlledframe’s embedded navigable is null, then reject an embedder promise given controlledframe, resultPromise, and a
TypeError
, and abort these steps. -
Let playingAudio be
true
if any content, including in nested frames, within controlledframe’s embedded navigable is currently playing audio,false
otherwise. -
Resolve an embedder promise given controlledframe, resultPromise, and playingAudio.
isAudioMuted()
method steps are:
-
Let resultPromise be a new promise.
-
Let controlledframe be this.
-
Return resultPromise and run the remaining steps in parallel.
-
If controlledframe’s embedded navigable is null, then reject an embedder promise given controlledframe, resultPromise, and a
TypeError
, and abort these steps. -
Resolve an embedder promise given controlledframe, resultPromise, and controlledframe’s embedded navigable’s muted flag.
setAudioMuted(mute)
method steps are:
-
If this’s embedded navigable is null, then throw a
TypeError
. -
Set this’s embedded navigable’s muted flag to mute.
3.5.1. Zoom
enum {
ZoomMode ,
"per-origin" ,
"per-view" };
"disabled"
The user agent holds a Controlled Frame zoom map which is a map whose keys are tuples, and values are floats.
Each HTMLControlledFrameElement
holds a ZoomMode
zoomMode, which is defaulted to per-origin
.
Each HTMLControlledFrameElement
holds a float number currentZoom, initially set to 1.0f.
How zoom level is applied to a document given float zoomLevel is specific to the implementation.
This section is non-normative.
The valid ZoomMode
values behave as follows:
per-origin
-
Zoom changes will persist in the embedded document’s origin, i.e. all other
HTMLControlledFrameElement
in the samepartition
that are navigated to that same origin will be zoomed as well. per-view
-
Zoom changes only take effect in this
HTMLControlledFrameElement
, and zoom changes in otherHTMLControlledFrameElement
will not affect the zooming of thisHTMLControlledFrameElement
. disabled
-
Disables all zooming in the
HTMLControlledFrameElement
. The content will revert to the default zoom level, and all attempted zoom changes will be ignored.
To get the per-origin zoom level, given HTMLControlledFrameElement
e, run the following steps:
-
Let result be a float initially set to 1.0f.
-
Let key be the result of obtaining a Controlled Frame storage key given the environment associated e’s embedded navigable’s active document’s current settings object.
-
If Controlled Frame zoom map[key] exists, set result to the result of get the value of Controlled Frame zoom map given key key.
-
Return result.
To set the per-origin zoom level, given HTMLControlledFrameElement
e, and a float zoomLevel, run the following steps:
-
Let key be the result of obtaining a Controlled Frame storage key given the environment associated e’s embedded navigable’s active document’s current settings object.
-
Set the value of Controlled Frame zoom map given key key and value zoomLevel.
To determine whether current document has a per-origin zoom level, given HTMLControlledFrameElement
e, run the following steps:
-
Let key be the result of obtaining a Controlled Frame storage key given the environment associated e’s embedded navigable’s active document’s current settings object.
-
If Controlled Frame zoom map[key] exist, return
true
. -
Return
false
.
The getZoomMode()
method steps are:
-
Let p be a new promise.
-
Let controlledframe be this.
-
Return p and run the remaining steps in parallel.
-
Resolve an embedder promise given controlledframe, p, and controlledframe’s zoomMode.
The setZoomMode(zoomMode)
method steps are:
-
Let p be a new promise.
-
Let controlledframe be this.
-
Return p and run the remaining steps in parallel.
-
Let currentZoomMode be the result of
getZoomMode
given controlledframe. -
If currentZoomMode equals zoomMode, resolve an embedder promise given controlledframe and p.
-
Set controlledframe’s zoomMode to zoomMode.
-
If zoomMode is
per-origin
:-
If current document has a per-origin zoom level given controlledframe is
true
:-
Let oldZoomFactor be controlledframe’s currentZoom.
-
Set controlledframe’s currentZoom to the result of get the per-origin zoom level given controlledframe.
-
If oldZoomFactor does not equal to controlledframe’s currentZoom:
-
Apply zoom level to controlledframe’s embedded document given controlledframe’s currentZoom.
-
Fire a "zoomchange" event with controlledframe, oldZoomFactor, controlledframe’s currentZoom.
-
-
-
-
If zoomMode is
disabled
:-
Let oldZoomFactor be controlledframe’s currentZoom.
-
Set controlledframe’s currentZoom to 1.0f.
-
If oldZoomFactor does not equal to controlledframe’s currentZoom:
-
Apply zoom level to controlledframe’s embedded document given controlledframe’s currentZoom.
-
Fire a "zoomchange" event with controlledframe, oldZoomFactor, controlledframe’s currentZoom.
-
-
-
Resolve an embedder promise given controlledframe and p.
The getZoom()
method steps are:
-
Let p be a new promise.
-
Let controlledframe be this.
-
Return p and run the remaining steps in parallel.
-
Let embeddedNavigable be controlledframe’s embedded navigable.
-
If embeddedNavigable is null, then reject an embedder promise given controlledframe, p, and a
TypeError
, and abort these steps. -
Resolve an embedder promise given controlledframe, p, and controlledframe’s currentZoom.
The setZoom(zoomFactor)
method steps are:
-
Let p be a new promise.
-
Let controlledframe be this.
-
Return p and run the remaining steps in parallel.
-
Let embeddedNavigable be controlledframe’s embedded navigable.
-
If embeddedNavigable is null, then reject an embedder promise given controlledframe, p, and a
TypeError
, and abort these steps. -
If controlledframe’s ZoomMode is
disabled
:-
Reject an embedder promise given controlledframe, p, and a
TypeError
, and abort these steps.
-
-
If controlledframe’s ZoomMode is
per-origin
:-
Let oldZoomFactor be controlledframe’s currentZoom.
-
Set the per-origin zoom level given controlledframe and zoomFactor.
-
For each browsing context group group in the user agent’s browsing context group set:
-
For each top-level browsing context browsingContext in group:
-
Let embeddedDocument be browsingContext’s active document.
-
Let embedder be embeddedDocument’s node navigable’s embedderParent.
-
If embedder is null, then continue.
-
Let match be
true
if all of the following conditions aretrue
:-
embedder’s ZoomMode is
per-origin
-
embeddedDocument’s origin equals controlledframe’s embedded navigable’s active document’s origin
-
embedder’s currentZoom does not equal zoomFactor
-
-
If match is
true
, then:-
Set embedder’s currentZoom to zoomFactor.
-
Apply zoom level to embeddedDocument given zoomFactor.
-
Fire a "zoomchange" event with embedder, oldZoomFactor, and zoomFactor.
-
-
-
-
-
If controlledframe’s ZoomMode is
per-view
:-
Let oldZoomFactor be controlledframe’s currentZoom.
-
Set controlledframe’s currentZoom to zoomFactor.
-
If oldZoomFactor does not equal to controlledframe’s currentZoom:
-
Apply zoom level to controlledframe’s embedded document given controlledframe’s currentZoom.
-
Fire a "zoomchange" event with controlledframe, oldZoomFactor, controlledframe’s currentZoom.
-
-
-
Resolve an embedder promise given controlledframe and p.
3.6. Capture methods
// One of |code| or |file| must be specified but not both.dictionary {
ImageDetails DOMString ;
format DOMString ; };
quality
captureVisibleRegion(options)
method steps are:
-
Let resultPromise be a new promise.
-
Let controlledframe be this.
-
Return resultPromise and run the remaining steps in parallel.
-
If controlledframe’s embedded navigable is null, then reject an embedder promise given controlledframe, resultPromise, and a
TypeError
, and abort these steps. -
Let optionsFormat be "JPEG" by default.
-
Let optionsQuality be 100 by default.
-
If options has field "format":
-
Let optionsFormat be options["format"].
-
-
If optionsFormat is an unrecognized format, then reject an embedder promise given controlledframe, resultPromise, and a
TypeError
, and abort these steps. -
If options has field "quality":
-
Let optionsQuality be options["quality"].
-
-
If optionsQuality is not an integer or is not between 0 and 100 inclusive, then reject an embedder promise given controlledframe, resultPromise, and a
TypeError
, and abort these steps. -
Let imageData be a an image showing the visible region of the embedded content encoded in optionsFormat at quality optionsQuality.
Note: The set of supported image formats is implementation-defined, but it is recommended to support at least "JPEG" and "PNG".
-
Resolve an embedder promise given controlledframe, resultPromise, and a
data:
URL that contains imageData.
print()
method steps are:
-
If this’s embedded navigable is null, then throw a
TypeError
. -
Initiate the browser print page feature for embedded content.
3.7. Events
HTMLControlledFrameElement
implements EventTarget
and supports the following event handlers (and their corresponding event handler event types).
Event handlers | Event handler event types |
---|---|
onconsolemessage
| consolemessage |
oncontentload
| contentload |
ondialog
| dialog |
onloadabort
| loadabort |
onloadcommit
| loadcommit |
onloadstart
| loadstart |
onloadstop
| loadstop |
onnewwindow
| newwindow |
onpermissionrequest
| permissionrequest |
onsizechanged
| sizechanged |
onzoomchange
| zoomchange |
The interactive events:
The UI-change events:
-
onsizechanged
- fired when the embedded web content has been resized via autosize. Only fires if autosize is enabled.
The navigation events:
-
oncontentload
- fired when theWindow
associated with embedded navigable fires a load event. -
onloadabort
- fired when navigation has exited before completion. -
onloadcommit
- fired when navigation has been completed. -
onloadstart
- fired when navigation (including reloads and traversals) starts, for every navigable of the embedded document, but not same document navigation. -
onloadstop
- fired when all pending navigations finish(either commit or abort). If a new navigation starts after, loadstop may fire again.
Each HTMLControlledFrameElement
has a load counter which is a number that is initially zero.
Each time a onloadstart
event fires, load counter increases by 1.
Each time a onloadabort
event fires, load counter decreses by 1.
Each time a onloadcommit
event fires, load counter decreses by 1.
When load counter changes from a non-zero number to 0, fire a "loadstop" event.
3.7.1. consolemessage
[Exposed =Window ,IsolatedContext ]interface {
ConsoleMessage readonly attribute long ;
level readonly attribute DOMString ; }; [
message Exposed =Window ,IsolatedContext ]interface :
ConsoleMessageEvent Event {(
constructor DOMString ,
type optional ConsoleMessageEventInit = {});
eventInitDict readonly attribute ConsoleMessage ; };
consoleMessage dictionary :
ConsoleMessageEventInit EventInit {ConsoleMessage ?; };
consoleMessage
To fire a ConsoleMessageEvent
e given controlledframe
element target, a long logLevel and a DOMString message, run the following steps:
-
Let consoleMessage be a new
ConsoleMessage
object. -
Set the following fields of consoleMessage:
-
Set e’s
consoleMessage
to consoleMessage. -
Queue a global task on the DOM manipulation task source of target’s relevant global object to dispatch e at target.
