Support propagating feature policy in popups.

.gitignore

@@ -0,0 +1,2 @@
+index.html
+deploy_key

.travis.yml

@@ -0,0 +1,24 @@
+language: python
+python:
+- '2.7'
+env:
+  global:
+  - COMMIT_AUTHOR_EMAIL=travis-ci@w3.org
+install:
+- git clone --depth=1 --branch=master https://github.com/tabatkins/bikeshed.git ./bikeshed
+- pip install pygments
+- pip install --upgrade setuptools
+- pip install --editable ./bikeshed
+- bikeshed update
+script:
+- mkdir out
+- bikeshed spec index.bs out/index.html
+before_deploy:
+- openssl aes-256-cbc -K $encrypted_b330ad4127a4_key -iv $encrypted_b330ad4127a4_iv
+  -in deploy_key.enc -out deploy_key -d
+deploy:
+  provider: script
+  skip_cleanup: true
+  script: "./deploy.sh"
+  on:
+    branch: master

README.md

@@ -1,6 +1,6 @@
 # Feature Policy
 
-A web platform API which gives a website the ability to allow and deny the use of browser features in its own frame, and in iframes that it embeds. Examples of features that could be controlled by feature policy include:
+A web platform API which gives a website the ability to allow and deny the use of browser features in its own frame, and in iframes that it embeds. Examples of [features](https://github.com/WICG/feature-policy/blob/master/features.md) that could be controlled by feature policy include:
 
 - getUserMedia (Camera, Speakers and Microphone)
 - Fullscreen
@@ -9,7 +9,7 @@ A web platform API which gives a website the ability to allow and deny the use o
 - Payments
 - Synchronous XHR
 - Synchronous scripts
-- Vibrate
+- Lazyload
 - ...
 
 The spec is hosted on this repo, at https://wicg.github.io/feature-policy/

deploy.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+set -e # Exit with nonzero exit code if anything fails
+
+# Expects that the build script will place the contents of gh-pages into out/.
+# Expects that the before_deploy steps will place a deploy key in ./deploy_key.
+
+TARGET_BRANCH=gh-pages
+
+# Save some useful information
+REPO=`git config remote.origin.url`
+SSH_REPO=${REPO/https:\/\/github.com\//git@github.com:}
+SHA=`git rev-parse --verify HEAD`
+
+CLONED_TARGET_BRANCH=$(mktemp -d)
+# Clone the existing gh-pages for this repo into out/
+git clone --depth 1 --branch $TARGET_BRANCH $REPO $CLONED_TARGET_BRANCH
+
+# Copy over the out/ directory, removing any old contents.
+rsync -r --exclude .git --delete out/ $CLONED_TARGET_BRANCH
+
+# Install the deploy key.
+chmod 600 deploy_key
+eval `ssh-agent -s`
+if ! ssh-add deploy_key; then
+    echo "Unable to add SSH identity; exiting."
+    exit 1
+fi
+
+# Now let's go have some fun with the cloned repo
+cd $CLONED_TARGET_BRANCH
+# If there are no changes to the compiled out (e.g. this is a README update) then just bail.
+if git diff --quiet; then
+    echo "No changes to the output on this push; exiting."
+    exit 0
+fi
+
+git config user.name "Travis CI"
+git config user.email "$COMMIT_AUTHOR_EMAIL"
+
+# Commit the "changes", i.e. the new version.
+# The delta will show diffs between new and old versions.
+git add -A .
+git commit -m "Deploy to GitHub Pages: ${SHA}"
+
+# Now that we're all set up, we can push.
+git push $SSH_REPO $TARGET_BRANCH
+

features.md

@@ -21,8 +21,8 @@ of these features all belong in their respective specs.
 |`payment`|`self`|Controls access to PaymentRequest interface.|
 |`picture-in-picture`|`*`|Controls access to Picture in Picture.|
 |`speaker`|`self`|Controls access to audio output devices.|
+|`sync-xhr`|`*`|Controls whether synchronous XMLHttpRequest transfers are allowed.|
 |`usb`|`self`|Controls access to USB devices.|
-|`vibrate`|`self`|Controls access to `vibrate()` method.|
 |`vr`|`self`|Controls access to VR displays.|
 
 ## Feature Definitions
@@ -31,7 +31,7 @@ of these features all belong in their respective specs.
 
 The *autoplay* feature controls access to autoplay of media requested through the [HTMLMediaElement interface](http://w3c.github.io/html/semantics-embedded-content.html#htmlmediaelement).
 
