address PR comments
xyaoinum committed Apr 24, 2024
1 parent a8ffd6e commit 6c4dc31
Showing 1 changed file with 7 additions and 7 deletions.
14 changes: 7 additions & 7 deletions spec.bs
@@ -467,16 +467,16 @@ Moreover, each {{SharedStorageWorklet}}'s [=global scopes|list of global scopes=
Note: For shared storage, redirects are disallowed for the module script request. With this restriction, it's possible to define and to use the algorithm that gets the |realm|'s [=realm/settings object=]'s [=environment settings object/origin=] (as described in [[#set-up-a-worklet-environment-settings-object-monkey-patch]]) as soon as the {{SharedStorageWorkletGlobalScope}} is created, as the origin won't change. This restriction may be removed in a future iteration of the design. If redirects become allowed, presumably, the algorithm that gets the |realm|'s [=realm/settings object=]'s [=environment settings object/origin=] should be updated to return the final request's [=request/URL=]'s [=url/origin=] after receiving the final request's response, and the user preference checkings shall only be done after that point.

### Monkey Patch for [=HTTP fetch=] ### {#http-fetch-monkey-patch}
The following step will be added to the [=HTTP fetch=] steps, before checking the redirect status (i.e. "If |actualResponse|'s status is a redirect status, ..."):
The following step will be added to the [=HTTP fetch=] steps, before checking the redirect status (i.e. "6. If |internalResponse|'s status is a redirect status, ..."):

1. If |request|'s [=request/destination=] is "sharedstorageworklet":
1. [=Assert=]: |request|'s [=request/client=] is not null.
1. If |request|'s [=request/client=]'s [=environment settings object/origin=] and |request|'s [=request/URL=]'s [=url/origin=] are not [=same origin=]:
1. Let |list| be |actualResponse|'s [=response/header list=].
1. Let |allowed| be the result of running [=get a structured field value=] algorithm given "Shared-Storage-Cross-Origin-Worklet-Allowed", "item", and |list| as input.
1. [=Assert=]: |request|'s [=request/origin=] is not "<code>client</code>".
1. If |request|'s [=request/origin=] and |request|'s [=request/URL=]'s [=url/origin=] are not [=same origin=]:
1. Let |headers| be |internalResponse|'s [=response/header list=].
1. Let |allowed| be the result of running [=get a structured field value=] algorithm given "Shared-Storage-Cross-Origin-Worklet-Allowed", "item", and |headers| as input.
1. If |allowed| is false, then return a [=network error=].

Note: The website that serves the module script must carefully consider the security risks: when the module script's [=/URL=]'s [=url/origin=] and the worklet's creator {{Window}} origin are not [=same origin=], by sending permissive CORS headers and the "Shared-Storage-Cross-Origin-Worklet-Allowed" header on the module script response, the server will be granting the worklet's creation and subsequent operations on the worklet. For example, the worklet's creator {{Window}} could poison and use up the worklet origin's [=remaining navigation budget=] by calling {{SharedStorageWorklet/selectURL()}} or {{SharedStorageWorklet/run()}}, where the worklet origin is the global scope's [=global object/realm=]'s [=realm/settings object=]'s [=environment settings object/origin=].
Note: It is the responsibility of the site serving the module script to carefully consider the security implications: when the module script's [=/URL=]'s [=url/origin=] and the worklet's creator {{Window}} origin are not [=same origin=], by sending permissive CORS headers and the "Shared-Storage-Cross-Origin-Worklet-Allowed" header on the module script response, the server will be granting the worklet's creation and subsequent operations on the worklet. For example, the worklet's creator {{Window}} could poison and use up the worklet origin's [=remaining navigation budget=] by calling {{SharedStorageWorklet/selectURL()}} or {{SharedStorageWorklet/run()}}, where the worklet origin is the global scope's [=global object/realm=]'s [=realm/settings object=]'s [=environment settings object/origin=].

### Monkey Patch for {{Worklet/addModule()}} ### {#add-module-monkey-patch}

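Review bot: the last step of the cross-origin branch, "If |allowed| is false, then return a network error.", does not handle the cases where the header is absent or fails to parse: [=get a structured field value=] returns null in both cases, and null is not false, so a cross-origin module script served with no "Shared-Storage-Cross-Origin-Worklet-Allowed" header at all would be accepted, which contradicts the Note that follows the algorithm (the server is supposed to opt in by sending the header). A non-Boolean item (for example the string "true") is likewise not false and would pass. Suggest inverting the check to "If |allowed| is not true, then return a [=network error=]." so that only an explicit Boolean true opts in. Separately, the quoted anchor "6. If |internalResponse|'s status is a redirect status, ..." hard-codes a Fetch step number that will drift as Fetch is edited; the quoted condition alone identifies the step, so drop the "6.".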
@@ -515,7 +515,7 @@ Moreover, each {{SharedStorageWorklet}}'s [=global scopes|list of global scopes=

### Monkey Patch for request [=request/destination=] ### {#request-destination-monkey-patch}

The fetch request's [=request/destination=] field should additionally include the "sharedstorageworklet" option.
The fetch request's [=request/destination=] field should additionally include "sharedstorageworklet" as a valid value.

<xmp class='idl'>
callback RunFunctionForSharedStorageSelectURLOperation = Promise<unsigned long>(sequence<USVString> urls, optional any data);
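Review bot: stating that "sharedstorageworklet" is a valid [=request/destination=] value is not sufficient on its own, because Fetch and CSP key several behaviours off the destination. In particular Fetch's set of script-like destinations ("audioworklet", "paintworklet", "script", "serviceworker", "sharedworker", "worker") drives the nosniff/MIME-type blocking checks on the response, and CSP's effective-directive lookup maps the existing worklet destinations to script-src-elem. The monkey patch should say explicitly whether "sharedstorageworklet" joins the script-like destinations and which CSP directive governs it, as the other worklet destinations do; otherwise a module script fetched for this worklet could be subject to weaker checks than an equivalent "paintworklet" fetch.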