3.7.2. dialog
enum {
DialogType ,
"alert" ,
"confirm" }; [
"prompt" Exposed =Window ,IsolatedContext ]interface {
DialogController undefined okay (optional DOMString );
response undefined cancel (); }; [Exposed =Window ,IsolatedContext ]interface {
DialogMessage readonly attribute DialogType ;
messageType readonly attribute DOMString ;
messageText readonly attribute DialogController ; }; [
dialog Exposed =Window ,IsolatedContext ]interface :
DialogEvent Event {(
constructor DOMString ,
type optional DialogEventInit = {});
eventInitDict readonly attribute DialogMessage ; };
dialogMessage dictionary :
DialogEventInit EventInit {DialogMessage ?; };
dialogMessage
Each DialogController
has:
-
A boolean accept, initially set to
false
. -
A DOMString response, initally an empty string.
The cancel()
method steps are:
-
Set accept to
false
.
To fire a DialogEvent
e given
controlledframe
element target, simple-dialogs type dialogType, and
message message, run the following steps:
-
Assert that e["
dialogMessage
"]["dialog
"]["accept"] equalsfalse
. -
Let dialogMessage be a new
DialogMessage
object. -
Let dialog be a new
DialogController
object. -
Set the following fields of dialogMessage:
messageType
-
dialogType.
messageText
-
message.
dialog
-
dialog.
-
Set e’s
dialogMessage
to dialogMessage. -
Let complete be
false
. -
Queue a global task on the DOM manipulation task source of target’s relevant global object to run the following steps:
-
Dispatch e at target.
-
Set complete to
true
.
-
-
Synchronously wait for complete to be
true
.Note: Blocking here is intentional as the alert, confirm, and prompt dialogs represented by "dialog" events block the main thread, and the event handlers we’re calling here can affect the return values.
-
Return e["
dialogMessage
"]["dialog
"]["accept"] and e["dialogMessage
"]["dialog
"]["response"].
3.7.3. newwindow
enum {
WindowOpenDisposition ,
"ignore" ,
"save_to_disk" ,
"current_tab" ,
"new_background_tab" ,
"new_foreground_tab" ,
"new_window" }; [
"new_popup" Exposed =Window ,IsolatedContext ]interface {
NewWindowController undefined attach (HTMLControlledFrameElement );
newControlledFrame undefined discard (); }; [Exposed =Window ,IsolatedContext ]interface {
NewWindow readonly attribute NewWindowController ;
window readonly attribute USVString ;
targetUrl readonly attribute DOMString ;
name readonly attribute WindowOpenDisposition ; }; [
windowOpenDisposition Exposed =Window ,IsolatedContext ]interface :
NewWindowEvent Event {(
constructor DOMString ,
type optional NewWindowEventInit = {});
eventInitDict readonly attribute NewWindow ; };
newWindow dictionary :
NewWindowEventInit EventInit {NewWindow ?; };
newWindow
Each NewWindowController
has reference to a
target navigable, which is initially null.
The attach(newControlledFrame)
method steps are:
-
Set newControlledFrame’s embedded navigable to this’s target navigable.
The discard()
method steps are:
-
If this’s target navigable is not null, then close a top-level traversable given this’s target navigable.
To fire a NewWindowEvent
e
given controlledframe
element controlledFrame, USVString
url,
DOMString
target, navigable targetNavigable, and
WindowOpenDisposition
windowOpenDisposition, run the following steps:
-
Let controller be a new
NewWindowController
object. -
Set controller’s target navigable to targetNavigable.
-
Set the following fields of newWindow:
window
-
controller
targetUrl
-
url
name
-
target.
windowOpenDisposition
-
windowOpenDisposition
-
Set e’s
newWindow
to newWindow. -
Queue a global task on the DOM manipulation task source of controlledFrame’s relevant global object to dispatch e at controlledFrame.
3.7.4. permissionrequest
enum {
PermissionType ,
"media" ,
"geolocation" ,
"pointerLock" ,
"download" ,
"filesystem" ,
"fullscreen" , }; [
"hid" Exposed =Window ,IsolatedContext ]interface {
PermissionRequestControllerBase undefined allow ();undefined cancel (); }; [Exposed =Window ,IsolatedContext ]interface :
MediaPermissionRequestController PermissionRequestControllerBase {readonly attribute USVString ; }; [
url Exposed =Window ,IsolatedContext ]interface :
GeolocationPermissionRequestController PermissionRequestControllerBase {readonly attribute USVString ; }; [
url Exposed =Window ,IsolatedContext ]interface :
PointerLockPermissionRequestController PermissionRequestControllerBase {readonly attribute boolean ;
lastUnlockedBySelf readonly attribute boolean ;
userGesture readonly attribute USVString ; }; [
url Exposed =Window ,IsolatedContext ]interface :
DownloadPermissionRequestController PermissionRequestControllerBase {readonly attribute DOMString ;
requestMethod readonly attribute USVString ; }; [
url Exposed =Window ,IsolatedContext ]interface :
FileSystemPermissionRequestController PermissionRequestControllerBase {readonly attribute USVString ; }; [
url Exposed =Window ,IsolatedContext ]interface :
FullscreenPermissionRequestController PermissionRequestControllerBase {readonly attribute USVString ; }; [
origin Exposed =Window ,IsolatedContext ]interface :
HidPermissionRequestController PermissionRequestControllerBase {readonly attribute USVString ; }; [
url Exposed =Window ,IsolatedContext ]interface {
PermissionRequest readonly attribute PermissionType ;
permission readonly attribute PermissionRequestControllerBase ; }; [
request Exposed =Window ,IsolatedContext ]interface :
PermissionRequestEvent Event {(
constructor DOMString ,
type optional PermissionRequestEventInit = {});
eventInitDict readonly attribute PermissionRequest ; };
permissionRequest dictionary :
PermissionRequestEventInit EventInit {PermissionRequest ?; };
permissionRequest
Each PermissionRequestControllerBase
has a boolean value allow, which is initially false
.
The allow()
method steps are:
-
Set allow to
true
.
The cancel()
method steps are:
-
Set allow to
false
.
To fire a
PermissionRequestEvent
e given a document embeddedDocument,
controlledframe
element target, DOMString type, USVString url, an
optional dictionary options, and an algorithm completionSteps that takes
a boolean, run the following steps:
-
Let permissionRequest be a new
PermissionRequest
object. -
If type is "media":
-
Let requestController be a new
MediaPermissionRequestController
with the following attributes:url
-
url
-
-
If type is "geolocation":
-
Let requestController be a new
GeolocationPermissionRequestController
with the following attributes:url
-
url
-
-
If type is "pointerLock":
-
Let requestController be a new
PointerLockPermissionRequestController
with the following attributes:lastUnlockedBySelf
-
options["lastUnlockedBySelf"]
userGesture
-
options["userGesture"]
url
-
url
-
-
If type is "download":
-
Let requestController be a new
DownloadPermissionRequestController
with the following attributes:requestMethod
-
options["requestMethod"]
url
-
url
-
-
If type is "filesystem":
-
Let requestController be a new
FileSystemPermissionRequestController
with the following attributes:url
-
url
-
-
If type is "fullscreen":
-
Let requestController be a new
FullscreenPermissionRequestController
with the following attributes:origin
-
origin of url
-
-
If type is "hid":
-
Let requestController be a new
HidPermissionRequestController
with the following attributes:url
-
url
-
-
Set the following fields of permissionRequest:
request
-
requestController
permission
-
type.
-
Set e’s
permissionRequest
to permissionRequest. -
Queue a global task on the DOM manipulation task source of target’s relevant global object to run the following steps:
-
Dispatch e at target.
-
Queue a global task on the DOM manipulation task source of embeddedDocument’s relevant global object that runs completionSteps with e["
permissionRequest
"]["permission
"]["allow"].
-
3.7.5. sizechanged
[Exposed =Window ,IsolatedContext ]interface {
SizeChange readonly attribute unsigned long ;
oldWidth readonly attribute unsigned long ;
oldHeight readonly attribute unsigned long ;
newWidth readonly attribute unsigned long ; }; [
newHeight Exposed =Window ,IsolatedContext ]interface :
SizeChangedEvent Event {(
constructor DOMString ,
type optional SizeChangedEventInit = {});
eventInitDict readonly attribute SizeChange ; };
sizeChange dictionary :
SizeChangedEventInit EventInit {SizeChange ?; };
sizeChange
To fire a SizeChangedEvent
e given controlledframe
element target, 4 non-negative numbers oldWidth, oldHeight, newWidth, newHeight:
-
Let sizeChange be a new
SizeChange
object. -
Set the following fields of sizeChange:
-
Set e’s
sizeChange
to sizeChange. -
Queue a global task on the DOM manipulation task source of target’s relevant global object to dispatch e at target.
3.7.6. zoomchange
[Exposed =Window ,IsolatedContext ]interface {
ZoomChange readonly attribute float ;
oldZoomFactor readonly attribute float ; }; [
newZoomFactor Exposed =Window ,IsolatedContext ]interface :
ZoomChangeEvent Event {(
constructor DOMString ,
type optional ZoomChangeEventInit = {});
eventInitDict readonly attribute ZoomChange ; };
zoomChange dictionary :
ZoomChangeEventInit EventInit {ZoomChange ?; };
zoomChange
To fire a ZoomChangeEvent
e given controlledframe
element target, 2 float numbers oldZoomFactor, newZoomFactor:
-
Let zoomChange be a new
ZoomChange
object. -
Set the following fields of zoomChange:
oldZoomFactor
-
oldZoomFactor.
newZoomFactor
-
newZoomFactor.
-
Set e’s
zoomChange
to zoomChange. -
Queue a global task on the DOM manipulation task source of target’s relevant global object to dispatch e at target.
3.7.7. contentload
[Exposed =Window ,IsolatedContext ]interface :
ContentLoadEvent Event {(
constructor DOMString ,
type optional EventInit = {}); };
eventInitDict
To fire a ContentLoadEvent
e given controlledframe
element target, run the following steps:
-
Queue a global task on the DOM manipulation task source of target’s relevant global object to dispatch e at target.
