Introduce Feature policy : document-write
#172
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This document servers as an explainer of an experimental feature which was most recently committed to chromium [codebase](https://chromium.googlesource.com/chromium/src/+/d8e49fe9a8374c236010d75874c082e9701543fb). The state of the proposal is not complete as there is still a critical open questions regarding the correct implementation and behavior for cross and same-origin contents. All suggestions and ideas are most welcomed!
|
I think it would be much clearer if we called this "document-write". |
|
Agreed -- the initial spec had a feature called |
clelland
reviewed
Jun 5, 2018
|
|
||
| ## Objective | ||
| The API around document stream modification ([dynamic mark-up insertion](https://www.w3.org/TR/2011/WD-html5-author-20110705/apis-in-html-documents.html#dynamic-markup-insertion)), i.e., `document.write`, `document.writeln`, `document.open` and `document.close` | ||
| are anti-pattern, parser-blocking javascritp API. The objective of the proposed feature is to limit the usage of this API in websites. |
|
|
||
| ## Solution | ||
|
|
||
| When the feature is disabled for a specific origin in a frame, any occurance of such API will be ignored and might |
There was a problem hiding this comment.
sp: occurrence (or better yet, "usage")
| ``` | ||
| <iframe src="https://example.com" allow="document-stream-insertion http://www.google.com"></iframe> | ||
| ``` | ||
| would limit the usage of stream insertion API to only "google.com" origins using HTTPS protocol. |
There was a problem hiding this comment.
Not quite accurate: This limits it to just www.google.com, not any *.google.com origin. (and you've used HTTP, rather than HTTPS)
There was a problem hiding this comment.
Thanks, I believe I confused site instance with origin.
| 1: The _most_ correct behavior is not known yet. For now, Chrome's implementation behind the flag simply throws exception | ||
| on API usage (for both same and cross origin). But this is not the final implementation. | ||
|
|
||
| 2: An embedded website might rely on important `<script>` added to the document using `document.write`. |
There was a problem hiding this comment.
We should note that this is already not guaranteed to work in Chrome, because of WICG/interventions#17 -- so hopefully sites are already discouraged from implementing critical functionality via document.write of script content.
The difference with this proposal is that the embedder now has some control of whether or not the write will succeed, rather than just the user agent.
There was a problem hiding this comment.
Thanks. Added a few lines here.
|
I think it's close enough (don't forget |
Addressing comments, fixing typos, and more importantly renaming the feature from `document-stream-insertion` to `document-write`.
ehsan-karamad
changed the title
document-stream-insertiondocument-write
|
Just to confirm and clarify, this feature does not block the variant of |
|
You can already do the opening behavior with window.open. Is there a specific reason to continue to allow it with document.open? I think it's pretty subtle and confusing to have the API partially function and would be better for us to keep it simple that all uses of document.open fail. |
|
@ojanvafai blocking both requires two checks (one for each algorithm), as they're different methods do to IDL overloading. Therefore it might also be a tad confusing, but it seems fine to block both to me. |
|
Both variants of |
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Jun 11, 2018
It was proposed here w3c/webappsec-permissions-policy#172 that "document-write" is a better name for this feature. This CL makes the naming change correspondingly. Bug: 841605 Change-Id: Id0a928fd3f6669eb3700736ff5770d4717d2b414
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Jun 13, 2018
It was proposed here w3c/webappsec-permissions-policy#172 that "document-write" is a better name for this feature. This CL makes the naming change correspondingly. Bug: 841605 Change-Id: Id0a928fd3f6669eb3700736ff5770d4717d2b414
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Jun 13, 2018
It was proposed here w3c/webappsec-permissions-policy#172 that "document-write" is a better name for this feature. This CL makes the naming change correspondingly. Bug: 841605 Change-Id: Id0a928fd3f6669eb3700736ff5770d4717d2b414 Reviewed-on: https://chromium-review.googlesource.com/1095328 Commit-Queue: Ehsan Karamad <ekaramad@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Reviewed-by: Kent Tamura <tkent@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Cr-Commit-Position: refs/heads/master@{#566829}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Jun 13, 2018
It was proposed here w3c/webappsec-permissions-policy#172 that "document-write" is a better name for this feature. This CL makes the naming change correspondingly. Bug: 841605 Change-Id: Id0a928fd3f6669eb3700736ff5770d4717d2b414 Reviewed-on: https://chromium-review.googlesource.com/1095328 Commit-Queue: Ehsan Karamad <ekaramad@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Reviewed-by: Kent Tamura <tkent@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Cr-Commit-Position: refs/heads/master@{#566829}
