[Spec] Network revocation patches for WebSocket and WebTransport APIs

spec.bs

@@ -269,6 +269,18 @@ spec: attribution-reporting; urlPrefix: https://wicg.github.io/attribution-repor
 spec: turtledove; urlPrefix: https://wicg.github.io/turtledove/
   type: dfn
     text: construct a pending fenced frame config; url: construct-a-pending-fenced-frame-config
+spec: RFC6455; urlPrefix: https://datatracker.ietf.org/doc/html/rfc6455
+  type: dfn
+    text: fail the WebSocket connection; url: #section-7.1.7
+spec: WebSocket; urlPrefix: https://websockets.spec.whatwg.org/
+  type: dfn
+    text: establish a WebSocket connection; url: #concept-websocket-establish
+spec: WebTransport; urlPrefix: https://w3c.github.io/webtransport
+  type: dfn
+    for: WebTransport
+      text: cleanup; url: #webtransport-cleanup
+      text: queue a network task; url: #webtransport-queue-a-network-task
+    text: initialize WebTransport over HTTP; url: #initialize-webtransport-over-http
 </pre>
 
 <style>
@@ -2003,6 +2015,16 @@ Several APIs specific to fenced frames are defined on the {{Fence}} interface.
 
   1. Let |settings| be [=this=]'s [=relevant settings object=].
 
+  1. [=list/For each=] {{WebSocket}} object |webSocket| whose [=relevant global object=] is
+     |global|, run [=fail the WebSocket connection=] given |webSocket|.
+
+  1. [=list/For each=] {{WebTransport}} object |webTransport| whose [=relevant global object=] is
+     |global|, [=WebTransport/cleanup=] |webTransport| with a newly [=exception/create|created=]
+     {{WebTransportError}} whose {{WebTransportErrorOptions/source}} is `"session"`.
+
+     Note: Not passing in a {{WebTransportCloseInfo}} ensures that the {{WebTransport}} object is
+     set to the `"failed"` state rather than the `"closed"` state.
+
   1. Run the following steps [=in parallel=]:
 
      1. Let |fencedFrameNonce| be |instance|'s [=fenced frame config instance/partition nonce=].
@@ -2120,6 +2142,8 @@ Issue: This will require a RFC to add a test-only function to the WPT web driver
   instance/partition nonce=] |nonce| given a [=relevant settings object=] |settings|, run these
   steps:
 
+  1. [=Assert=]: this is running [=in parallel=].
+
   1. [=set/Append=] |nonce| to the user agent's [=network revocation nonce set=].
 
   1. [=fetch group/terminated|Terminate=] |settings|'s [=fetch/fetch group=].
@@ -2139,7 +2163,19 @@ Issue: This will require a RFC to add a test-only function to the WPT web driver
   1. Return <b>allowed</b>.
 </div>
 
-<h3 id=disable-fetch>Fetch monkeypatches for network revocation</h3>
+<h3 id=disable-monkeypatches>Monkeypatches for network revocation</h3>
+
+*This introductory section is non-normative.*
+
+The network revocation mechanism in this section requires patching standards that make network
+requests. Before our patches, these standards make network requests (such as initiate WebSocket
+connections) while unaware of the network revocation status of the context that ultimately initiated
+the request. Our patches add checks to the algorithm in those standards to consider the network
+revocation status of the initiating context before the request is made. For more information, there
+are non-external WPTs that test these various APIs that [can be found
+here](https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/web_tests/wpt_internal/fenced_frame/).
+These are currently not external simply because the network revocation feature has not launched yet.
+Once launched, they will be published to the WPT repo.
 
 The network revocation mechanism requires the following monkeypatches to the [[FETCH]] Standard.
 