3.7.8. loadabort
[Exposed =Window ,IsolatedContext ]interface {
LoadInfo readonly attribute USVString ;
url readonly attribute boolean ; }; [
isTopLevel Exposed =Window ,IsolatedContext ]interface :
LoadAbortInfo LoadInfo {readonly attribute long ;
code readonly attribute DOMString ; }; [
reason Exposed =Window ,IsolatedContext ]interface {
LoadRedirectInfo readonly attribute USVString ;
oldUrl readonly attribute USVString ;
newUrl readonly attribute boolean ; }; [
isTopLevel Exposed =Window ,IsolatedContext ]interface :
LoadAbortEvent Event {(
constructor DOMString ,
type optional LoadAbortEventInit = {});
eventInitDict readonly attribute LoadAbortInfo ; };
loadAbortInfo dictionary :
LoadAbortEventInit EventInit {LoadAbortInfo ?; };
loadAbortInfo
To fire a LoadAbortEvent
e given controlledframe
element target,
a USVString url, a boolean isTopLevel, a long code, and a DOMString
reason, run the following steps:
-
Let info be a new
LoadAbortInfo
with the following attributes:url
-
url
isTopLevel
-
isTopLevel
code
-
code
reason
-
reason
-
Set e’s
loadAbortInfo
to info. -
Queue a global task on the DOM manipulation task source of target’s relevant global object to dispatch e at target.
3.7.9. loadcommit
[Exposed =Window ,IsolatedContext ]interface :
LoadCommitEvent Event {(
constructor DOMString ,
type optional LoadCommitEventInit = {});
eventInitDict readonly attribute LoadInfo ; };
loadInfo dictionary :
LoadCommitEventInit EventInit {LoadInfo ?; };
loadInfo
To fire a LoadCommitEvent
e given controlledframe
element target,
a USVString url, and a boolean isTopLevel, run the following steps:
-
Let info be a new
LoadInfo
with the following attributes:url
-
url
isTopLevel
-
isTopLevel
-
Set e’s
loadInfo
to info. -
Queue a global task on the DOM manipulation task source of target’s relevant global object to dispatch e at target.
3.7.10. loadstart
[Exposed =Window ,IsolatedContext ]interface :
LoadStartEvent Event {(
constructor DOMString ,
type optional LoadStartEventInit = {});
eventInitDict readonly attribute LoadInfo ; };
loadInfo dictionary :
LoadStartEventInit EventInit {LoadInfo ?; };
loadInfo
To fire a LoadStartEvent
e given controlledframe
element target,
a USVString url, and a boolean isTopLevel, run the following steps:
-
Let info be a new
LoadInfo
with the following attributes:url
-
url
isTopLevel
-
isTopLevel
-
Set e’s
loadInfo
to info. -
Queue a global task on the DOM manipulation task source of target’s relevant global object to dispatch e at target.
3.7.11. loadstop
[Exposed =Window ,IsolatedContext ]interface :
LoadStopEvent Event {(
constructor DOMString ,
type optional LoadStopEventInit = {}); };
eventInitDict dictionary :
LoadStopEventInit EventInit { };
To fire a LoadStopEvent
e
given controlledframe
element target, run the following steps:
-
Queue a global task on the DOM manipulation task source of target’s relevant global object to dispatch e at target.
3.7.12. loadredirect
[Exposed =Window ,IsolatedContext ]interface :
LoadRedirectEvent Event {(
constructor DOMString ,
type optional LoadRedirectEventInit = {});
eventInitDict readonly attribute LoadRedirectInfo ; };
loadRedirectInfo dictionary :
LoadRedirectEventInit EventInit {LoadRedirectInfo ?; };
loadRedirectInfo
To fire a LoadRedirectEvent
e given controlledframe
element target, an URL oldUrl, an
URL newUrl, and a boolean isTopLevel, run the following steps:
-
Let info be a new
LoadInfo
with the following attributes:oldUrl
-
The result of serializing an URL given oldUrl
newUrl
-
The result of serializing an URL given newUrl
isTopLevel
-
isTopLevel
-
Set e’s
loadRedirectInfo
to info. -
Queue a global task on the DOM manipulation task source of target’s relevant global object to dispatch e at target.
3.7.13. Monkey Patches
3.7.13.1. [HTML]
For alert:
-
Set message to the result of optionally truncating message.
- Let embedderParent be window’s navigable’s embedderParent. .
-
If embedderParent is a
HTMLControlledFrameElement
, then fire a "dialog" event with embedderParent, "alert" and message, and return.
For confirm:
-
Set message to the result of optionally truncating message.
- Let embedderParent be window’s navigable’s embedderParent. .
-
If embedderParent is a
HTMLControlledFrameElement
, then return the result of firing a "dialog" event with embedderParent, "confirm", and message.
For prompt:
-
Set default to the result of optionally truncating default.
- Let embedderParent be window’s navigable’s embedderParent. .
-
If embedderParent is a
HTMLControlledFrameElement
, then:- Let accept and response be the results of firing a "dialog" event with embedderParent, "prompt" and message.
-
If accept equals
false
, return null. - Return response.
For window open steps:
-
Let windowOpenDisposition be "
ignore
". - Let embedderParent be sourceDocument’s node navigable’s embedderParent.
...
-
If targetNavigable is null:
-
If embedderParent is not null:
- Fire a "newwindow" event with embedderParent, url, target, targetNavigable, and windowOpenDisposition.
- Return null.
-
If embedderParent is not null:
-
If windowType is either "new and unrestricted" or "new with no opener", then:
-
Set windowOpenDisposition to one of
"
new_background_tab
", "new_foreground_tab
", or "new_window
".
Note: The value depends on the behavior support of the user agent and user settings.
-
Set targetNavigable’s active browsing context’s is popup to the result of checking if a popup window is requested, given tokenizedFeatures.
-
If targetNavigable’s active browsing context’s is popup
is
true
, set windowOpenDisposition to "new_popup
".
...
-
Set windowOpenDisposition to one of
"
-
Otherwise:
-
Set windowOpenDisposition to
"
current_tab
".
...
-
Set windowOpenDisposition to
"
Note: Step 15 and 16 also navigate targetNavigable; during navigation,
windowOpenDisposition may also be updated. For example, if navigation is
prevented, windowOpenDisposition may be set to
"ignore
". If the navigation response resulted in
download, then windowOpenDisposition may be set to
"save_to_disk
".
-
If embedderParent is not null:
- Fire a "newwindow" event with embedderParent, url, target, targetNavigable, and windowOpenDisposition.
For completely finish loading:
-
Otherwise, if container is non-null, then queue an element task on the DOM manipulation task source given container to fire an event named load at container.
- Let embedderParent be document’s node navigable’s embedderParent.
-
If embedderParent is
HTMLControlledFrameElement
, then Fire a "contentload" event with embedderParent.
Monkey-patch for loadstart, loadabort, and loadcommit which looks like the following:
-
loadstart -> at the navigation entry points: normal navigation, reloads, traversal.
-
loadcommit -> at the common navigation completion point.
-
loadabort -> at each early exist points of the algorithm between loadstart and loadcommit.
For each of these, check whether the top-level traversable of the navigable has an embedderParent of HTMLControlledFrameElement
, if so, then fire the corresponding event with input arguments.
3.7.13.2. [FETCH]
For HTTP fetch(loadredirect):
-
If internalResponse’s status is a redirect status:
-
If request’s window window is a environment settings object whose global object is a
Window
object:- Let currentNavigable be window’s associated navigable.
- Let embedderParent be currentNavigable’s top-level traversable’s embedderParent.
-
If embedderParent is a
HTMLControlledFrameElement
:1. Let oldUrl be request’s associated URL.
1. Let newUrl be response’s location url.
1. Let isTopLevel be
false
, if currentNavigable has a null parent set isTopLevel totrue
.1. Fire a "loadredirect" event with embedderParent, oldUrl, newUrl, and isTopLevel.
-
If request’s window window is a environment settings object whose global object is a
3.7.13.3. [Permissions]
Define new algorithm:
To determine if a Document document is allowed by embedder to use a permission given DOMString permission, an optional dictionary options, and an algorithm completionSteps that takes a boolean, run the following steps:
-
Let embedderParent be document’s node navigable’s embedderParent.
-
If embedderParent is not
HTMLControlledFrameElement
, returntrue
. -
Fire a "permissionrequest" event with document, embedderParent, permission, document’s URL, options, and completionSteps.
For request a position (geolocation):
-
If document is not allowed to use the "geolocation" feature:
-
If watchId was passed, remove watchId from watchIDs.
-
Call back with error passing errorCallback and PERMISSION_DENIED.
-
Terminate this algorithm.
-
-
Let blockedByEmbedder be
false
. - Check if document is allowed by embedder to use the "geolocation" feature given an algorithm that assigns its boolean argument to blockedByEmbedder and continues with the remainder of these steps.
-
If blockedByEmbedder is
true
, then:- If watchId was passed, remove watchId from watchIDs.
- Call back with error passing errorCallback and PERMISSION_DENIED.
- Terminate this algorithm.
- Let embedderParent be document’s node navigable’s embedderParent.
-
If embedderParent is
HTMLControlledFrameElement
:-
Let nodeDocument be embedderParent’s node document.
-
If nodeDocument is null:
- If watchId was passed, remove watchId from watchIDs.
- Call back with error passing errorCallback and PERMISSION_DENIED.
- Terminate this algorithm.
- Let embedderNavigator be the associated Navigator of nodeDocument’s global object.
-
Let embedderGeolocation be the
geolocation
of embedderNavigator. - Return the result of request a position with embedderGeolocation, successCallback, errorCallback, options, and whatchId.
-
Note: Other permissions will be monkey-patched similarly to geolocation. But the details are elided in this document for brevity.
3.7.13.4. [Console]
For Logger:
-
Otherwise, perform Printer(logLevel, Formatter(args)).
- Fire a "consolemessage" event with logLevel, Formatter(args).
Note: Console by default does not have association with document so we cannot track the associated HTMLControlledFrameElement
.
3.8. Integration with other specifications
This specification will make some modifications to specifications to accommodate the needs of Controlled Frame.
3.8.1. Monkey Patches
3.8.1.1. [HTML]
Each navigable has:
-
A frameId integer, initially 0.
-
A next frameId integer, initially 1.
-
An embedderParent, an
HTMLControlledFrameElement
or null.
The initialize the navigable algorithm given a navigable navigable and an optional navigable-or-null parent (default null) is monkey patched as follows:
-
Set navigable’s parent to parent.
-
If parent is not null (navigable is not a
top-level traversable), then:
- Let topLevelTraversable be the top-level traversable that navigable is a descendant of.
- Set navigable’s frameId to topLevelTraversable’s next frameId.
- Increment topLevelTraversable’s next frameId.
