Secure Contexts and Cross-Origin-Embedder-Policy

[annevk]

Related to #4921 by @shhnjk, @mystor pointed out that in addition to computing the origin way before we are ready to create a document, we also need to have the secure context state way before we are ready to have a settings object. This is particularly relevant for Cross-Origin-Embedder-Policy, which can work in a framed context, provided that frame is a secure context.

cc @mikewest

[yutakahirano]

We can check whether the url of the response is trustworthy. We can also check if the environment settings object is (or, will be) contextually secure. Which do you prefer?

Chrome implements the former.

[annevk]

@yutakahirano I suspect we want to emulate the COOP check which checks both the URL and response's HTTP state (in case it's deprecated). (And perhaps we want to abstract it to make it clear they share the same logic.)

[yutakahirano]

Something like this?

• A response response is called trustworthy when
  1. response's URL's scheme is 'https', and response's URL is trustworthy, and response's HTTPS state is 'modern', or
  2. response's URL's scheme is not 'https', and response's URL is trustworthy.
• To obtain a cross-origin opener policy given a response response and an environment reservedEnvironment:
  1. If reservedEnvironment is a non-secure context, then return "unsafe-none".
  2. If response is not trustworthy, then return "unsafe-none".
  3. ...
• To obtain an embedder policy from a response response:
  1. If response is not trustworthy, then return "unsafe-none".
  2. ...

[annevk]

Hmm, I see the dilemma. COEP doesn't always have an environment settings object at hand currently. I would suggest we try to find one though and use that to decide. Basing it solely on the response would seem to miss some cross-window-named targeting scenarios, although maybe they are ruled out and that's unclear due to #313?