Support propagating feature policy in popups. #170

Closed
wants to merge 63 commits into from

Conversation

@clelland clelland commented May 18, 2018

This change accounts for the fact that not all top-level browsing
contexts should be treated as top-level documents by feature policy. In
particular, new windows created with window.open() and <a href="_blank">
have auxiliary browsing contexts, which should get an inherited policy
based on the document that created them.

@clelland (Collaborator, Author):

I'm not certain what happens (given this PR) when the auxiliary browsing context is navigated. Sandboxed documents retain their sandbox flags, and that seems like the right behaviour here, although the document may be navigated to an origin where the feature would have been allowed.

@clelland (Collaborator, Author):

Question: Should the "sandbox propagates to auxiliary browsing contexts" flag apply to feature policy as well?

@clelland clelland closed this May 18, 2018
@clelland clelland reopened this May 18, 2018
This document serves as an explainer of an experimental feature which was most recently committed to the chromium [codebase](https://chromium.googlesource.com/chromium/src/+/d8e49fe9a8374c236010d75874c082e9701543fb). The state of the proposal is not complete, as there are still critical open questions regarding the correct implementation and behavior for cross- and same-origin content.

All suggestions and ideas are most welcomed!
Addressing comments, fixing typos, and more importantly renaming the feature from `document-stream-insertion` to `document-write`.
foolip and others added 23 commits June 18, 2018 23:39
The style of `Header-Name` follows Fetch, but the `&#96;` in the source
are necessary because of "Markup Shorthands: css no, markdown yes" in
the <pre class="metadata">.
This fixes the markup around the Feature-Policy HTTP header to use the
correct bikeshed markup for headers, and to denote the header name as a
byte-sequence, rather than a string.

Fixes: 181
…licy into ehsan-karamad-patch-3

Merging @ehsan-karamad's document-stream-insertion branch into master;
The branch was previously based on gh-pages, which is now just the
output directory for the rendered spec HTML.
Update broken WebVR spec links
* Updated header to include `endpoints` member.
* Updated report envelope to include `user_agent` member.
* Updated JS sample to remove reference to `body.message`.
This adds a document which explains how all of the features which are currently controlled through iframe sandboxing can be made into policy-controlled features, with the `sandbox` attribute being used to influence the constructed container policy for the frame. This also allows those features to be controlled outside of sandboxes as well.
Add the `document.policy` and `frame.policy` interfaces to allow scripts to reason about the state of the page, as well as of frames they have or may want to embed. Marked as unstable, as the API may change as we let developers experiment with it.
The link in the spec to [features.md](https://github.com/WICG/feature-policy/blob/master/features.md) was out-of-date, still pointing to the `gh-pages` branch.

Fixes: 190
Currently no plans to integrate vibrate with Feature Policy.
clelland and others added 27 commits August 14, 2018 15:15
The v0 `lazyload` policy will be binary and non-parametric. The feature will now enforce **`auto`** as opposed to **`on`**.
Fixing some typos and adding a few more lines to the explainer.
Explainer for 'lazyload' policy
[lazyload.md] Update to fix typos
* Remove message field from reports
* Update and export id for report generation
Parsing the Feature Policy header and parsing the allow attribute were
almost identical algorithms. This merges the two into a single "Parse
policy directive" algorithm which is referenced from both places.
Revised the animations policy to propose a modified policy that blocks layout inducing animations as opposed to the non-composited animations.

The change is motivated by discussions in issues #202, #203, and #204.
Update the explainer to include scroll targeting conditions.
Update the 'declared origin' algorithm.

The steps to get the declared origin for a node did not take into
account the sandbox or srcdoc attributes, which should override the src
attribute if present.

Fixes: w3c#223
Fix inherited policy algorithm

This corrects an issue with the "Define an inherited policy for feature"
algorithms where the wrong origin was used to compare against the
container policy and the parent document's feature policy. The origin of
the document in the frame (or of the document potentially loaded into
that frame) should be used, rather than the parent's origin.

This also cleans up some of the linked terms in the various algorithms
involved in this.
The inherited policy calculation previously would not properly disable
features in frames if they were disabled in the parent. This change
closes the hole where a top-level page could be delivered with a header
which disabled a feature, but then re-enable it in any frame. It also fixes
an edge case where specifying 'allow="feature"' could *disable* a feature
in a frame in which it would otherwise be enabled.

Fixes: w3c#233
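The behaviour the PR description and the commit above call for (a feature disabled in the parent cannot be re-enabled by an allow attribute, allowlists are matched against the child document's origin, and a popup inherits from its opener), as an added JavaScript model that is not part of the spec or of this PR. It assumes allowlists already resolved to concrete origins and assumed default allowlists for three features.

```javascript
// Added example: a simplified model of the inherited-policy calculation described
// above. It is not the spec's algorithm text or a browser's implementation.
// Allowlists are "*" or a Set of origin strings; 'self'/'src' are assumed to be
// resolved to concrete origins by the caller. Default allowlists are assumed.
const DEFAULT_ALLOWLIST = { camera: "self", geolocation: "self", "sync-xhr": "*" };

const matches = (allowlist, origin) => allowlist === "*" || allowlist.has(origin);

// Inherited policy for `feature` in a document at `origin` loaded into `container`
// ({ parent, containerPolicy }); a top-level document has container === null.
function inheritedPolicy(feature, container, origin) {
  if (container === null) return "Enabled";
  const { parent, containerPolicy } = container;
  // Disabled in the parent stays disabled: an allow attribute cannot re-enable it.
  if (parent.inherited[feature] === "Disabled") return "Disabled";
  // The parent's declared policy (its header) is checked against the *child's* origin.
  const declared = parent.declared[feature];
  if (declared !== undefined && !matches(declared, origin)) return "Disabled";
  // An allow attribute that names the feature decides for the child's origin.
  const cp = containerPolicy[feature];
  if (cp !== undefined) return matches(cp, origin) ? "Enabled" : "Disabled";
  // Otherwise fall back to the feature's default allowlist.
  if (DEFAULT_ALLOWLIST[feature] === "*") return "Enabled";
  return origin === parent.origin ? "Enabled" : "Disabled";
}

// Build a document; `declared` maps feature -> allowlist from its Feature-Policy header.
function makeDocument(origin, container, declared = {}) {
  const inherited = {};
  for (const feature of Object.keys(DEFAULT_ALLOWLIST)) {
    inherited[feature] = inheritedPolicy(feature, container, origin);
  }
  return { origin, declared, inherited };
}

// A feature is usable only if the inherited policy and the document's own header allow it.
function isEnabled(doc, feature) {
  if (doc.inherited[feature] === "Disabled") return false;
  const declared = doc.declared[feature];
  return declared === undefined || matches(declared, doc.origin);
}

// Popup (auxiliary browsing context): inherits from its opener, with no allow attribute.
const popupContainer = (opener) => ({ parent: opener, containerPolicy: {} });

// Constructed scenario: the top-level page disables camera via its header; a same-origin
// frame with allow="camera" ('src' resolved to A) must not get it back, nor may a popup.
const A = "https://a.example", B = "https://b.example";
const topDoc = makeDocument(A, null, { camera: new Set() });           // camera 'none'
const frameDoc = makeDocument(A, { parent: topDoc, containerPolicy: { camera: new Set([A]) } });
const popupDoc = makeDocument(B, popupContainer(topDoc));
console.log(isEnabled(topDoc, "camera"), isEnabled(frameDoc, "camera"), isEnabled(popupDoc, "camera"));
```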
Define blocking based on *discrete animations* concept from CSS spec.
Renames the image policies and removes the legacy-image-formats policy.
This has been upstreamed already, and so can only serve to confuse and
contradict HTML by being left here.

Fixes: w3c#245
This commit will fix a typo in `features.md`, where **sync-xhr**'s **default allowlist** was named as speaker
@clelland (Collaborator, Author):

Messed up the merge, replaced this with #259

@clelland clelland closed this Nov 30, 2018
10 participants