
Intent to implement: Feature Policy


Andrea Marchesini

Sep 14, 2018, 1:59:08 PM
to dev-platform
Summary: FeaturePolicy spec allows developers to enable or disable features
(browser features and APIs) for their website and for 3rd party contexts.
FeaturePolicy consists of 3 major parts:

* a HTTP header with the policy, similar to CSP header
* an 'allowed' attribute for HTMLIFrameElements to define feature policies
for nested contexts.
* a WebIDL interface that allows querying the features.

My implementation covers all these 3 aspects.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1390801

Link to standard: https://wicg.github.io/feature-policy/

Platform coverage: everywhere.

Estimated or target release: I would like to enable this feature only in
nightly for a cycle after landing. This would probably be 65.

Preference behind which this will be implemented:
dom.security.featurePolicy.enabled

Is this feature enabled by default in sandboxed iframes? Yes, it is

DevTools bug: No devtools support.

Do other browser engines implement this? Chromium, since 63. Safari since
11.1 (partially - only 'allowed' attribute is supported).

web-platform-tests: There are several policy WPTs features. With my patches
we are almost green everywhere, ignoring payment API and picture-in-picture.

Is this feature restricted to secure contexts? No, it isn’t.
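
Added example, not part of the original post and not Gecko code: a small JavaScript parser for a `Feature-Policy` header value that reports whether an origin matches the declared allowlist for a feature, and which token decided it. It covers only the header's declared policy (not the iframe attribute or inheritance from parent contexts); the header value, origins and function names are constructed for illustration.

```javascript
// Added example, not Gecko code. Header value and origins are constructed.
const SAMPLE_HEADER =
  "geolocation 'self' https://maps.example; camera 'none'; fullscreen *";

// Normalise a URL or origin string to its origin; null if unparseable.
function originOf(value) {
  try { return new URL(value).origin; } catch (e) { return null; }
}

// Parse a Feature-Policy header value into Map<feature, allowlist tokens>.
function parseFeaturePolicy(headerValue) {
  const declared = new Map();
  // "," separates policies, ";" separates directives inside one policy.
  for (const directive of headerValue.split(/[;,]/)) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/);
    if (!feature) continue;               // empty directive, e.g. trailing ";"
    if (declared.has(feature)) continue;  // this example keeps the first declaration
    declared.set(feature, allowlist);
  }
  return declared;
}

// Decide whether `origin` matches the declared allowlist, and say why.
function explain(declared, feature, origin, selfOrigin) {
  if (!declared.has(feature)) {
    return { allowed: null, reason: "not declared; the feature's default allowlist applies" };
  }
  const target = originOf(origin);
  for (const token of declared.get(feature)) {
    if (token === "*") return { allowed: true, reason: "matched *" };
    if (token === "'self'" && target !== null && target === originOf(selfOrigin)) {
      return { allowed: true, reason: "matched 'self'" };
    }
    // Quoted keywords such as 'none' never match an origin.
    if (!token.startsWith("'") && target !== null && originOf(token) === target) {
      return { allowed: true, reason: `matched ${token}` };
    }
  }
  return { allowed: false, reason: "no allowlist entry matched" };
}

const declared = parseFeaturePolicy(SAMPLE_HEADER);
for (const [feature, origin] of [
  ["geolocation", "https://maps.example/embed"],
  ["geolocation", "https://ads.example"],
  ["camera", "https://site.example"],
  ["payment", "https://site.example"],
]) {
  console.log(feature, origin, explain(declared, feature, origin, "https://site.example"));
}
```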

Boris Zbarsky

Sep 14, 2018, 2:21:26 PM
On 9/14/18 1:58 PM, Andrea Marchesini wrote:
> DevTools bug: No devtools support.

Seems like devtools might be useful for answering questions like "what
is the feature policy for this page and why?" given the complexity of
feature policy determination (headers, inheritance from parents, etc).

-Boris

Ehsan Akhgari

Sep 14, 2018, 6:55:24 PM
to Boris Zbarsky, dev-pl...@lists.mozilla.org
Agreed, seems like at least it's worth having a bug on file and reaching
out to the devtools team to see if they can help with this.

We also have https://bugzilla.mozilla.org/show_bug.cgi?id=1449501 open to
display the CSP policy, perhaps it might make sense to expose both in
similar ways (or at least for similar contexts, e.g. iframes).

--
Ehsan

Christoph Kerschbaumer

Sep 17, 2018, 3:37:15 AM
to Ehsan Akhgari, Boris Zbarsky, dev-pl...@lists.mozilla.org

> On Sep 15, 2018, at 12:54 AM, Ehsan Akhgari <ehsan....@gmail.com> wrote:
>
> We also have https://bugzilla.mozilla.org/show_bug.cgi?id=1449501 open to
> display the CSP policy, perhaps it might make sense to expose both in
> similar ways (or at least for similar contexts, e.g. iframes).

FWIW, I filed https://bugzilla.mozilla.org/show_bug.cgi?id=1491748 to get some devtools support for feature policy.
