-
Notifications
You must be signed in to change notification settings - Fork 13
/
policies.json
191 lines (191 loc) · 7.38 KB
/
policies.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
[{
"id": "unsized-media",
"name": "Unsized Media",
"type": "images",
"url": "/demos/unsized-media.html",
"what": "Allows developers to enforce that image/video elements have explicit dimensions. If dimensions aren't specified on the element, the browser sets a default size of 300x150 when this policy is active.",
"why": "Reduces the layout work the browser has to perform.",
"policyType": "Document-Policy",
"usage": {
"off": "unsized-media",
"on": "unsized-media=?0"
},
"examples": {
"header": [
"Document-Policy: unsized-media",
"Document-Policy: unsized-media=?0"
]
}
}, {
"id": "sync-xhr",
"name": "Synchronous XHR",
"type": "performance",
"url": "/demos/sync-xhr.html",
"chromeStatusLink": "https://www.chromestatus.com/feature/5154875084111872",
"what": "Disallows the use of synchronous XMLHttpRequests.",
"why": "Using synchronous XHRs can cause jank on the main thread and be detrimental to user experience. Although the HTML spec has <a href=\"https://xhr.spec.whatwg.org/#sync-warning\" target=\"_blank\">deprecated sync XHRs</a>, developers are still able to use it for XHR requests where <code>responseType=\"text\"</code>.",
"policyType": "Permissions-Policy",
"usage": {
"off": "sync-xhr=self",
"on": "sync-xhr=()"
},
"examples": {
"header": [
"Permissions-Policy: sync-xhr=()"
]
}
}, {
"id": "autoplay",
"name": "Autoplay media",
"type": "granular",
"url": "/demos/autoplay.html",
"chromeStatusLink": "https://www.chromestatus.com/feature/5100524789563392",
"what": "Allows cross-origin videos and movies to autoplay.",
"why": "By default, Chrome allows the `autoplay` attribute on videos within same-origin iframes. To enable cross-origin videos to autoplay (or disallow same-origin videos from auto playing), sites can use this permissions policy.",
"policyType": "Permissions-Policy",
"usage": {
"off": "autoplay=self",
"on": "autoplay=()"
},
"examples": {
"header": [
"Permissions-Policy: autoplay=()",
"Permissions-Policy: autoplay=self"
]
}
}, {
"id": "geolocation",
"name": "Geolocation",
"type": "granular",
"url": "/demos/geolocation.html",
"chromeStatusLink": null,
"what": "Allows/disables the use of the Geolocation API.",
"why": "By default, Chrome blocks the usage of geolocation in cross-origin iframes. Developers can control this behavior (or geolocation access in general) using this permissions policy.",
"policyType": "Permissions-Policy",
"usage": {
"off": "geolocation=self",
"on": "geolocation=()"
},
"examples": {
"header": [
"Permissions-Policy: geolocation=self",
"Permissions-Policy: geolocation https://google-developers.appspot.com"
],
"iframe": [
"<iframe src=\"...\" allow=\"geolocation https://google-developers.appspot.com\"><\/iframe>"
]
}
}, {
"id": "picture-in-picture",
"name": "Picture-in-Picture",
"type": "granular",
"url": "/demos/picture-in-picture.html",
"chromeStatusLink": "https://www.chromestatus.com/features/5729206566649856",
"what": "Controls access to Picture in Picture.",
"why": "By default, Chrome allows the usage of Picture-in-Picture in cross-origin iframes. Developers can disable it using this permissions policy.",
"policyType": "Permissions-Policy",
"usage": {
"on": "picture-in-picture=self",
"off": "picture-in-picture=()"
},
"examples": {
"header": [
"Permissions-Policy: picture-in-picture=self",
"Permissions-Policy: picture-in-picture=()"
]
}
}, {
"id": "animations",
"name": "Fast animations",
"type": "performance",
"url": "/demos/animations.html",
"what": "Restricts the set of CSS properties which can be animated to opacity, transform, and filter.",
"why": "Ensures smooth animations, by only allowing those properties which can be animated on the GPU using the hardware acceleration.",
"policyType": "Document-Policy",
"usage": {
"off": "animations",
"on": "animations=?0"
},
"examples": {
"header": [
"Document-Policy: animations=?0"
]
}
}, {
"id": "oversized-images",
"name": "Oversized images",
"type": "images",
"url": "/demos/oversized-images.html",
"what": "Ensures instrinsic size of images are not more than X times larger than their container size.",
"why": "Image bloat is a large problem on the web. Sending unnecessarily large images is bad for performance, UX, and wastes bandwidth.",
"policyType": "Document-Policy",
"usage_desc": "Maximum image_size / container_size ratio",
"usage": {
"1.0": "oversized-images=1.0",
"2.0": "oversized-images=2.0",
"4.0": "oversized-images=4.0"
},
"examples": {
"header": [
"Document-Policy: oversized-images=2.0"
]
}
}, {
"id": "unoptimized-lossy-images",
"name": "Unoptimized images",
"type": "images",
"url": "/demos/unoptimized-lossy-images.html",
"what": "Requires the data size of images (in bytes) to be no more than X times bigger than its rendering area (in pixels). Images violating this policy render as placeholder images.",
"why": "Ensures optimized performance with images by minimizing file size, reducing image bloat and saving bandwidth.",
"policyType": "Document-Policy",
"usage_desc": "Maximum byte per pixel",
"usage": {
"1.0": "unoptimized-lossy-images=1.0, unoptimized-lossless-images=1.0, unoptimized-lossless-images-strict=1.0",
"2.0": "unoptimized-lossy-images=2.0, unoptimized-lossless-images=2.0, unoptimized-lossless-images-strict=2.0",
"4.0": "unoptimized-lossy-images=4.0, unoptimized-lossless-images=4.0, unoptimized-lossless-images-strict=4.0"
},
"examples": {
"header": [
"Document-Policy: unoptimized-lossy-images=1.0",
"Document-Policy: unoptimized-lossless-images=1.0",
"Document-Policy: unoptimized-lossless-images-strict=1.0"
]
}
}, {
"id": "sync-script",
"name": "Synchronous scripts",
"type": "performance",
"url": "/demos/sync-script.html",
"what": "Prevents synchronous, parsing blocking scripts from executing.",
"why": "Inline scripts and <code><script src></code> without the <code>defer</code>/<code>async</code> attributes block the parser. This can lead to bad performance and poor UX. Instead, use <code>defer</code>/<code>async</code> when loading scripts, dynamically inject them into the page using JS, or use ES Modules (which are defer loaded by default). These solutions will not violate this document policy.",
"policyType": "Document-Policy",
"usage": {
"off": "sync-script",
"on": "sync-script=?0"
},
"examples": {
"header": [
"Document-Policy: sync-script=?0"
]
}
}, {
"id": "vertical-scroll",
"name": "Vertical scroll",
"type": "granular",
"url": "/demos/vertical-scroll.html",
"what": "Controls whether embedded content can interfere with vertical scrolling.",
"why": "By default, iframe content can use <code>touch-action: none</code>, <code>e.preventDefault()</code> in touch events, and the DOM Scroll APIs to prevent and/or alter how content scrolls vertically. This policy ensures vertical scrolling is not blocked by preventing these features from working.",
"policyType": "Permissions-Policy",
"usage": {
"off": "vertical-scroll=self",
"on": "vertical-scroll=()"
},
"examples": {
"header": [
"Permissions-Policy: vertical-scroll=()"
],
"iframe": [
"<iframe allow=\"vertical-scroll 'none'\" src=\"...\"><\/iframe>"
]
}
}]