The update the current document readiness for Document
document to
readinessValue algorithm is monkey patched as follows:
-
Let runAt be the result of applying the following mapping to
readinessValue:
- "
loading
" - "
interactive
" - "
complete
"
- "
- Inject content scripts into a document given document and runAt.
-
Fire an event named
readystatechange
at document.
3.8.1.2. [FETCH]
The determine the network partition key algorithm is monkey extended to require double-keying on network requests originating from a Controlled Frame’s embedded navigable.
-
Let topLevelSite be the result of obtaining a site, given topLevelOrigin.
-
Let secondKey be null
or an implementation-defined value. - Let embedderParent be the result of getting an environment’s embedderParent given environment.
-
If embedderParent is not null, then set secondKey to a tuple
consisting of the top-level origin of embedderParent’s
relevant settings object, and embedderParent’s
partition
. -
Return (topLevelSite, secondKey).
3.8.1.3. [STORAGE]
Storage keys are re-defined as follows:
A storage key is a tuple consisting of an
embedding origin (an origin or null), a
partition (a DOMString
or null), and an
origin (an origin).
Note: This definition will need to be expanded to include the embedded content’s top-level origin in addition to origin in the future once storage partitioning is fully specified.
Note: Controlled Frame data is triple keyed with the origin of the document that owns the Controlled Frame element, not the top-level document that owns it.
The obtain a storage key for non-storage purposes algorithm is extended to
require double-keying on all storage belonging to a controlledframe
’s
embedded navigable.
-
Let origin be environment’s origin if environment is an environment settings object; otherwise environment’s creation URL’s origin.
-
Return a tuple consisting of origin. - Let topLevelOrigin and partition be null.
- Let embedderParent be the result of getting an environment’s embedderParent given environment.
-
If embedderParent is not null, then:
- Set topLevelOrigin to the top-level origin of embedderParent’s relevant settings object.
-
Set partition to embedderParent’s
partition
.
- Return a tuple consisting of topLevelOrigin, partition, and origin.
-
If environment is an environment settings object whose global object is a
Window
object, then:This algorithm doesn’t work for Shared or Service Workers because embedderParent is only defined on a navigable, and it’s not always possible to go from a non-
Window
environment to a navigable.-
Let navigable be environment’s global object’s navigable.
-
Let top be the top-level traversable of navigable.
-
If top’s embedderParent is not null, then return top’s embedderParent.
-
-
Return null.
4. Web Request API
enum {
ResourceType ,
"main-frame" ,
"sub-frame" ,
"stylesheet" ,
"script" ,
"image" ,
"font" ,
"object" ,
"xmlhttprequest" ,
"ping" ,
"csp-report" ,
"media" ,
"websocket" , };
"other" enum {
RequestedHeaders ,
"none" ,
"cors" , };
"all" dictionary {
WebRequestInterceptorOptions required sequence <(URLPattern or URLPatternInput )>;
urlPatterns sequence <ResourceType >= [];
resourceTypes boolean =
blocking false ;boolean =
includeRequestBody false ;RequestedHeaders = "none"; }; [
includeHeaders Exposed =Window ,IsolatedContext ]interface {
WebRequest WebRequestInterceptor createWebRequestInterceptor (WebRequestInterceptorOptions );
options Promise <undefined >interceptorBehaviorChanged (); }; [Exposed =Window ,IsolatedContext ]interface :
WebRequestInterceptor EventTarget {attribute EventHandler onauthrequired ;attribute EventHandler onbeforeredirect ;attribute EventHandler onbeforerequest ;attribute EventHandler onbeforesendheaders ;attribute EventHandler oncompleted ;attribute EventHandler onerroroccurred ;attribute EventHandler onheadersreceived ;attribute EventHandler onsendheaders ;attribute EventHandler onresponsestarted ; };enum {
DocumentLifecycle ,
"prerender" ,
"active" ,
"cached" , };
"pending-deletion" enum {
FrameType ,
"outermost-frame" ,
"fenced-frame" , }; [
"sub-frame" Exposed =Window ,IsolatedContext ]interface {
UploadData readonly attribute ArrayBuffer ?bytes ;readonly attribute DOMString ?file ; }; [Exposed =Window ,IsolatedContext ]interface {
RequestBody readonly attribute DOMString ?error ;readonly attribute any formData ;readonly attribute FrozenArray <UploadData >?raw ; }; [Exposed =Window ,IsolatedContext ]interface {
WebRequestRequest readonly attribute DOMString method ;readonly attribute DOMString id ;readonly attribute ResourceType type ;readonly attribute USVString url ;readonly attribute USVString ?initiator ;readonly attribute Headers ?headers ;readonly attribute RequestBody ?body ; }; [Exposed =Window ,IsolatedContext ]interface {
AuthChallenger readonly attribute DOMString host ;readonly attribute long port ; }; [Exposed =Window ,IsolatedContext ]interface {
WebRequestAuthDetails readonly attribute AuthChallenger challenger ;readonly attribute boolean isProxy ;readonly attribute DOMString scheme ;readonly attribute DOMString ?realm ; }; [Exposed =Window ,IsolatedContext ]interface {
WebRequestResponse readonly attribute long statusCode ;readonly attribute DOMString statusLine ;readonly attribute boolean fromCache ;readonly attribute Headers ?headers ;readonly attribute DOMString ?ip ;readonly attribute USVString ?redirectURL ;readonly attribute WebRequestAuthDetails ?auth ; }; [Exposed =Window ,IsolatedContext ]interface :
WebRequestEvent Event {readonly attribute WebRequestRequest request ;readonly attribute long frameId ;readonly attribute FrameType ?frameType ;readonly attribute DOMString ?documentId ;readonly attribute DocumentLifecycle ?documentLifecycle ;readonly attribute DOMString ?parentDocumentId ;readonly attribute long ?parentFrameId ; };dictionary {
WebRequestAuthCredentials required DOMString ;
username required DOMString ; };
password dictionary {
WebRequestAuthOptions AbortSignal ; }; [
signal Exposed =Window ,IsolatedContext ]interface :
WebRequestAuthRequiredEvent WebRequestEvent {readonly attribute WebRequestResponse response ;undefined setCredentials (Promise <WebRequestAuthCredentials >,
credentials optional WebRequestAuthOptions = {}); }; [
options Exposed =Window ,IsolatedContext ]interface :
WebRequestBeforeRedirectEvent WebRequestEvent {readonly attribute WebRequestResponse response ; }; [Exposed =Window ,IsolatedContext ]interface :
WebRequestBeforeRequestEvent WebRequestEvent {undefined redirect (USVString ); }; [
redirectURL Exposed =Window ,IsolatedContext ]interface :
WebRequestBeforeSendHeadersEvent WebRequestEvent {undefined setRequestHeaders ((Headers or HeadersInit )); }; [
requestHeaders Exposed =Window ,IsolatedContext ]interface :
WebRequestCompletedEvent WebRequestEvent {readonly attribute WebRequestResponse response ; }; [Exposed =Window ,IsolatedContext ]interface :
WebRequestErrorOccurredEvent WebRequestEvent {readonly attribute DOMString error ; }; [Exposed =Window ,IsolatedContext ]interface :
WebRequestHeadersReceivedEvent WebRequestEvent {readonly attribute WebRequestResponse response ;undefined redirect (USVString );
redirectURL undefined setResponseHeaders ((Headers or HeadersInit )); }; [
responseHeaders Exposed =Window ,IsolatedContext ]interface :
WebRequestResponseStartedEvent WebRequestEvent {readonly attribute WebRequestResponse response ; }; [Exposed =Window ,IsolatedContext ]interface :
WebRequestSendHeadersEvent WebRequestEvent {};
Each WebRequest
has an associated:
-
interceptors, which is a list of
WebRequestInterceptor
s, intially «».
Each WebRequestInterceptor
has an associated:
-
urlPatterns, which is a list of
URLPattern
s. -
resourceTypes, which is a list of
ResourceType
s. -
blocking, which is a boolean.
-
includeRequestBody, which is a boolean.
-
includeHeaders, which is a
RequestedHeaders
.
Each UploadData
has an associated:
Each RequestBody
has an associated:
-
error, which is a
DOMString
or null, initially null. -
formData, which is an
Object
or null, initially null. -
raw, which is a list of
UploadData
s or null, initially null.
Each WebRequestRequest
has an associated:
-
method, which is a
DOMString
. -
id, which is a
DOMString
. -
type, which is a
ResourceType
. -
url, which is a
USVString
. -
initiator, which is a
USVString
or null. -
headers, which is a
Headers
or null, initially null. -
body, which is a
RequestBody
or null, initially null.
Each AuthChallenger
has an associated:
Each WebRequestAuthDetails
has an associated:
-
challenger, which is an
AuthChallenger
.The
challenger
getter steps are to return this’s challenger. -
isProxy, which is a boolean.
-
scheme, which is a
DOMString
. -
realm, which is a
DOMString
or null.
Each WebRequestResponse
has an associated:
-
statusCode, which is a
long
.The
statusCode
getter steps are to return this’s statusCode. -
statusLine, which is a
DOMString
.The
statusLine
getter steps are to return this’s statusLine. -
fromCache, which is a boolean.
-
headers, which is a
Headers
or null, initially null. -
ip, which is a
DOMString
or null. -
redirectURL, which is a
USVString
or null, initially null.The
redirectURL
getter steps are to return this’s redirectURL. -
auth, which is a
WebRequestAuthDetails
or null, initially null.
Each WebRequestEvent
has an associated:
-
request, which is a
WebRequestRequest
. -
frameId, which is a
long
. -
frameType, which is a
FrameType
or null, initially null. -
documentId, which is a
DOMString
or null, initially null.The
documentId
getter steps are to return this’s documentId. -
documentLifecycle, which is a
DocumentLifecycle
or null, initially null.The
documentLifecycle
getter steps are to return this’s documentLifecycle. -
parentDocumentId, which is a
DOMString
or null, initially null.The
parentDocumentId
getter steps are to return this’s parentDocumentId. -
parentFrameId, which is a
long
or null, initially null.The
parentFrameId
getter steps are to return this’s parentFrameId.
Each WebRequestAuthRequiredEvent
has an associated:
-
response, which is a
WebRequestResponse
.
Each WebRequestBeforeRedirectEvent
has an associated:
-
response, which is a
WebRequestResponse
.
Each WebRequestCompletedEvent
has an associated:
-
response, which is a
WebRequestResponse
.
Each WebRequestErrorOccurredEvent
has an associated:
Each WebRequestHeadersReceivedEvent
has an associated:
-
response, which is a
WebRequestResponse
.