-If disabled in a document, then calls to [`play()`](http://w3c.github.io/html/semantics-embedded-content.html#dom-htmlmediaelement-play) without a user gesutre will reject the promise with a `NotAllowedError` DOMException object as its parameter. The [`autoplay`](http://w3c.github.io/html/semantics-embedded-content.html#dom-htmlmediaelement-autoplay) attribute will be ignored.
+If disabled in a document, then calls to [`play()`](http://w3c.github.io/html/semantics-embedded-content.html#dom-htmlmediaelement-play) without a user gesture will reject the promise with a `NotAllowedError` DOMException object as its parameter. The [`autoplay`](http://w3c.github.io/html/semantics-embedded-content.html#dom-htmlmediaelement-autoplay) attribute will be ignored.
 
 * The **feature name** for *autoplay* is "`autoplay`"
 * The **default allowlist** for *autoplay* is `'self'`.
@@ -148,6 +148,15 @@ If disabled in a document, then calls to [`getUserMedia()`](https://w3c.github.i
 * The **feature name** for *speaker* is "`speaker`"
 * The **default allowlist** for *speaker* is `'self'`.
 
+### sync-xhr
+
+The *sync-xhr* feature controls whether synchronous requests can be made through the [XMLHttpRequest API](https://xhr.spec.whatwg.org/).
+
+If disabled in a document, then calls to [`send()`](https://xhr.spec.whatwg.org/#the-send()-method) on `XMLHttpRequest` objects with the synchronous flag set will fail, causing a NetworkError DOMException to be thrown.
+
+* The **feature name** for *sync-xhr* is "`sync-xhr`"
+* The **default allowlist** for *sync-xhr* is `*`.
+
 ### usb
 
 The *usb* feature controls whether the current document is allowed to use the [WebUSB API](https://wicg.github.io/webusb/).
@@ -157,20 +166,11 @@ If disabled in a document, then calls to the [`getDevices()`](https://wicg.githu
 * The **feature name** for *usb* is "`usb`"
 * The **default allowlist** for *usb* is `'self'`.
 
-### vibrate
-
-The *vibrate* feature controls whether the [Vibration API](https://w3c.github.io/vibration/) is allowed to cause device vibration.
-
-If disabled in a document, then calls to the [`vibrate()`](https://w3c.github.io/vibration/#dom-navigator-vibrate) method should silently do nothing. If enabled, the browser may allow the device to vibrate.
-
-* The **feature name** for *vibrate* is "`vibrate`"
-* The **default allowlist** for *vibrate* is `'self'`.
-
 ### vr
 
-The *vr* feature controls whether the current document is allowed to use the [WebVR API](https://w3c.github.io/webvr/spec/1.1/).
+The *vr* feature controls whether the current document is allowed to use the [WebVR API](https://immersive-web.github.io/webvr/spec/1.1/).
 
-If disabled in a document, then calls to the [`getVRDisplays()`](https://w3c.github.io/webvr/spec/1.1/#navigator-getvrdisplays-attribute) should return a promise which rejects with a SecurityError DOMException.
+If disabled in a document, then calls to the [`getVRDisplays()`](https://immersive-web.github.io/webvr/spec/1.1/#navigator-getvrdisplays-attribute) should return a promise which rejects with a SecurityError DOMException.
 
 * The **feature name** for *vr* is "`vr`"
 * The **default allowlist** for *vr* is `'self'`.