[Proposal] Different script contexts with different feature policy.

[moonyowl]

Feature policy can be defined for browsing context, but there is no way to define it for script context. I think it’s totally wrong, and there is an objective need to be able to run different scripts in different script contexts (with different global environments and different set of available browser features / Web APIs).
Here is an example:

I need to run two scripts on a webpage. The first script is a first-party script that will access sensetive data (or fingerprintable API’s). The second script is a third-party script that will make some network requests. I need to isolate these scripts from each other to ensure that the second script will never have access to sensetive data.

[annevk]

That's basically not possible given how JavaScript works today.

[moonyowl]

@annevk, It is possible to execute scripts in isolated context, and it's already implemented for browser extensions (content scripts).

• Is it impossible to do the same for ordinary scripts?
• Is it impossible to define feature policy for them?

[clelland]

Browser extensions are special, and there is currently no mechanism to allow this in HTML; if such a thing does arise, I suspect that policies will apply to those scripts, but I don't think Permissions Policy is the mechanism to enforce that isolation.