@@ -2161,7 +2197,37 @@ The network revocation mechanism requires the following monkeypatches to the [[F
   (<a href="https://github.com/WICG/fenced-frame/issues/191">WICG/fenced-frame#191</a>)
 </div>
 
-The network revocation mechanism requires the following monkeypatches to the [[HTML]] Standard.
+The network revocation mechanism requires the following monkeypatch to the [[WebSockets]]
+Standard.
+
+<div algorithm=establish-websocket-patch>
+  Modify the [=establish a WebSocket connection=] algorithm. Add a new step after step 10 that
+  reads:
+
+  11. If the result of running [=determine if a navigable has revoked network for itself=] given
+      <var ignore>client</var>'s [=environment settings object/global object=]'s
+      [=Window/navigable=] is true, [=fail the WebSocket connection=].
+</div>
+
+The network revocation mechanism requires the following monkeypatch to the [[WebTransport]]
+Standard.
+
+<div algorithm=initialize-webtransport-patch>
+  Modify the [=initialize WebTransport over HTTP=] algorithm. Rewrite step 5 (keeping all substeps
+  unchanged) to read:
+
+  5. If any of the following conditions are true:
+
+     - Running [=should request be blocked by Content Security Policy?=] with |request| returns
+       **"Blocked"**;
+     - Running [=should request be blocked due to a bad port=] with |request| returns **"blocked"**;
+     - Running [=determine if a navigable has revoked network for itself=] given <var
+       ignore>client</var>'s [=environment settings object/global object=]'s [=Window/navigable=]
+       returns true;
+
+     then abort the remaining steps and [=WebTransport/queue a network task=] with
+     <var ignore>transport</var> to run these steps:
+</div>
 
 <h3 id=new-request-destination>New [=request=] [=request/destination=]</h3>
 
@@ -2198,16 +2264,25 @@ table](https://fetch.spec.whatwg.org/#destination-table) to illustrate that <{fe
 
 <h3 id=gating-methods-on-network-revocation>Gating methods on network revocation</h3>
 
-*This first introductory paragraph is non-normative.*
+*This introductory section is non-normative.*
 
 After a fenced frame has fully disabled untrusted network access, meaning the {{Promise}} returned
 by {{Fence/disableUntrustedNetwork()}} has [=resolved=], certain powerful interface methods will
 become available to script which executes inside of the fenced frame. These methods are defined in
-other specifications, which will use the below algorithm to determine if invocation can occur
+other specifications, which will use the first algorithm below to determine if invocation can occur
 successfully. One example of a method which is gated behind revocation of untrusted network access
 is {{SharedStorage/get()}} when invoked outside of a {{SharedStorageWorklet}}. This method is
 defined in the [[Shared-Storage]] draft specification.
 
+In the intermediate state where {{Fence/disableUntrustedNetwork()}} has been called but the returned
+{{Promise}} has not [=resolved=] yet, there are restrictions on features that involve making
+requests over the network. The second algorithm below is used to determine whether those features
+are allowed.
+
+We make the distinction between "fully revoked" and "revoked for self"
+because nested fenced frame trees might still have network access, and these restrictions will not
+apply to them until they have invoked {{Fence/disableUntrustedNetwork()}} as well. 
+
 <div algorithm>
   To <dfn export>determine if a navigable has fully revoked network</dfn> given a [=navigable=] 
   |navigable|:
@@ -2224,6 +2299,22 @@ defined in the [[Shared-Storage]] draft specification.
   1. Return true.
 </div>
 
+<div algorithm>
+  To <dfn>determine if a navigable has revoked network for itself</dfn> given a [=navigable=] 
+  |navigable|:
+
+  1. If |navigable|'s [=navigable/traversable navigable=] is not a [=fenced navigable
+     container/fenced navigable=], return false.
+
+  1. Let |config| be |navigable|'s [=navigable/active browsing context=]'s [=browsing
+     context/fenced frame config instance=].
+
+  1. If |config|'s [=fenced frame config instance/untrusted network status=] is [=untrusted network
+     status/enabled=], return false.
+
+  1. Return true.
+</div>
+
 <h3 id=automatic-reporting>Automatic Reporting</h3>
 
 *This first introductory paragraph is non-normative.*