Each WebRequestResponseStartedEvent
has an associated:
-
response, which is a
WebRequestResponse
.
createWebRequestInterceptor(options)
method steps are:
-
Let interceptor be a new
WebRequestInterceptor
object. -
Set the following fields on interceptor:
- resourceTypes
-
options["
resourceTypes
"] - blocking
-
options["
blocking
"] - includeRequestBody
-
options["
includeRequestBody
"] - includeHeaders
-
options["
includeHeaders
"]
-
For each urlPattern in options["
urlPatterns
"]:-
If urlPattern is a
URLPattern
, then append urlPattern to interceptor’s urlPatterns. -
Otherwise, append a new
URLPattern
given urlPattern to interceptor’s urlPatterns.
-
-
Append interceptor to this’s interceptors.
-
Return interceptor.
interceptorBehaviorChanged(callback)
method steps are:
-
Let controlledframe be this.
-
In parallel, clear the HTTP cache associated with the partition used by environments embedded within the controlledframe
HTMLControlledFrameElement
.Note: The behavior of event handlers registered through the WebRequest API will be reflected in the HTTP cache, which will no longer be valid if the behavior of the event handlers changed. The purpose of this method is to invalidate any cache entries that were affected by WebRequest event handlers.
-
Invoke callback when the HTTP cache has been cleared.
WebRequestInterceptor
s for a request
request, run the following steps:
-
Let client be request’s client.
-
If client is null, return an empty list and
false
. -
Let window be the owning Window of an environment settings object given client.
-
If window is null then return an empty list and
false
. -
Let navigable be window’s node navigable.
-
If navigable’s embedderParent is null, return an empty list and
false
. -
Let controlledFrame be the
HTMLControlledFrameElement
corresponding to navigable’s embedderParent. -
Let applicableInterceptors be an empty list.
-
Let blocking be
false
. -
For each interceptor in controlledFrame’s request’s interceptors:
-
If request should not be intercepted by interceptor, then continue.
-
Append interceptor to applicableInterceptors.
-
If interceptor’s blocking is
true
, then set blocking totrue
.
-
-
Return applicableInterceptors and blocking.
WebRequestInterceptor
, run the following steps:
-
Let types be interceptor’s resourceTypes.
-
If types is not empty and types does not contain the result of calling get a request’s ResourceType given request, then return
false
. -
Let urlPatterns be interceptor’s urlPatterns.
-
For each urlPattern in urlPatterns:
-
If request’s URL matches a URLPattern given urlPattern, then return
true
.
-
-
Return
false
.
Window
of an environment settings object
given an environment settings object environment, run the
following steps:
-
Let global be environment’s global object.
-
If global is a
Window
object, then return global. -
If global is a
DedicatedWorkerGlobalScope
object, then:-
Let owner be global.
-
While owner is a
DedicatedWorkerGlobalScope
object:-
Let owner be owner’s owner set[0].
-
-
If owner is a
Document
object, then return owner’s relevant global object.
-
-
Return null.
4.1. Events
WebRequestInterceptor
fires the following events:
Event name | Interface | Fired when... |
---|---|---|
authrequired | WebRequestAuthRequiredEvent
| an intercepted request receives a response with an HTTP 401 (Unauthorized) 407 (Proxy Authentication Required) status. |
beforeredirect | WebRequestBeforeRedirectEvent
| an intercepted request receives a redirect response. |
beforerequest | WebRequestBeforeRequestEvent
| an intercepted request is about to start being processed. |
beforesendheaders | WebRequestBeforeSendHeadersEvent
| the request headers of an intercepted request are about to be sent. |
completed | WebRequestCompletedEvent
| an intercepted request completed. |
erroroccurred | WebRequestErrorOccurredEvent
| an error occurred when processing an intercepted request. |
headersreceived | WebRequestHeadersReceivedEvent
| an intercepted request receives response headers. |
sendheaders | WebRequestSendHeadersEvent
| an intercepted request sends its request headers. |
responsestarted | WebRequestResponseStartedEvent
| an intercepted request has begun receiving its response. |
WebRequestInterceptor
supports the following event handlers (and their
corresponding event handler event types) as event handler IDL attributes:
Event handlers | Event handler event types |
---|---|
onauthrequired
| authrequired |
onbeforeredirect
| beforeredirect |
onbeforerequest
| beforerequest |
onbeforesendheaders
| beforesendheaders |
oncompleted
| completed |
onerroroccurred
| erroroccurred |
onheadersreceived
| headersreceived |
onsendheaders
| sendheaders |
onresponsestarted
| responsestarted |
Each WebRequestAuthRequiredEvent
has an associated:
-
cancel, a boolean, initially
false
. -
authCredentials, a
Promise
<WebRequestAuthCredentials
> or null, initially null. -
options, a
WebRequestAuthOptions
, initially «».
WebRequestAuthRequiredEvent
’s
setCredentials(credentials, options)
method steps are:
-
Set this’s authCredentials to credentials.
Each WebRequestBeforeRequestEvent
has an associated:
WebRequestBeforeRequestEvent
’s
redirect(redirectURL)
method steps are to set this’s redirectURL
to redirectURL.
Each WebRequestBeforeSendHeadersEvent
has an associated:
WebRequestBeforeSendHeadersEvent
’s
setRequestHeaders(requestHeaders)
method steps are to set this’s
requestHeaders to requestHeaders.
Each WebRequestHeadersReceivedEvent
has an associated:
WebRequestHeadersReceivedEvent
’s
redirect(redirectURL)
method steps are to set this’s
redirectURL to redirectURL.
WebRequestHeadersReceivedEvent
’s
setResponseHeaders(responseHeaders)
method steps are to set this’s
responseHeaders to responseHeaders.
A WebRequestEvent result is a struct with the following items:
- cancel
-
a boolean, initially
false
- redirectURL
-
a
USVString
, initially "" - authCredentials
-
a
WebRequestAuthCredentials
or null, initially null - requestHeaders
-
a header list, initially «»
- responseHeaders
-
a header list, initially «»
-
Let interceptors and blocking be the result of getting the applicable WebRequestInterceptors of request.
-
Let result be a WebRequestEvent result.
-
Let pendingHandlerCount be interceptor’s size.
-
Let embedderGlobal be the relevant global object of the result of getting an environment’s embedderParent given request’s client.
-
For each interceptor in interceptors:
-
Let event be a new
WebRequestBeforeRequestEvent
named beforerequest. -
Populate a WebRequestEvent given event, request, and "
none
". -
If interceptor’s includeRequestBody is
true
and request’s body is not null, then:-
Let requestBody be a new
RequestBody
. -
Let body be request’s body.
TODO: serialize stream if present.
-
Switch on body’s source:
- byte sequence
-
Append a new
UploadData
with bytes equal to the serialized body’s source to requestBody’s raw. Blob
-
Append a new
UploadData
with bytes equal to the serialized body’s source to requestBody’s raw. FormData
-
-
Let formData be «[]».
-
For each entry in body’s source’s entry list:
-
Switch on entry[1]:
-
-
Set requestBody’s formData to formData.
-
-
-
Queue a global task on the DOM manipulation task source of embedderGlobal that will run the following steps:
-
Dispatch event to interceptor.
-
If event’s cancel is
true
, then set result’s cancel totrue
. -
If event’s redirectURL is not null and result’s redirectURL is "", then set result’s redirectURL to event’s redirectURL.
-
Decrement pendingHandlerCount.
-
-
-
If blocking is
true
, then wait in parallel for pendingHandlerCount to equal 0, then queue a global task on the networking task source of request’s client’s global object that will continue the remaining steps of this algorithm. -
Return result.
-
Let interceptors and blocking be the result of getting the applicable WebRequestInterceptors of request.
-
Let result be a WebRequestEvent result.
-
Let pendingHandlerCount be interceptor’s size.
-
Let embedderGlobal be the relevant global object of the result of getting an environment’s embedderParent given request’s client.
-
For each interceptor in interceptors:
-
Let event be a new
WebRequestBeforeSendHeadersEvent
named beforesendheaders. -
Populate a WebRequestEvent given event, request, and interceptor’s includeHeaders.
-
Queue a global task on the DOM manipulation task source of embedderGlobal that will run the following steps:
-
Dispatch event to interceptor.
-
If event’s cancel is
true
, then set result’s cancel totrue
. -
If event’s requestHeaders is not null, then:
-
If result’s requestHeaders is null, then set it to a new
Headers
. -
For each header in event’s requestHeaders:
-
Append header to result’s requestHeaders.
-
-
-
Decrement pendingHandlerCount.
-
-
-
If blocking is
true
, then wait in parallel for pendingHandlerCount to equal 0, then queue a global task on the networking task source of request’s client’s global object that will continue the remaining steps of this algorithm. -
Return result.
-
Let interceptors be the result of getting the applicable WebRequestInterceptors of request.
-
Let embedderGlobal be the relevant global object of the result of getting an environment’s embedderParent given request’s client.
-
For each interceptor in interceptors:
-
Let event be a new
WebRequestSendHeadersEvent
named sendheaders. -
Populate a WebRequestEvent given event, request, and interceptor’s includeHeaders.
-
Queue a global task on the DOM manipulation task source of embedderGlobal that will dispatch event to interceptor.
-
-
Let interceptors and blocking be the result of getting the applicable WebRequestInterceptors of request.
-
Let result be a WebRequestEvent result.
-
Let pendingHandlerCount be interceptor’s size.
-
Let embedderGlobal be the relevant global object of the result of getting an environment’s embedderParent given request’s client.
-
For each interceptor in interceptors:
-
Let event be a new
WebRequestHeadersReceivedEvent
named headersreceived. -
Populate a WebRequestEvent given event, request, and "
none
". -
Set event’s response to the result of creating a WebRequestResponse object given request, response, and interceptor’s includeHeaders.
-
Queue a global task on the DOM manipulation task source of embedderGlobal that will run the following steps:
-
Dispatch event to interceptor.
-
If event’s cancel is
true
, then set result’s cancel totrue
. -
If event’s redirectURL is not null and result’s redirectURL is "", then set result’s redirectURL to event’s redirectURL.
-
If event’s responseHeaders is not null, then:
-
If result’s responseHeaders is null, then set it to a new
Headers
. -
For each header in event’s responseHeaders:
-
Append header to result’s responseHeaders.
-
-
-
Decrement pendingHandlerCount.
-
-
-
If blocking is
true
, then wait in parallel for pendingHandlerCount to equal 0, then queue a global task on the networking task source of request’s client’s global object that will continue the remaining steps of this algorithm. -
Return result.
-
Let challenger be a new
AuthChallenger
with host and port equal to the host and port of response’s URL. -
If response’s status is 401, then:
-
Otherwise:
-
If scheme is null, then return null.
-
Let interceptors and blocking be the result of getting the applicable WebRequestInterceptors of request.
