Summary: The FeaturePolicy spec allows developers to enable or disable features
(browser features and APIs) for their website and for 3rd party contexts.
FeaturePolicy consists of 3 major parts:
* an HTTP header with the policy, similar to CSP header
* an 'allowed' attribute for HTMLIFrameElements to define feature policies
for nested contexts.
* a WebIDL interface that allows querying the features.
My implementation covers all these 3 aspects.
Bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1390801
Link to standard:
https://wicg.github.io/feature-policy/
Platform coverage: everywhere.
Estimated or target release: I would like to enable this feature only in
nightly for a cycle after landing. This would probably be 65.
Preference behind which this will be implemented:
dom.security.featurePolicy.enabled
Is this feature enabled by default in sandboxed iframes? Yes, it is.
DevTools bug: No devtools support.
Do other browser engines implement this? Chromium, since 63. Safari since
11.1 (partially - only 'allowed' attribute is supported).
web-platform-tests: There are several feature policy WPTs. With my patches
we are almost green everywhere, ignoring payment API and picture-in-picture.
Is this feature restricted to secure contexts? No, it isn’t.
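
To illustrate the header part of the summary above, here is an added example (not part of the original message and not Gecko code) that parses a Feature-Policy header value and lists which features it grants to origins other than the site's own. It is a simplified reading of the header syntax in the linked WICG draft; the function names, the sample header and the origins are constructed for illustration.

```javascript
// Added example (not Gecko code). Simplified parser for a Feature-Policy
// header value of the form "feature allowlist; feature allowlist".
function parseFeaturePolicy(headerValue, selfOrigin) {
  const policy = new Map();
  for (const declaration of headerValue.split(";")) {
    const [feature, ...targets] = declaration.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    if (targets.includes("*")) { policy.set(feature, "*"); continue; }
    const allowlist = new Set();
    for (const target of targets) {
      if (target.toLowerCase() === "'self'") { allowlist.add(selfOrigin); continue; }
      try {
        const origin = new URL(target).origin;
        if (origin !== "null") allowlist.add(origin); // skip opaque origins
      } catch { /* 'none' and other non-URL tokens add nothing */ }
    }
    policy.set(feature, allowlist); // assumption: a later duplicate overwrites
  }
  return policy;
}

// true/false when the header declares the feature; undefined when it does not
// (the feature's default allowlist, which this example does not model, applies).
function isAllowed(policy, feature, origin) {
  if (!policy.has(feature)) return undefined;
  const allowlist = policy.get(feature);
  return allowlist === "*" || allowlist.has(origin);
}

// Review aid: features the header grants to any origin other than our own.
function thirdPartyGrants(policy, selfOrigin) {
  const grants = [];
  for (const [feature, allowlist] of policy) {
    if (allowlist === "*") grants.push(`${feature}: *`);
    else for (const origin of allowlist) {
      if (origin !== selfOrigin) grants.push(`${feature}: ${origin}`);
    }
  }
  return grants;
}

// Constructed sample header and origins.
const SELF = "https://app.example";
const samplePolicy = parseFeaturePolicy(
  "geolocation 'self' https://maps.example; camera 'none'; fullscreen *", SELF);
console.log(thirdPartyGrants(samplePolicy, SELF));
```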