From debb98ffdc8ece6df9a2f82d6f0f579eeb849bdb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philip=20J=C3=A4genstedt?= .
---
index.bs | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/index.bs b/index.bs
index 98be9645..faea73d5 100644
--- a/index.bs
+++ b/index.bs
@@ -56,7 +56,7 @@ spec:fetch; type:dfn; text:value
within their application. It can do so by delivering the following HTTP
response header to define a feature policy:
- Feature-Policy: vibrate 'none'; geolocation 'none'+ Feature-Policy: vibrate 'none'; geolocation 'none'
By specifying the "'none'
"keyword for the origin list, the
specified features will be disabled for all browsing contexts, regardless of
their origin.
https://example.com
". It can do so by delivering the
following HTTP response header to define a feature policy:
- Feature-Policy: geolocation 'self' https://example.com+ Feature-Policy: geolocation 'self' https://example.com
The allowlist is a list of one or more origins, which can include
the application's origin, optionally with the keyword "'self'
",
and any third-party origin.
https://other.com
"). It can do so by delivering the
following HTTP response header to define a feature policy:
- Feature-Policy: camera https://other.com; microphone https://other.com+
Feature-Policy: camera https://other.com; microphone https://other.com
Some features are disabled by default in embedded contexts. The policy allows the application to selectively enable such features for specified origins.
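Review bot: On the three changed example lines in this hunk (the `vibrate 'none'; geolocation 'none'`, `geolocation 'self' https://example.com` and `camera https://other.com; microphone https://other.com` headers), the removed and added text read the same, so the change appears to be to the surrounding markup only, and no description is visible above the diffstat to say so. Add a short commit description stating that the header values are unchanged and what the markup change is for, so a reader of the history does not have to compare the examples character by character.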
@@ -87,7 +87,7 @@ spec:fetch; type:dfn; text:valueFastCorp Inc. wants to disable geolocation for all cross-origin child frames, except for a specific iframe. It can do so by delivering the following HTTP response header to define a feature policy:
-Feature-Policy: geolocation 'self'+
Feature-Policy: geolocation 'self'
and including an "allow
" attribute on the iframe
element:
<iframe src="https://other.com/map" allow="geolocation"></iframe>@@ -326,18 +326,21 @@ spec:fetch; type:dfn; text:value
The Feature-Policy HTTP header - field can be used in the [=response=] (server to client) to communicate the - feature policy that should be enforced by the client.
+The `Feature-Policy
` HTTP
+ header field can be used in the [=response=] (server to client) to
+ communicate the feature policy that should be enforced by the
+ client.
The header's value is the of one or more policy directives:.
FeaturePolicy = serialized-feature-policy *("," serialized-feature-policy)-
When the user agent receives a Feature-Policy
header field,
- it MUST process and enforce
- the serialized policy as described in .
When the user agent receives a `Feature-Policy
` header field, it MUST
+ process and enforce the
+ serialized policy as described in
+ .
allow
attribute of the
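Review bot: In the hunk at -87,7, the context after the changed header line shows `allow="geolocation"` on the iframe with no origin given, and nothing in the visible lines says which origin that attribute enables the feature for when the page's own policy is `geolocation 'self'`. While this example is being touched, consider adding a sentence that states explicitly which origin receives the feature, since that is the part of the example a reader deploying the header needs to get right.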
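Review bot: In the hunk at -326,18, the grammar line kept as context still names the production `FeaturePolicy`, while the reworded sentences on both sides of it now write the header field name as `Feature-Policy` in backticks. Either align the production name with the header field name in this same change or add a short note on why they differ, so the two spellings are not read as two different things.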