-
Let result be a WebRequestEvent result.
-
Let pendingHandlerCount be interceptor’s size.
-
Let embedderGlobal be the relevant global object of the result of getting an environment’s embedderParent given request’s client.
-
For each interceptor in interceptors:
-
Let event be a new
WebRequestAuthRequiredEvent
named authrequired. -
Populate a WebRequestEvent given event, request, and "
none
". -
Set event’s response to the result of creating a WebRequestResponse object given request, response, and interceptor’s includeHeaders.
-
Set event’s response’s auth to a new
WebRequestAuthDetails
whose challenger, isProxy, scheme, and realm fields have the values challenger, isProxy, scheme, and realm respectively. -
Queue a global task on the DOM manipulation task source of embedderGlobal that will run the following steps:
-
Dispatch event to interceptor.
-
Let credentials be event’s authCredentials.
-
If event’s cancel is
true
, then set result’s cancel totrue
. -
Otherwise, if credentials is a
Promise
, then:-
Let done be
false
. -
If signal is an
AbortSignal
, then add the following abort algorithm to signal:-
Set result’s cancel to
true
. -
Set done to
true
.
-
-
Upon fulfillment of credentials, run the following steps that take a resolvedValue:
-
If resolvedValue is a dictionary containing two keys equal to "username" and "password", and result’s authCredentials is undefined, then set result’s authCredentials to resolvedValue.
-
Set done to
true
.
-
-
Upon rejection of credentials, run the following steps:
-
Set done to
true
.
Note: A rejected promise will not cancel the request, but no credentials will be provided to the server.
-
-
Wait in parallel for done to equal
true
, then queue a global task on the DOM manipulation task source of embedderGlobal that will run continue the remaining steps of this algorithm.
-
Decrement pendingHandlerCount.
-
-
-
If blocking is
true
, then wait in parallel for pendingHandlerCount to equal 0, then queue a global task on the networking task source of request’s client’s global object that will continue the remaining steps of this algorithm. -
Return result.
-
Let interceptors be the result of getting the applicable WebRequestInterceptors of request.
-
Let embedderGlobal be the relevant global object of the result of getting an environment’s embedderParent given request’s client.
-
For each interceptor in interceptors:
-
Let event be a new
WebRequestBeforeRedirectEvent
named beforeredirect. -
Populate a WebRequestEvent given event, request, and "
none
". -
Set event’s response to the result of creating a WebRequestResponse object given request, response, and interceptor’s includeHeaders.
-
Let internalResponse be response, if response is not a filtered response; otherwise response’s internal response.
-
Set event’s response’s redirectURL to internalResponse’s location URL given request’s current URL’s fragment.
-
Queue a global task on the DOM manipulation task source of embedderGlobal that will dispatch event to interceptor.
-
-
Let interceptors be the result of getting the applicable WebRequestInterceptors of request.
-
Let embedderGlobal be the relevant global object of the result of getting an environment’s embedderParent given request’s client.
-
For each interceptor in interceptors:
-
Let event be a new
WebRequestResponseStartedEvent
named responsestarted. -
Populate a WebRequestEvent given event, request, and "
none
". -
Set event’s response to the result of creating a WebRequestResponse object given request, response, and interceptor’s includeHeaders.
-
Queue a global task on the DOM manipulation task source of embedderGlobal that will dispatch event to interceptor.
-
-
Let interceptors be the result of getting the applicable WebRequestInterceptors of request.
-
Let embedderGlobal be the relevant global object of the result of getting an environment’s embedderParent given request’s client.
-
For each interceptor in interceptors:
-
Let event be a new
WebRequestCompletedEvent
named completed. -
Populate a WebRequestEvent given event, request, and "
none
". -
Set event’s response to the result of creating a WebRequestResponse object given request, response, and interceptor’s includeHeaders.
-
Queue a global task on the DOM manipulation task source of embedderGlobal that will dispatch event to interceptor.
-
-
Let interceptors be the result of getting the applicable WebRequestInterceptors of request.
-
Let embedderGlobal be the relevant global object of the result of getting an environment’s embedderParent given request’s client.
-
For each interceptor in interceptors:
-
Let event be a new
WebRequestErrorOccurredEvent
named erroroccurred. -
Populate a WebRequestEvent given event, request, and "
none
". -
Set event’s error to an implementation-defined error message describing the error in response.
-
Queue a global task on the DOM manipulation task source of embedderGlobal that will dispatch event to interceptor.
-
WebRequestEvent
given a WebRequestEvent
event, a request request, and a RequestedHeaders
requestedHeaders, run the following steps:
-
Let environmentSettingsObject be request’s client.
-
Set the following fields on event:
- frameId
-
-1
-
Let window be the owning Window of an environment settings object given environmentSettingsObject.
-
If window is not null, then:
-
Update the following fields of event:
- documentId
-
environmentSettingsObject’s id.
- documentLifecycle
-
The result of getting the DocumentLifecycle of a Document given window’s associated document.
- frameId
- frameType
-
"fenced-frame"
if window’s browsing context’s fenced frame config instance is non-null,"outermost-frame"
if parentNavigable is null,"sub-frame"
otherwise.
-
If parentNavigable is not null, then update the following values of event:
- parentDocumentId
-
The id of parentNavigable’s active document’s relevant global object.
- parentFrameId
-
The frameId of parentNavigable.
-
Set event’s request to a new
WebRequestRequest
with the following fields:- url
-
The last element of request’s URL list.
- method
-
request’s method.
- initiator
-
The serialization of an origin given request’s origin.
Note: An opaque origin will result in initiator being set to the
DOMString
"null". - type
-
The result of calling get a request’s ResourceType given request.
- id
-
request’s requestId.
-
If requestedHeaders is not "
none
", then set event’s request’s headers to the result of calling convert a header list to a Headers object given request’s header list, requestedHeaders, and isRequest equal totrue
.
DocumentLifecycle
of a Document
document,
run the following steps:
-
If document’s unload counter > 0, then return "
pending-deletion
". -
If document’s node navigable is non-null and is a prerendering navigable, then return "
prerender
". -
If document is salvageable and does not have its page showing, return "
cached
". -
Return "
active
".
WebRequestResponse
object given a request
request, a response response, and a RequestedHeaders
requestedHeaders, run the following steps:
-
Let response be a new
WebRequestResponse
with the following fields:- statusCode
-
response’s status.
- statusLine
-
response’s status message.
- fromCache
-
true
if response’s cache state is "local",false
otherwise. - ip
-
The ip address from which response was received if the request involved a network request.
The [FETCH] spec currently doesn’t specify storing the remote IP address used when sending request.
-
If requestedHeaders is not "
none
", then set response’s headers to the result of calling convert a header list to a Headers object given response’s header list, requestedHeaders, and isRequest equal tofalse
. -
Return response.
Headers
object given
a header list fetchHeaders, a RequestedHeaders
requestedHeaders,
and a boolean isRequest, run the following steps:
-
For each fetchHeader in fetchHeaders:
-
If all of the following conditions are met, then continue:
-
isRequest is
true
-
requestedHeaders is "
cors
". -
fetchHeader is not a CORS-safelisted request-header
-
-
If all of the following conditions are met, then continue:
-
isRequest is
false
-
requestedHeaders is "
cors
". -
fetchHeader[0] is not a CORS-safelisted response-header name
-
-
Append fetchHeader to headers.
-
-
Return headers.
ResourceType
given a request
request, run the following steps:
-
If request’s url’s scheme equals
"ws"
or"wss"
, then return "websocket
". -
If request’s initiator equals
"fetch"
or"xmlhttprequest"
, then return "xmlhttprequest
". -
If request’s destination equals
"document"
, then return "main-frame
". -
If request’s destination equals
"frame"
or"iframe"
, then return "sub-frame
". -
If request’s destination equals
"style"
or"xslt"
, then return "stylesheet
". -
If request’s destination equals
"script"
,"json"
,"audioworklet"
,"paintworklet"
,"serviceworker"
,"sharedworker"
, or"worker"
, then return "script
". -
If request’s destination equals
"image"
, then return "image
". -
If request’s destination equals
"font"
, then return "font
". -
If request’s destination equals
"object"
or"embed"
, then return "object
". -
If request’s destination equals
"audio"
,"track"
, or"video"
, then return "media
". -
If request’s destination equals
"report"
, then return "csp-report
". -
If request’s destination equals
""
and request’s keepalive istrue
, then return "ping
". -
Return "
other
".
DOMString
redirectUrl,
return a response with the following fields:
- status
-
301
- header list
-
« ("Location", redirectUrl) »
4.2. Monkey Patches
4.2.1. Fetch
A request has an associated requestId, which is an opaque string, randomly assigned at the request’s creation.
The main fetch algorithm is monkey patched as follows:
-
Let request be fetchParams’s request.
-
Let response be null.
- Let webRequestResult be the result of calling process beforeRequest events given request.
-
If webRequestResult is not null, then:
-
If webRequestResult’s cancel is
true
, then set response to a network error. -
Otherwise, if webRequestResult’s redirectURL is not an empty
DOMString
, then set response to the result of creating a redirect response given webRequestResult’s redirectURL.
-
If webRequestResult’s cancel is
The fetch response handover algorithm is monkey patched as follows:
- If response is not a network error, then call process responseStarted events given fetchParams’s request and response.
-
Let timingInfo be fetchParams’s timing info.
⋮
-
If fetchParams’s process response consume body is non-null, then:
…
- If response is not a network error, then call process completed events given fetchParams’s request and response.
- Otherwise, call process errorOccurred events given fetchParams’s request and response.
The HTTP-network-or-cache fetch algorithm is monkey patched as follows:
-
Let the revalidatingFlag be unset.
- Set webRequestResult to the result of calling process beforeSendHeaders events given request.
-
If webRequestResult is not null, then:
-
If webRequestResult’s cancel is
true
, then set response to a network error. - Otherwise, if webRequestResult’s requestHeaders is a non-empty list, then set request’s header list to webRequestResult’s requestHeaders’s header list.
-
If webRequestResult’s cancel is
-
If response is not null,
run these steps, but abort when
fetchParams is canceled:
⋮
-
If aborted, then return the appropriate network error for fetchParams.
-
If response is null, then:
-
If httpRequest’s cache mode is "
only-if-cached
", then return a network error. - Call process sendHeaders events given request.
-
Let forwardResponse be the result of running HTTP-network fetch given httpFetchParams, includeCredentials, and isNewConnectionFetch.
- Let webRequestResult be the result of calling process headersReceived events given request and forwardResponse if forwardResponse is not a network error, null otherwise.
