From debb98ffdc8ece6df9a2f82d6f0f579eeb849bdb Mon Sep 17 00:00:00 2001
From: Philip Jägenstedt
Date: Tue, 19 Jun 2018 00:15:45 +0200
Subject: [PATCH] Export `Feature-Policy` as an HTTP header

The style of `Header-Name` follows Fetch, but the ` in the source are necessary because of "Markup Shorthands: css no, markdown yes" in the
.
---
 index.bs | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/index.bs b/index.bs
index 98be9645..faea73d5 100644
--- a/index.bs
+++ b/index.bs
@@ -56,7 +56,7 @@ spec:fetch; type:dfn; text:value
     within their application. It can do so by delivering the following HTTP
     response header to define a feature policy:

-      Feature-Policy: vibrate 'none'; geolocation 'none'
+ Feature-Policy: vibrate 'none'; geolocation 'none'

By specifying the "'none'"keyword for the origin list, the specified features will be disabled for all browsing contexts, regardless of their origin.
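Review bot: In this hunk the removed and added lines differ only in leading whitespace (`-      Feature-Policy: vibrate 'none'; geolocation 'none'` versus `+ Feature-Policy: vibrate 'none'; geolocation 'none'`), so as shown here the change is whitespace-only churn. If the intent of the commit is that `Feature-Policy` in every example should resolve to the newly exported header definition, the added line should carry the same backtick markup that the definition paragraph later in this patch uses; if not, the indentation change should be dropped so the diff stays minimal. Unrelated but visible in the trailing context: `"'none'"keyword` is missing the space before `keyword`, which is worth fixing while this paragraph is being touched.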

@@ -67,7 +67,7 @@ spec:fetch; type:dfn; text:value "https://example.com". It can do so by delivering the following HTTP response header to define a feature policy:

-      Feature-Policy: geolocation 'self' https://example.com
+ Feature-Policy: geolocation 'self' https://example.com

The allowlist is a list of one or more origins, which can include the application's origin, optionally with the keyword "'self'", and any third-party origin.
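Review bot: As in the first example, the only visible difference between `-      Feature-Policy: geolocation 'self' https://example.com` and its `+` counterpart is indentation; either apply the header-name markup this commit introduces in the definition paragraph so that `Feature-Policy` links to its definition here too, or leave the line untouched. Note also that the hunk header `@@ -67,7 +67,7 @@` has the first context sentence run onto the same line in this rendering, so the hunk should be re-checked against the source file to confirm the line counts still apply before merging.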

@@ -78,7 +78,7 @@ spec:fetch; type:dfn; text:value microphone input on its own origin but enable it for a specific embedee ("https://other.com"). It can do so by delivering the following HTTP response header to define a feature policy:

-
Feature-Policy: camera https://other.com; microphone https://other.com
+
Feature-Policy: camera https://other.com; microphone https://other.com

Some features are disabled by default in embedded contexts. The policy allows the application to selectively enable such features for specified origins.
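Review bot: The leading context of this hunk describes disabling "microphone input on its own origin" and enabling it for https://other.com, but the example header sets both `camera https://other.com` and `microphone https://other.com`; since the start of that sentence is cut off at the hunk header here, check that the full sentence names both features, otherwise the example and its description disagree. The `-`/`+` pair itself shows the example line unchanged apart from the line break before `Feature-Policy:`, so the same remark about carrying the exported header-name markup (or dropping the no-op change) applies.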

@@ -87,7 +87,7 @@ spec:fetch; type:dfn; text:value

FastCorp Inc. wants to disable geolocation for all cross-origin child frames, except for a specific iframe. It can do so by delivering the following HTTP response header to define a feature policy:

-
Feature-Policy: geolocation 'self'
+
Feature-Policy: geolocation 'self'

and including an "allow" attribute on the iframe element:

<iframe src="https://other.com/map" allow="geolocation"></iframe>
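Review bot: The `+` line `Feature-Policy: geolocation 'self'` is identical to the removed line apart from the line break, and the `<iframe src="https://other.com/map" allow="geolocation"></iframe>` line is unchanged context, so this hunk currently changes nothing a reader can see. If every occurrence of the header name is meant to link to the exported definition, mark it up here the same way as in the definition paragraph; otherwise drop this hunk. A small style point in the same context: the attribute is written as `"allow"` in prose while the element itself is shown as literal markup, so it would be clearer to present `allow` in code style like the iframe example it refers to.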
@@ -326,18 +326,21 @@ spec:fetch; type:dfn; text:value

Feature-Policy HTTP Header Field

-

The Feature-Policy HTTP header - field can be used in the [=response=] (server to client) to communicate the - feature policy that should be enforced by the client.

+

The `Feature-Policy` HTTP + header field can be used in the [=response=] (server to client) to + communicate the feature policy that should be enforced by the + client.

The header's value is the of one or more policy directives:.

       FeaturePolicy = serialized-feature-policy *("," serialized-feature-policy)
     
-

When the user agent receives a Feature-Policy header field, - it MUST process and enforce - the serialized policy as described in .

+

When the user agent receives a `Feature-Policy` header field, it MUST + process and enforce the + serialized policy as described in + .

The allow attribute of the
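Review bot: In the added paragraph the sentence ends `serialized policy as described in + .`, i.e. the cross-reference after "as described in" is empty in this rendering (it was already empty in the removed lines); confirm that the link target resolves in the built spec, since this is the normative pointer for how a received header is processed. The backticked `Feature-Policy` in the `+` lines is the substantive change, matching the commit subject's export of the header name, and that part reads correctly. Two pre-existing defects in the unchanged context could be fixed in the same patch: "The header's value is the of one or more policy directives:." is missing a noun after "the" and has a stray period after the colon, and the ABNF `FeaturePolicy = serialized-feature-policy *("," serialized-feature-policy)` admits no whitespace around the commas, whereas HTTP list syntax normally permits optional whitespace there, so the grammar or the surrounding prose should state whether a value such as `a 'none' , b 'none'` is accepted.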