From 9de80b67b5327a0052d66b43346e3ee64a2afc7c Mon Sep 17 00:00:00 2001 From: Andrew Verge Date: Fri, 10 Jan 2025 17:18:44 +0000 Subject: [PATCH 1/4] Add spec for APIs gated on network revocation. After untrusted network access has been disabled in a fenced frame via disableUntrustedNetwork(), script running in the frame will gain access to new powerful APIs. This patch provides an algorithm that other specs can use when implementing methods that should only succeed in a fenced frame with network access revoked. Currently, the only method that will rely on this algorithm is SharedStorage.get(), which is implemented in the Shared Storage draft spec. I'm planning to update that spec separately after this PR merges. --- spec.bs | 38 +++++++++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/spec.bs b/spec.bs index 65aa289..02b65e0 100644 --- a/spec.bs +++ b/spec.bs 
@@ -762,11 +762,11 @@ can freely flow in and out without risk of the credit card information being joi data. Because of that, the fenced frame can be constructed directly from the web platform using the {{FencedFrameConfig}} constructor without compromising privacy. The button at this point has no personalized data in it since it can't access the credit card data yet. The {{Document}} can only -read that credit card data once it turns off all network access, preventing the data from flowing -out of the fenced frame and preventing it from being joined with cross-site data to build a user -profile. Once it does that, the button will then display the last 4 digits of the user's credit card -number, as it is saved in the browser, inside the first-party storage partition for the ecommerce -platform's origin. +read that credit card data once it turns off all network access via +{{Fence/disableUntrustedNetwork()}}, preventing the data from flowing out of the fenced frame and +preventing it from being joined with cross-site data to build a user profile. Once it does that, +the button will then display the last 4 digits of the user's credit card number, as it is saved in +the browser, inside the first-party storage partition for the ecommerce platform's origin.

The [=fenced frame config=] [=struct=]

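Review bot: the rewritten sentence in this hunk still says the {{Document}} "turns off all network access", while the method it now links, {{Fence/disableUntrustedNetwork()}}, and the new section added later in this patch both speak of untrusted network access; say "untrusted network access" here as well so the worked example does not overstate what the call revokes.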
@@ -2196,6 +2196,34 @@ table](https://fetch.spec.whatwg.org/#destination-table) to illustrate that <{fe * CSP directive of fenced-frame-src * Features as HTML's <fencedframe> +

Methods Gated on Network Revocation

+ +*This first introductory paragraph is non-normative.* + +After a fenced frame has fully disabled untrusted network access, meaning the {{Promise}} returned +by {{Fence/disableUntrustedNetwork()}} has [=resolved=], certain powerful interface methods will +become available to script which executes inside of the fenced frame. These methods are defined in +other specifications, which will use the below algorithm to determine if invocation can occur +successfully. Currently, the only method which is gated behind revocation of untrusted network +access is {{SharedStorage/get()}} when invoked outside of a {{SharedStorageWorklet}}. This method +is defined in the [[Shared-Storage]] draft specification. + +
+ To determine if a navigable has fully revoked network given a [=navigable=] + |navigable|: + + 1. If |navigable|'s [=navigable/traversable navigable=] is not a [=fenced navigable + container/fenced navigable=], return false. + + 1. Let |config| be |navigable|'s [=navigable/active browsing context=]'s [=browsing + context/fenced frame config instance=]. + + 1. If |config|'s [=fenced frame config instance/untrusted network status=] is not [=untrusted + network status/disabled for this tree and fenced subtrees=], return false. + + 1. Return true. +
+

Automatic Reporting

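Review bot: step 1 of "determine if a navigable has fully revoked network" checks |navigable|'s [=navigable/traversable navigable=], but step 2 then reads the [=browsing context/fenced frame config instance=] from |navigable|'s own [=navigable/active browsing context=]. Since step 1 only constrains the traversable, |navigable| may be a nested navigable inside the fenced frame; either state where the config comes from in that case or read it from the traversable navigable's active browsing context in step 2 so both steps inspect the same object. The non-normative paragraph also ties availability to the {{Promise}} from {{Fence/disableUntrustedNetwork()}} having [=resolved=], while step 3 tests the [=untrusted network status=]; a one-line note that these coincide would help the specs that call this algorithm.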
*This first introductory paragraph is non-normative.* From fd2903bb8c47f65b3493b8dd9872067e6be04efe Mon Sep 17 00:00:00 2001 From: Andrew Verge Date: Fri, 10 Jan 2025 17:35:32 +0000 Subject: [PATCH 2/4] fix header capitalization --- spec.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec.bs b/spec.bs index 02b65e0..b40d8e9 100644 --- a/spec.bs +++ b/spec.bs @@ -2196,7 +2196,7 @@ table](https://fetch.spec.whatwg.org/#destination-table) to illustrate that <{fe * CSP directive of fenced-frame-src * Features as HTML's <fencedframe> -

Methods Gated on Network Revocation

+

Methods gated on network revocation

*This first introductory paragraph is non-normative.* From 261d6e04bc0afe8c7245352d8ce349ff05930072 Mon Sep 17 00:00:00 2001 From: Andrew Verge Date: Fri, 10 Jan 2025 20:11:52 +0000 Subject: [PATCH 3/4] address comment from blu25 --- spec.bs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/spec.bs b/spec.bs index b40d8e9..acdc01d 100644 --- a/spec.bs +++ b/spec.bs @@ -2204,9 +2204,9 @@ After a fenced frame has fully disabled untrusted network access, meaning the {{ by {{Fence/disableUntrustedNetwork()}} has [=resolved=], certain powerful interface methods will become available to script which executes inside of the fenced frame. These methods are defined in other specifications, which will use the below algorithm to determine if invocation can occur -successfully. Currently, the only method which is gated behind revocation of untrusted network -access is {{SharedStorage/get()}} when invoked outside of a {{SharedStorageWorklet}}. This method -is defined in the [[Shared-Storage]] draft specification. +successfully. One example of a method which is gated behind revocation of untrusted network access +is {{SharedStorage/get()}} when invoked outside of a {{SharedStorageWorklet}}. This method is +defined in the [[Shared-Storage]] draft specification.
To determine if a navigable has fully revoked network given a [=navigable=] From 9fa9fbc675a2a02e939f5fbc8c74b786d9ced647 Mon Sep 17 00:00:00 2001 From: Andrew Verge Date: Tue, 14 Jan 2025 19:16:06 +0000 Subject: [PATCH 4/4] rename newly-introduced header --- spec.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec.bs b/spec.bs index acdc01d..6a45958 100644 --- a/spec.bs +++ b/spec.bs @@ -2196,7 +2196,7 @@ table](https://fetch.spec.whatwg.org/#destination-table) to illustrate that <{fe * CSP directive of fenced-frame-src * Features as HTML's <fencedframe> -

Methods gated on network revocation

+

Gating methods on network revocation

*This first introductory paragraph is non-normative.*
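Review bot: this is the second rename of the same header in the series (patch 2 changed the capitalization, this patch rewords it to "Gating methods on network revocation"); squash patches 2 and 4 into patch 1 before merging so the intermediate header names never land in the spec's history, and make sure the follow-up to the [[Shared-Storage]] draft mentioned in the patch 1 message references the final section name.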