Gecko: Positive (https://github.com/w3c/webappsec-feature-policy/issues/359) The initial impetus for this change came from a request from Firefox. Like Safari, Firefox does not currently have support implemented for the existing Feature-Policy header.
WebKit: No signal (https://lists.webkit.org/pipermail/webkit-dev/2020-September/031428.html) Safari implements the allow attribute, which is essentially unchanged by this update, but does not currently support the (now legacy) Feature-Policy header.
Web developers: Positive (https://github.com/w3c/webappsec-permissions-policy/issues/357#issuecomment-562744161) There is support (for example, the link above) from developers for the header semantics change; a number of developers have expressed the view that blocking a site in the HTTP header should not be overridable in markup.Activation
The biggest challenge will be that developers will eventually need to rewrite any existing Feature-Policy headers in the new structured syntax. Documentation will help, tools could be used to translate from one syntax to the other (this is a very mechanical change).Security
The behavioural change to the header was made in order to allow some sites to increase their security, by giving them a way to completely disable some features, in a way that even a malicious actor with DOM manipulation capabilities cannot override.Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)?
Yes.Is this feature fully tested by web-platform-tests?
Yes.
Web Platform Tests under the /feature-policy/ directory are being rewritten to use the new header, to verify that it works as well as the old one. New tests are added for the header behaviour change as well. Other feature tests which integrate with the policy mechanism are similarly being changed to use the new header, if they used the old one previously, or to use the allow attribute when possible, as its behaviour should be unchanged.
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1095641Link to entry on the Chrome Platform Status
https://www.chromestatus.com/feature/5745992911552512Links to previous Intent discussions
Intent to prototype: https://groups.google.com/a/chromium.org/d/msg/blink-dev/As1ABvc2QdA/yZSpPXY4CAAJThis intent message was mostly generated by Chrome Platform Status.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAK_TSXKS21GncbmU16mbhopJtZT4FWYpYS4FGomutrdpEsMnQA%40mail.gmail.com.
Gecko: Positive (https://github.com/w3c/webappsec-feature-policy/issues/359) The initial impetus for this change came from a request from Firefox. Like Safari, Firefox does not currently have support implemented for the existing Feature-Policy header.While they are likely to be positive, it'd be better to ask for an official position on their standards position repo.
One concern emerged during the security review for this feature: is it possible that reporting will introduce an XS-Leak?For example if application maps.com only asks for geolocation if the user is logged in an attacker.com could iframe it and set a policy that does not allow for geolocation and detect if a report is sent (thus if the user is signed in).
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACj%3DBEh-8%3DE_S45658jCykBg0Uiu-feNCap2hf_rCKo5sYUgAw%40mail.gmail.com.
LGTM3
/Daniel
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw-hVfxO8YYX_WAKNCD96sg_bnFmTDbYDsaL4pfw3s9f4A%40mail.gmail.com.