Replace request's "window" with "traversable for user prompts" #1823

domenic · 2025-05-09T06:14:59Z

After much discussion in #1820 and #1821, this seems to be more correct. User prompts are not tied to specific Windows, and certainly not to the client's Window. They are tied to a traversable navigable, i.e. "browser tab", and that browser tab should ideally be blanked out and updated to reflect that it's the destination that's causing the prompt, not the request client.

Closes #1820. Closes #1821. Helps whatwg/html#11250 specify browser-initiated navigations better.

At least two implementers are interested (and none opposed):
- This seems to match all browser behavior.
Tests are written and can be reviewed and commented upon at:
- Not really testable in WPT, due to Testing browser-initiated navigation. web-platform-tests/wpt#16019 I believe.
Implementation bugs are filed:
- Chromium: N/A
- Gecko: N/A, although maybe a bug to encourage the blanking-out behavior would be appreciated?
- WebKit: N/A, although maybe a bug to encourage the blanking-out behavior would be appreciated?
- Deno (not for CORS changes): N/A
MDN issue is filed: N/A
The top of this comment includes a clear commit message to use.

(See WHATWG Working Mode: Changes for more details.)

Places to update, from https://dontcallmedom.github.io/webdex/w.html#window%40%40request%40dfn:

Private Aggregation API: Do not set request's window patcg-individual-drafts/private-aggregation-api#182
Topics API Do not use request's window concept patcg-individual-drafts/topics#390
Attribution Reporting Do not set request's window WICG/attribution-reporting-api#1519
Shared Storage API Do not use request's window concept WICG/shared-storage#235
Content Security Policy 3 Switch from request's window to traversable for user prompts w3c/webappsec-csp#724
Federated Credential Management API Do not set request's window w3c-fedid/FedCM#723
Permissions Policy Do not use request's window concept w3c/webappsec-permissions-policy#565
WebDriver BiDi Do not use request's window concept w3c/webdriver-bidi#918

Preview | Diff

After much discussion in #1820 and #1821, this seems to be more correct. Closes #1820. Closes #1821. Helps whatwg/html#11250 specify browser-initiated navigations better.

annevk

This looks good to me modulo some comments. @ricea and @noamr are maybe willing to review this too.

annevk · 2025-05-09T14:03:23Z

fetch.bs

-<a for="environment settings object">global object</a> is a
-{{Window}} object). Unless stated otherwise it is
-"<code>client</code>".
+<dfn export for=request id=concept-request-window>traversable for user prompts</dfn>, that is


I'm trying to write out "end user" where I can myself. I'm not actually sure where we are consistency-wise, but is that something we can strife for? I'm happy to document it as the term to use.

Hmm, why? It seems excessively verbose...

Well, it's only four additional characters. Still shorter than implementer. "Person who operates the computer" might qualify for excessively verbose. 😛

To me it sounds a bit nicer and feels more respectful.

I dunno, it seems a lot of churn across the ecosystem, and causes me to wonder "what's the difference between an end user and a user"? (Or is it "end-user"?)

I don't really understand the more respectful bit either.

In case it helps, after all the PRs linked in the OP land, only one spec (Permissions Policy) will actually use "traversable for user prompts", so it'd be pretty easy to change later if we do decide on a larger ecosystem movement from user -> end user.

I think https://datatracker.ietf.org/doc/html/rfc8890 captures best why I'd like to make this change, though arguably you could try to define "user" in the same way.

Anyway, happy to drop this for now.

annevk · 2025-05-09T14:04:40Z

fetch.bs

+agent should avoid displaying content from the request's initiator in the
+<a for=request>traversable for user prompts</a>, especially in the case of cross-origin requests.
+Displaying a blank page behind such prompts is a good way to fulfill these requirements. Failing to
+follow these guidelines can confuse users as to which origin is responsible for the prompt.


Suggested change

follow these guidelines can confuse users as to which origin is responsible for the prompt.

follow these guidelines can confuse end users as to which origin is responsible for the prompt.

fetch.bs

annevk · 2025-05-09T14:08:04Z

fetch.bs

+    <var>httpFetchParams</var> to <var>fetchParams</var> and <var>httpRequest</var> to
+    <var>request</var>.
+
+    <p class=note>If user prompts are possible, then we need to clone <var>request</var> because ???


Because it's one of the scenarios where we might have to repeat request.

I added that, although I'm not 100% sure I understand when that would happen. Who gets the request the first time, and who gets it the second time? Does this occur for all 3 possible prompt causes (WWW-Authenticate, PACs, and TLS client certs) or just some of them?

It happens when you do a request and the server returns a challenge. Then you have to repeat the request addressing the challenge. This happens with HTTP authentication at least. I'm not sure about client certificates as they happen at the TLS level, so maybe not?

Right, OK, I think I forgot some details. But to recap:

Clients optimistically send the body to the server before getting the response headers back.

Certain response headers mean you need to restart the entire request, with a new set of request headers.

Let me see if I can tweak the wording here to make it a bit more obvious, without necessarily restating too much...