[COOP] Unable to reconcile html/cross-origin-opener-policy/coop-same-origin-allow-popups-document-write.html with the specification

[cdumez]

In html/cross-origin-opener-policy/coop-same-origin-allow-popups-document-write.html:
Document A has COOP=same-origin-allow-popups
Document A calls window.open() (Let's call Document B, the document in openee)
Document A calls document.write() on Document B, adding a <meta http-equiv="refresh"> to navigate the popup cross-origin and with coop=unsafe-none.

The test does not expect the refresh navigation to swap browsing context group and I am unable to figure out why from the specification.

Because Document A has COOP=same-origin-allow-popup, I believe Document B inherits COOP=same-origin-allow-popup as well before the document.write().

Then document.write() is called and as per the document write steps, we would call the document open steps. Step 13 of the document open steps says:

Set document's is initial about:blank to false.

So then the navigation from occurs in the popup, activeCOOP=same-origin-allow-popup and isInitialAboutBlank=false when we call the check browsing context group switch coop value steps, I believe:

• isInitialAboutBlank=false
• activeDocumentCOOPValue=same-origin-allow-popups
• responseCOOPValue=unsafe-none

From my reading of the specification, this SHOULD cause a browsing context group switch because isInitialAboutBlank=false, due to the earlier call to document.write(). However, this is not what the test expects or Chrome's behavior.

What am I missing?

[cdumez]

cc @camillelamy

[cdumez]

cc @ArthurSonzogni who I think was involved in the WPT test (https://bugs.chromium.org/p/chromium/issues/detail?id=1216244)

[domenic]

/cc @rakina since it involves her favorite thing, the initial about:blank and document.write().

My totally uneducated guess is that Chrome's notion of is initial about:blank isn't fully synced between our renderer and browser processes, so it doesn't properly get the signal of isInitialAboutBlank = false.

[ArthurSonzogni]

Your reading of the spec is perfectly correct!

I initially thought this behavior was a bug in Chrome when I received bugs and wrote this regression test... Swapping browsing context group because of document.write is indeed the consequence of the specification.

There are issues with websites using the closure library. This library causes window.open(url) to translate into w = window.open() followed by a w.contentDocument.write('location = ${url}'). The goal of the library was to strip the referrer from the navigation request. This is a problem, because this prevented COOP:same-origin-allow-popup to allow the popup.
You can read:
https://bugs.chromium.org/p/chromium/issues/detail?id=1216244
to get more informations.

I think what is needed now is to invert the expectations. We should also probably fill a bug against the closure library so that they could maybe provide an alternative implementation.

[rakina]

This might be a really good time to separate "is initial about:blank"-ness by use cases, which we discussed here, but only for "window reuse" vs "history replacement".

Currently document.write() removes the "initial about:blank"-ness of the document, which I suspect is to ensure that the document will be retained in session history (because otherwise the next navigation will replace the initial empty document's entry). The next navigation won't reuse the window too (if it was still marked as the initial empty document, the next navigation will reuse the window, see spec and issue).

The current references to "is initial about blank" and "still on its initial about:blank" are all about those two cases (history & window reuse), except for the COOP case discussed here.

For this use case, I think we have a few options:

• Have another "initial about:blank" state that isn't affected by document.write()
• Keep using the "initial about:blank" state as it is right now, but ensure that current usages can handle this?
• Reconsider whether we want to use "initial about:blank" state for the COOP case at all. Maybe we want something like "is this the first navigation that happened/triggered on this frame" or something like that instead, to ensure we are enforcing the policy correctly?

[camillelamy]

So the end goal of the initial about:blank check for COOP same-origin-allow-popups is the following:

1. That the COOP same-origin-allow-popups page can open popups without browsing context group switches.
2. That a navigation from an existing page with COOP same-origin-allow-popups to another document with a different origin and/or COOP triggers a browsing context group switch.

At the same time, we also need popups to inherit their COOP from the opener, at least if they are same-origin. So we ended up with checking the initial about:blankness. I don't really think we have a better choice here - as I do believe that using document.write on the initial about blank document does put the subsequent navigation into case 2 of the above.

We should update the test to match the spec expectations and file a bug against libraries using this mechanism.

[ArthurSonzogni]

We should update the test to match the spec expectations and file a bug against libraries using this mechanism.

Will do both soon.

[ArthurSonzogni]

Will do both soon.

Done:

• COOP:SOAP vs document.write update expecations. web-platform-tests/wpt#30049
• goog.window.open with "no-referrer" should stop using document.write, because of COOP:same-origin-allow-popup. google/closure-library#1137

I guess this issue is now resolved.

[domenic]

Thanks all for the followup here!

[cdumez]

Following up in web-platform-tests/wpt#30243 because I don't think the WPT test is entirely correct.