-
If webRequestResult is not null, then:
-
If webRequestResult’s cancel is
true
, then set response to a network error. -
Otherwise, if webRequestResult’s
redirectURL is not an empty
DOMString
, then set forwardResponse to the result of creating a redirect response given webRequestResult’s redirectURL. - Otherwise, if webRequestResult’s responseHeaders is a non-empty list, then set forwardResponse’s header list to webRequestResult’s responseHeaders’s header list.
-
If webRequestResult’s cancel is
-
⋮
-
If response’s status is 401, httpRequest’s response tainting is not "cors", includeCredentials is
true
, and request’s window is an environment settings object, then:⋮
-
If request’s use-URL-credentials flag is unset or isAuthenticationFetch is
true
, then:-
If fetchParams is canceled, then return the appropriate network error for fetchParams.
-
Let username and password be null.
- Let webRequestResult be the result of calling process authRequired events given request and response.
-
If webRequestResult is not null, then:
-
If webRequestResult’s cancel
is
true
, then set response to a network error. -
Otherwise, if webRequestResult’s authCredentials is an
object
, then:-
Set username to webRequestResult’s
authCredentials["
username
"]. -
Set password to webRequestResult’s
authCredentials["
password
"].
-
Set username to webRequestResult’s
authCredentials["
-
If webRequestResult’s cancel
is
- If username and password are null, then set them to the result of prompting the end user for a username and password, respectively, in request’s window.
-
-
-
If response’s status is 407, then:
- Let webRequestResult be the result of calling process authRequired events given request and response.
-
If webRequestResult is not null, then:
-
If webRequestResult’s cancel is
true
, then set response to a network error. -
Otherwise, if webRequestResult’s authCredentials is an
object
, then:- Store webRequestResult’s authCredentials as a proxy-authentication entry.
-
If webRequestResult’s cancel is
- Otherwise, prompt the end user as appropriate ...
The HTTP-redirect fetch algorithm is monkey patched as follows:
- Call process beforeRedirect events given request and response.
-
Let request be fetchParams’s request.
5. Context Menus API
enum {
ContextType ,
"all" ,
"page" ,
"frame" ,
"selection" ,
"link" ,
"editable" ,
"image" ,
"video" , };
"audio" enum {
ItemType ,
"normal" ,
"checkbox" ,
"radio" , };
"separator" dictionary {
ContextMenusProperties boolean ;
checked sequence <ContextType >;
contexts sequence <(URLPattern or URLPatternInput )>;
documentURLPatterns boolean ;
enabled DOMString ;
parentId sequence <(URLPattern or URLPatternInput )>;
targetURLPatterns DOMString ;
title ItemType ; };
type dictionary :
ContextMenusCreateProperties ContextMenusProperties {required DOMString ; }; [
id Exposed =Window ,IsolatedContext ]interface :
ContextMenus EventTarget {Promise <undefined >create (ContextMenusCreateProperties );
properties Promise <undefined >remove (DOMString );
id Promise <undefined >removeAll ();Promise <undefined >update (DOMString ,
id optional ContextMenusProperties = {});
properties attribute EventHandler onclick ;attribute EventHandler onshow ; }; [Exposed =Window ,IsolatedContext ]interface {
MenuItemDetails readonly attribute DOMString ;
id readonly attribute DOMString ?;
parentMenuId readonly attribute boolean ?;
checked readonly attribute boolean ?; }; [
wasChecked Exposed =Window ,IsolatedContext ]interface :
ContextMenusClickEvent Event {readonly attribute MenuItemDetails ; // Details about the frame the context menu is opened within.
menuItem readonly attribute long ;
frameId readonly attribute USVString ;
frameURL readonly attribute USVString ; // Details about the element the context menu is opened within the context of.
pageURL readonly attribute boolean ;
editable readonly attribute USVString ?;
linkURL readonly attribute DOMString ?;
mediaType readonly attribute DOMString ?;
selectionText readonly attribute USVString ?; };
srcURL
Each controlledframe
has a contextMenus
member, which is a ContextMenus
. Each ContextMenus
manages a
context menu map whose keys are
DOMString
s representing menu item ids, and whose values are
ContextMenusProperties
.
Each entry of the context menu map represents a
context menu item. A context menu item
represents an entry in a context menu. A
context menu item should be shown to the user as the result of
an implementation-defined action if determining whether the context menu item will be shown returns true
given the relevant controlledframe
and
HTMLElement
that the context menu was opened within,
and the context menu item’s ContextMenusProperties
.
Note: The appearance of a context menu is implementation-defined.
The values of the context menu map, which are
ContextMenusProperties
objects, control the conditions under which the
context menu items are displayed, as well as the features and behaviors
of the items.
ContextMenusProperties
has the following fields:
contexts
-
A list of different
ContextType
. If it is not empty, then the context menu item will not be shown unless the element that was clicked on to open the context menu equals one of the list items. If it is empty, then this check is ignored. documentURLPatterns
-
A list of
URLPattern
s orURLPatternInput
s. If it is not empty, then the context menu item will not be shown unless the URL of the embedded document matches a URLPattern with one of the list items. If it is empty, then this check is ignored. targetURLPatterns
-
A list of
URLPattern
s orURLPatternInput
s. If it is not empty, then the context menu item will not be shown unless the URL of the target of the context menu matches a URLPattern with one of the list items. If it is empty, then this check is ignored.
Note: Target is the "src" attribute of img/audio/video tags and the "href" of anchor tags.
parentId
-
The ID of the parent context menu item. The context menu item may appear under a sub-menu of the parent.
title
-
The title of the menu item. This is mandatory unless
type
is "separator
". type
-
The type of the menu item.
checked
-
Whether the context menu item is initially checked, if the
type
ischeckbox
. enabled
-
Whether the context menu item is enabled.
The create(properties)
method steps are:
-
Let p be a new promise.
-
Let controlledframe be this.
-
Return p and run the following steps in parallel.
-
Let contextMenusMap be controlledframe’s context menu map.
-
Let id be the properties["
id
"]. -
If contextMenusMap[id] exists, reject p with a
TypeError
and abort these steps. -
Set contextMenusMap[id] to properties.
-
Resolve an embedder promise given controlledframe and p.
The remove(id)
method steps are:
-
Let p be a new promise.
-
Let controlledframe be this.
-
Return p and run the following steps in parallel.
-
Let contextMenusMap be controlledframe’s context menu map.
-
Remove contextMenusMap[id].
-
Resolve an embedder promise given controlledframe and p.
The removeAll()
method steps are:
-
Let p be a new promise.
-
Let controlledframe be this.
-
Return p and run the following steps in parallel.
-
Let contextMenusMap be controlledframe’s context menu map.
-
Clear contextMenusMap.
-
Resolve an embedder promise given controlledframe and p.
The update(id, properties)
method steps are:
-
Let p be a new promise.
-
Let controlledframe be this.
-
Return p and run the following steps in parallel.
-
Let contextMenusMap be controlledframe’s context menu map.
-
If contextMenusMap[id] does not exist, reject p with a
TypeError
and abort these steps. -
Set contextMenusMap[id] to properties.
-
Resolve an embedder promise given controlledframe and p.
ContextType
s represent the context of a context menu, can be following values:
frame
-
Applies when the user context-clicks in a nested frame, such as an
iframe
. selection
-
Applies when part of the document is selected.
link
-
Applies when the user context-clicks on a link.
editable
-
Applies when the user context-clicks an editable element, like a
textarea
. image
-
Applies when the user context-clicks an image.
video
-
Applies when the user context-clicks a
video
element. audio
-
Applies when the user context-clicks an
audio
element. page
-
Applies when the user context-clicks in the page, but none of the other page contexts apply (for example, the click is not on an image or a nested iframe or a link).
all
-
Specifying all is equivalent to the combination of all other contexts.
To determine whether the context menu item will be shown
given a controlledframe
element controlledframe, an
HTMLElement
element, and a ContextMenusProperties
properties:
-
Let documentUrl be the URL of controlledframe’s embedded document.
-
Let targetUrl be an empty string.
-
If element is an instance of
HTMLImageElement
, then set targetUrl to thesrc
attribute of element. -
If element is an instance of
HTMLVideoElement
, then set targetUrl to thesrc
attribute of element. -
If element is an instance of
HTMLAudioElement
, then set targetUrl to thesrc
attribute of element. -
If element is an instance of
HTMLAnchorElement
, then set targetUrl to the href attribute of element. -
If properties["
contexts
"] is not empty:-
Let matchesContext be a boolean value that is initially
false
. -
For each context in properties["
contexts
"]:-
If element matches context, set matchesContext to
true
and break;ContextType
matching behavior isn’t specified, though the note above has some information on the desired behavior.
-
-
If matchesContext is
false
, returnfalse
.
-
-
If properties["
documentURLPatterns
"] is not empty:-
Let matchesDocumentUrl be a boolean value that is initially
false
. -
For each urlPattern in properties["
documentURLPatterns
"]:-
If urlPattern is a
URLPatternInput
, then set urlPattern to a newURLPattern
given urlPattern. -
If documentUrl matches a URLPattern, given urlPattern, then set matchesDocumentUrl to
true
and break;
-
-
If matchesDocumentUrl is
false
, returnfalse
.
-
-
If properties["
targetURLPatterns
"] is not empty:-
Let matchesTargetUrl be a boolean value that is initially
false
. -
For each urlPattern in properties["
targetURLPatterns
"]:-
If urlPattern is a
URLPatternInput
, then set urlPattern to a newURLPattern
given urlPattern. -
If targetUrl matches a URLPattern, given urlPattern, then set matchesTargetUrl to
true
and break;
-
-
If matchesTargetUrl is
false
, returnfalse
.
-
-
Return
true
.
Note: Different user agents may implement additional conditions.
5.1. Events
ContextMenus
fires the following events:
Event name | Interface | Fired when... |
---|---|---|
show | Event
| a context menu is displayed to the user. |
click | ContextMenusClickEvent
| a context menu item is selected by the user. |
ContextMenus
supports the following event handlers (and their
corresponding event handler event types) as event handler IDL attributes:
Event handlers | Event handler event types |
---|---|
onshow
| show |
onclick
| click |
When one or more of a ContextMenus
contextMenus’s context menu items are shown to the user, dispatch a show event to contextMenus.
When a context menu item item is selected by a user,
dispatch a click event given the ContextMenus
item
belongs to, the HTMLElement
inside the embedding document where the
context menu is opened at, and item.
ContextMenus
contextMenus, dispatch a new Event
named show to contextMenus.
ContextMenus
contextMenus, HTMLElement
element, and menuItem
as the context menu item that was clicked, run the following steps:
-
Let id be the key of the context menu map’s entry that is associated with menuItem.
