Support propagating feature policy in popups. #170
Conversation
I'm not certain what happens (given this PR) when the auxiliary browsing context is navigated. Sandboxed documents retain their sandbox flags, and that seems like the right behaviour here, although the document may be navigated to an origin where the feature would have been allowed.
Question: Should the
This document serves as an explainer of an experimental feature which was most recently committed to the chromium [codebase](https://chromium.googlesource.com/chromium/src/+/d8e49fe9a8374c236010d75874c082e9701543fb). The state of the proposal is not complete, as there are still critical open questions regarding the correct implementation and behavior for cross- and same-origin contents. All suggestions and ideas are most welcome!
Addressing comments, fixing typos, and more importantly renaming the feature from `document-stream-insertion` to `document-write`.
The style of `Header-Name` follows Fetch, but the `&#96;` in the source are necessary because of "Markup Shorthands: css no, markdown yes" in the `<pre class="metadata">`.
This fixes the markup around the Feature-Policy HTTP header to use the correct bikeshed markup for headers, and to denote the header name as a byte-sequence, rather than a string. Fixes: 181
…licy into ehsan-karamad-patch-3 Merging @ehsan-karamad's document-stream-insertion branch into master; The branch was previously based on gh-pages, which is now just the output directory for the rendered spec HTML.
Add privacy and security section
Correct links to policies
Update broken WebVR spec links
* Updated header to include `endpoints` member.
* Updated report envelope to include `user_agent` member.
* Updated JS sample to remove reference to `body.message`.
This adds a document which explains how all of the features which are currently controlled through iframe sandboxing can be made into policy-controlled features, with the `sandbox` attribute being used to influence the constructed container policy for the frame. This also allows those features to be controlled outside of sandboxes as well.
Add the `document.policy` and `frame.policy` interfaces to allow scripts to reason about the state of the page, as well as of frames they have or may want to embed. Marked as unstable, as the API may change as we let developers experiment with it.
The link in the spec to [features.md](https://github.com/WICG/feature-policy/blob/master/features.md) was out-of-date, still pointing to the `gh-pages` branch. Fixes: 190
Currently no plans to integrate vibrate with Feature Policy.
Reporting: fix typos
The v0 `lazyload` policy will be binary and non-parametric. The feature will now enforce **`auto`** as opposed to **`on`**.
Fixing some typos and adding a few more lines to the explainer.
Explainer for 'lazyload' policy
[lazyload.md] Update to fix typos
* Remove message field from reports
* Update and export id for report generation
Parsing the Feature Policy header and parsing the allow attribute were almost identical algorithms. This merges the two into a single "Parse policy directive" algorithm which is referenced from both places.
Revised the animations policy to propose a modified policy that blocks layout-inducing animations as opposed to the non-composited animations. The change is motivated by discussions in issues #202, #203, and #204.
Update the explainer to include scroll targeting conditions.
Update the 'declared origin' algorithm. The steps to get the declared origin for a node did not take into account the sandbox or srcdoc attributes, which should override the src attribute if present. Fixes: w3c#223
Fix inherited policy algorithm This corrects an issue with the "Define an inherited policy for feature" algorithms where the wrong origin was used to compare against the container policy and the parent document's feature policy. The origin of the document in the frame (or of the document potentially loaded into that frame) should be used, rather than the parent's origin. This also cleans up some of the linked terms in the various algorithms involved in this.
The inherited policy calculation previously would not properly disable features in frames if they were disabled in the parent. This change closes the hole where a top-level page could be delivered with a header which disabled a feature, but then re-enable it in any frame. It also fixes an edge case where specifying 'allow="feature"' could *disable* a feature in a frame in which it would otherwise be enabled. Fixes: w3c#233
Define blocking based on *discrete animations* concept from CSS spec.
Renames the image policies and removes the legacy-image-formats policy.
This has been upstreamed already, and so can only serve to confuse and contradict HTML by being left here. Fixes: w3c#245
This commit will fix a typo in `features.md`, where **sync-xhr**'s **default allowlist** was named as speaker.
Remove allowusermedia from spec
Messed up the merge, replaced this with #259
This change accounts for the fact that not all top-level browsing contexts should be treated as top-level documents by feature policy. In particular, new windows created with `window.open()` and `<a href="_blank">` have auxiliary browsing contexts, which should get an inherited policy based on the document that created them.