chromium-wpt-export-bot
pushed a commit
to web-platform-tests/wpt
that referenced
this pull request
Jun 13, 2018
It was proposed here w3c/webappsec-permissions-policy#172 that "document-write" is a better name for this feature. This CL makes the naming change correspondingly. Bug: 841605 Change-Id: Id0a928fd3f6669eb3700736ff5770d4717d2b414 Reviewed-on: https://chromium-review.googlesource.com/1095328 Commit-Queue: Ehsan Karamad <ekaramad@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Reviewed-by: Kent Tamura <tkent@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Cr-Commit-Position: refs/heads/master@{#566829}
|
Merged into master as ca24bf4 |
moz-v2v-gh
pushed a commit
to mozilla/gecko-dev
that referenced
this pull request
Jul 11, 2018
…nsertion, a=testonly Automatic update from web-platform-testsRename Feature Policy: document-stream-insertion It was proposed here w3c/webappsec-permissions-policy#172 that "document-write" is a better name for this feature. This CL makes the naming change correspondingly. Bug: 841605 Change-Id: Id0a928fd3f6669eb3700736ff5770d4717d2b414 Reviewed-on: https://chromium-review.googlesource.com/1095328 Commit-Queue: Ehsan Karamad <ekaramad@chromium.org> Reviewed-by: Ian Clelland <iclelland@chromium.org> Reviewed-by: Kent Tamura <tkent@chromium.org> Reviewed-by: Nasko Oskov <nasko@chromium.org> Cr-Commit-Position: refs/heads/master@{#566829} -- wpt-commits: a0272053ab1712be6bf6b967ce75797b351001fc wpt-pr: 11463 --HG-- rename : testing/web-platform/tests/feature-policy/experimental-features/resources/document-stream-insertion.html => testing/web-platform/tests/feature-policy/experimental-features/resources/document-write.html
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-comments-removed
that referenced
this pull request
Oct 3, 2019
…nsertion, a=testonly Automatic update from web-platform-testsRename Feature Policy: document-stream-insertion It was proposed here w3c/webappsec-permissions-policy#172 that "document-write" is a better name for this feature. This CL makes the naming change correspondingly. Bug: 841605 Change-Id: Id0a928fd3f6669eb3700736ff5770d4717d2b414 Reviewed-on: https://chromium-review.googlesource.com/1095328 Commit-Queue: Ehsan Karamad <ekaramadchromium.org> Reviewed-by: Ian Clelland <iclellandchromium.org> Reviewed-by: Kent Tamura <tkentchromium.org> Reviewed-by: Nasko Oskov <naskochromium.org> Cr-Commit-Position: refs/heads/master{#566829} -- wpt-commits: a0272053ab1712be6bf6b967ce75797b351001fc wpt-pr: 11463 UltraBlame original commit: 40f42f669a0b67e18bbc3beb3ac706bfb6cbb53a
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified-and-comments-removed
that referenced
this pull request
Oct 3, 2019
…nsertion, a=testonly Automatic update from web-platform-testsRename Feature Policy: document-stream-insertion It was proposed here w3c/webappsec-permissions-policy#172 that "document-write" is a better name for this feature. This CL makes the naming change correspondingly. Bug: 841605 Change-Id: Id0a928fd3f6669eb3700736ff5770d4717d2b414 Reviewed-on: https://chromium-review.googlesource.com/1095328 Commit-Queue: Ehsan Karamad <ekaramadchromium.org> Reviewed-by: Ian Clelland <iclellandchromium.org> Reviewed-by: Kent Tamura <tkentchromium.org> Reviewed-by: Nasko Oskov <naskochromium.org> Cr-Commit-Position: refs/heads/master{#566829} -- wpt-commits: a0272053ab1712be6bf6b967ce75797b351001fc wpt-pr: 11463 UltraBlame original commit: 40f42f669a0b67e18bbc3beb3ac706bfb6cbb53a
gecko-dev-updater
pushed a commit
to marco-c/gecko-dev-wordified
that referenced
this pull request
Oct 3, 2019
…nsertion, a=testonly Automatic update from web-platform-testsRename Feature Policy: document-stream-insertion It was proposed here w3c/webappsec-permissions-policy#172 that "document-write" is a better name for this feature. This CL makes the naming change correspondingly. Bug: 841605 Change-Id: Id0a928fd3f6669eb3700736ff5770d4717d2b414 Reviewed-on: https://chromium-review.googlesource.com/1095328 Commit-Queue: Ehsan Karamad <ekaramadchromium.org> Reviewed-by: Ian Clelland <iclellandchromium.org> Reviewed-by: Kent Tamura <tkentchromium.org> Reviewed-by: Nasko Oskov <naskochromium.org> Cr-Commit-Position: refs/heads/master{#566829} -- wpt-commits: a0272053ab1712be6bf6b967ce75797b351001fc wpt-pr: 11463 UltraBlame original commit: 40f42f669a0b67e18bbc3beb3ac706bfb6cbb53a
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This document servers as an explainer of an experimental feature which was most recently committed to chromium codebase. The state of the proposal is not complete as there is still a critical open questions regarding the correct implementation and behavior for cross and same-origin contents.
All suggestions and ideas are most welcomed!