-
Let properties be the result of getting the value of the entry in context menu map given the key id.
-
Let event be a new
ContextMenusClickEvent
named click. -
Set event["
menuItem
"] to a newMenuItemDetails
with the following fields:id
-
id.
parentMenuId
-
properties["
parentId
"]. checked
-
Whether the context menu item is checked.
wasChecked
-
The state of a checkbox or radio item before it was clicked.
-
Set the following fields of event:
frameId
-
The frameId of element’s node navigable.
frameURL
-
The URL of the element’s node navigable.
pageURL
-
The URL of the element’s traversable navigable.
editable
-
Whether the element selected is editable, such as a text input.
linkURL
-
If element is an instance of
HTMLAnchorElement
, element’s href attribute. mediaType
-
One of "image", "video", or "audio", if any, based on element.
selectionText
-
The text for the context selection, if any.
srcURL
-
The "src" attribute of element, if it exists.
-
Dispatch event at contextMenus.
6. Usage Overview
Lorem ipsum. Insert basic info and example here.
7. Motivating Applications
This section is non-normative.
7.1. Latency-sensitive applications in virtualized sessions
In virtualized environments, users typically have a local thin client that renders a full virtual desktop. The actual desktop execution environment will be running on a remote virtualization server. If the user’s browser navigates to a latency-sensitive application (such as a video app), the rendered content will have additional latency ("lag") that makes the experience difficult or impossible for the user. This also applies for applications that record the user, such as video conferencing applications. In these latency-sensitive applications, the virtual desktop application can render the latency-sensitive content locally and overlay it on top of the rendered remote content to reduce this latency. This use case is also known as "browser content redirection."
7.2. Embedding third party web content without restriction
In a kiosk environment, applications must load content from third parties and
display that content on screens within their applications. A teacher may trigger
the navigation event, or it may be configured by an administrator such as a
shopping mall manager. The content may prohibit embedding by iframe
through
the use of X-Frame-Options and CSP. An controlled frame, however, should be able
to load all content, even content that prohibits embedding by iframe
.
7.3. Remote display and manipulation of web content
In a kiosk environment, applications must ensure that content continues to display on screens and may need to interrupt content with their own supplied behaviors. This behavior should work without local attendance by an administrator, and ideally can be managed remotely over the network. If content were to crash, for example, these applications should observe and respond to the crash by reloading the content in a fresh embedded view.
7.4. Clearing user content after each session
In some environments, someone only uses a single device for a brief time to complete their task, like ordering in a restaurant. When their task is complete, the embedder application should be able to clear all of the local user data associated with the task and then restart the embedded instance.
7.5. Monitor for idle sessions
While users interact with embedded content, the user may not explicitly end their session. This content may assume the user is present when they have actually finished or departed without completing the task. Embedder applications want to detect when users idle over their case’s threshold and begin a fresh session.
7.6. Arbitrarily blocking navigations
While displaying embedded web content that’s not authored by the embedder, pages may link to third party web content that’s disallowed. Allowing the embedder to edit elements in embedded content through arbitrary script injection into the web content can ensure navigation cannot occur to blocked pages. The embedder can also use the Controlled Frame API to capture navigation events and ensure that only pages to approved sites can be loaded within that controlled frame.
8. Security, Privacy, and Accessibility Considerations
This section is non-normative.
8.1. Security
Controlled Frame is based upon [Isolated-Web-Apps] (IWA) and integrates with core security specs
Since Controlled Frame is a particularly powerful API, using it or even having it available makes an app a target of various types of hacking. As a result, this API is limited to use in IWA which have additional safeguards in place to protect application developers and users. The Isolated Web App explainer has this to say:
"A user agent may also force an application to adopt this threat model if the developer needs access to APIs which would make the application an appealing target for XSS or server-side attacks."
Controlled Frame makes just such an appealing target, and to expose this with caution we’re opting into IWA to guard against certain attacks. Generally, IWAs provide strong security assurances that each of the resources in an application are secure both at rest and in-transit. You can read more about IWAs security and permissions in the IWA explainer and the IWAs [High-Watermark-Permissions] explainer.
Controlled Frame integrates with [Permissions-Policy] and [Permissions]. You can read more about Permissions Policy § 12. Privacy and Security and Permissions § E Security considerations (note the entry is currently sparse).
Attacking web sites could display content that doesn’t otherwise allow itself to be embedded and trick users on non-IWAs.
Planned mitigation:
-
Controlled Frame will only be available within IWAs
An IWA may embed another IWA (or itself) via Controlled Frame to manipulate our IWA policies somehow (e.g. an Controlled Frame embedded IWA may detect it’s being embedded due to the absence of the "controlled-frame" policy-controlled feature).
Planned mitigation:
-
Controlled Frame can only point to "https" schemes, excluding the "isolated-app" scheme used for IWAs
Controlled Frame could gain access to the powerful <controlledframe> element.
An IWA that’s not expected to use Controlled Frame may attempt to embed content.
Planned mitigation:
-
IWA APIs can never be delegated to cross-origin, so it will not be possible for any nested top-level navigable to access an IWA.
-
Secondly, only embedder applications and their same-origin IWA child navigables that have been granted the "controlled-frame" policy-controlled feature will have the Controlled Frame element available.
-
Same-origin child navigables without the "controlled-frame" policy-controlled feature will not be provided a Controlled Frame element. Their inner same-origin nested navigables will always not have it available.
An IWA may attempt to embed content from non-https schemes, such as 'http:' or 'isolated-app:'
Planned mitigation:
-
Controlled Frame will only work when the navigable’s "src" URL has an 'https:' scheme.
Malicious Controlled Frame could access the embedder’s running process (eg. Spectre attack)
Planned mitigation:
-
Controlled Frame will be executed in a separate process from the embedder’s process
Controlled Frame for a given "https origin" could interact or interfere with the user’s own storage data for that https origin
Planned mitigation:
-
We’re adding a Partition concept. Every Partition is a tuple of StorageKey and a separate object key.
-
Let there be a default partition with key=0 that stores "non-IWA" window and tab usage.
-
Controlled Frame will always store data in a certain StorageKey which is apart from the default partition.
-
Data written to by a given "https origin" while the user accesses that origin via an IWA Controlled Frame will be isolated from the default partition.
-
All usage will be separated between IWA and each partition will be fully isolated from each other and from default usage outside of IWA.
Malicious Controlled Frame could overwrite embedder’s stored data
-
The embedder and embedded storage user agent could overlap, and possibly multiple same-site IWA child navigables could be affected by activity in the Controlled Frame
-
if storage user agents were shared between the embedder and embedded sites, clearing data for either one could negatively impact the other
Planned mitigation:
-
IWA and Controlled Frame will always have separate storage user agents
-
A Controlled Frame should not have read or write access to other storage user agents besides its own
Malicious Controlled Frame may detect it is embedded and attempt to attack the embedder application
Planned mitigation:
-
The user agent will match the browser.
-
The Controlled Frame storage user agent will be separate from the IWA and the default storage user agents.
-
The Controlled Frame process will be separate from the IWA and the default renderer and browser processes.
-
The Controlled Frame environment will appear to be the top-most navigable:
-
window should match window.parent and window.top
-
List of policy-controlled features and their disable/enable status should match the default for a navigable
-
Ideas:
-
Investigate for potential interactions around filesystem, quota storage, and localStorage APIs
User may not be able to verify the origin of the page being viewed in the Controlled Frame
Ideas:
-
Expose the origin to the user somehow, such as adding UI at the top of a Controlled Frame that displays the origin?
-
Have the IWA specify in the manifest the origins that they expect to access?
Controlled Frame may exploit vulnerabilities in out-of-date browser engine
Already addressed with:
-
Existing browser engine auto-update mechanisms
8.2. Privacy
Controlled Frame integrates with Permissions Policy and Permissions. You can read more about Permissions Policy § 12. Privacy and Security. You can read more about Permissions § E Security considerations.
For Controlled Frame specifically, we’ve identified the following privacy considerations:
-
Users' browsing within Controlled Frame will be visible to the IWA
-
IWAs can access and exfiltrate the Controlled Frame’s session cookies (this only applies to the Controlled Frame’s session since they use a separate storage partition from the IWA and the third party origin when browsed in a tab)
-
User activity in Controlled Frame can be observed by the IWA (e.g. keyboard events can be monitored, password entry can be sniffed)
-
User file upload to Controlled Frame can be hijacked
-
User data held in the Controlled Frame’s remote server could be accessed by code implanted by the IWA
-
Users that wish to clear their session history must also do so via the IWA, which will then need to clear the associated storage user agents
-
This would be necessary since embedded storage user agents are separate from the non-embedded storage user agents for any given https origin
-
-
We plan to investigate browser UX to allow users to clear the Controlled Frame storage user agents, the following cases will be considered:
-
If a user wants to clear site data for an IWA, the associated embedded storage user agents will also be cleared
-
This is because if the IWA’s data is cleared, the app will no longer have any context for the associated embedded storage user agents and therefore will no longer be used or useful to the user or organization
-
As a result, we expect that clearing an IWA’s site data will require clearing all of the associated embedded storage user agents
-
-
A user may want to clear all site data for a given "https origin", even if that origin is stored within an IWA’s embedded storage user agent
-
We may choose to provide the ability to clear all IWA site data for that "https origin" even if that site data is held within an embedded storage user agent
-
If we chose to clear the "https origin" data, IWAs would need to prepare for the possibility that embedded storage user agents may be removed outside of their control, and this may be disruptive to the IWA and introduce complexity of implementation
-
Supporting this in the browser user agent exposes browser vendors, developers, and users to additional complexity, so we may choose not to support this approach and instead leave this up to IWA developers to implement
-
As a counter example to supporting clearing a single given "https origin"'s embedded storage user agent, consider that to our knowledge no operating system behaves that way
-
i.e. there’s no central "clear browsing data" option which clears storage for all installed browser engines, each application’s storage is treated as its own to manage
-
-
-
User wants to clear the site data for a given IWA’s Controlled Frame-embedded storage user agent for a given "https origin"
-
User wants to clear the site data for a given IWA’s Controlled Frame-embedded storage user agents for all "https origins"
-
-
An IWA will need the ability to clear the storage user agent’s Controlled Frame-embedded storage user agent for a given "https origin"
8.3. Accessibility
For Controlled Frame, we’ve identified the following accessibility considerations:
-
Browser user agents' accessibility tools and APIs should have visibility into Controlled Frame
-
IWAs should expect to provide their own accessibility tools for Controlled Frame content in order to properly integrate accessibility features for some use cases (such as "browser content redirection")
9. Acknowledgements
The following people contributed to the development of this document.