Fenced frame

Draft Community Group Report

This version:
https://wicg.github.io/fenced-frame/
Editor:
Dominic Farolino (Google)
Participate:
GitHub WICG/fenced-frame
Commits:
GitHub spec.bs commits

Abstract

The fenced frame enforces a boundary between the embedding page and the cross-site embedded document such that user data visible to the two sites is not able to be joined together.

Status of this document

This specification was published by the Web Platform Incubator Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups.

1. The fencedframe element

Categories:
Flow content.
Phrasing content.
Embedded content.
Interactive content.
Palpable content.
Contexts in which this element can be used:
Where embedded content is expected.
Content model:
Nothing.
Content attributes:
Global attributes
src — Address of the resource
width — Horizontal dimension
height — Vertical dimension
Accessibility considerations:

TODO

DOM interface:
[Exposed=Window]
interface HTMLFencedFrameElement : HTMLElement {
  [HTMLConstructor] constructor();

  [CEReactions] attribute USVString src;
  [CEReactions] attribute DOMString width;
  [CEReactions] attribute DOMString height;
};


The fencedframe element represents a TODO: Wire up the browsing context "mode" that is being worked on in WICG/nav-speculation so we can have something like a nested top-level browsing context.

The src attribute TODO.

The src IDL attribute must reflect the respective content attribute of the same name.

1.1. Dimension attributes

This section details monkeypatches to [HTML]'s Dimension attributes section. This section will be updated to include fencedframe in the list of elements that the width and height dimension attributes apply to.

1.2. New fencedframe request destination

Every distinct element should have its own request destination so that its requests can be handled specially; fenced frame request behavior deviates from iframe behavior in enough ways to justify a separate destination. Update the associated request destination list to include a new entry, "fencedframe". It will have the initiator "" (the empty string), the CSP directive fenced-frame-src, and the features HTML’s <fencedframe>.

Add "fencedframe" to the non-subresource request list and to the navigation request list.

Add "fencedframe" to the RequestDestination enum.

In the fetch algorithm, step 13.2, where it says:

A user agent should set value to the first matching statement, if any, switching on request’s destination:

Add "fencedframe" to the switch cases alongside "document", "frame", and "iframe".

1.3. Patching Cross-Origin Resource Policy Internal Check

In [Fetch]'s cross-origin resource policy internal check steps, in the step

  1. Switch on policy:

Where it currently states:

If origin is same origin with response’s URL’s origin, then return allowed.

Modify it to say:

If origin is same origin with response’s URL’s origin, and destination is not "fencedframe", then return allowed.
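
The effect of this patch, shown as an added example that is not part of the specification text or any browser's code: with the modified wording, a response carrying `Cross-Origin-Resource-Policy: same-origin` is blocked for a "fencedframe" destination even when it is same origin with the requester. All names are illustrative; the sketch assumes the policy value is already resolved and that destination is handed to the check directly.

```javascript
// Added sketch: the switch in Fetch's cross-origin resource policy internal
// check, before and after the "fencedframe" patch. All function and parameter
// names are illustrative. `policy` is the already-resolved CORP value (the
// embedder-policy defaulting step is omitted), and `destination` is passed in
// directly, which is an assumption.

// Serialized tuple origin of a URL, or null when the origin is opaque.
function tupleOrigin(url) {
  const serialized = new URL(url).origin;
  return serialized === "null" ? null : serialized;
}

// Opaque origins parsed from two URLs are distinct, so they never match here.
function isSameOrigin(a, b) {
  const originA = tupleOrigin(a);
  return originA !== null && originA === tupleOrigin(b);
}

function corpInternalCheck({ origin, responseUrl, policy, destination }, patched) {
  switch (policy) {
    case null:
    case "cross-origin":
      return "allowed";
    case "same-origin":
      if (!isSameOrigin(origin, responseUrl)) return "blocked";
      // Patched text: same origin is no longer sufficient for a fenced frame.
      if (patched && destination === "fencedframe") return "blocked";
      return "allowed";
    default:
      // `same-site` needs the Public Suffix List and is untouched by the patch.
      throw new RangeError(`policy ${policy} is outside this sketch`);
  }
}

// Constructed sample: a same-origin response carrying CORP `same-origin`.
function compare(destinations) {
  const sample = {
    origin: "https://shop.example",
    responseUrl: "https://shop.example:443/ad.html",
    policy: "same-origin",
  };
  return destinations.map((destination) => ({
    destination,
    before: corpInternalCheck({ ...sample, destination }, false),
    after: corpInternalCheck({ ...sample, destination }, true),
  }));
}

console.table(compare(["iframe", "fencedframe"]));
```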

References

Normative References

[Fetch]
Anne van Kesteren. Fetch Standard. Living Standard. URL: https://fetch.spec.whatwg.org/
[HTML]
Anne van Kesteren; et al. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
[URL]
Anne van Kesteren. URL Standard. Living Standard. URL: https://url.spec.whatwg.org/
[WEBIDL]
Edgar Chen; Timothy Gu. Web IDL Standard. Living Standard. URL: https://webidl.spec.whatwg.org/
