Integrate Feature Policy concepts into HTML
This commit introduces the feature policy for Document objects, adds the
'allow' attribute to iframe elements, and reframes 'allowfullscreen',
'allowpaymentrequest' and 'allowusermedia' in terms of feature policy.
Document allow* flags are removed, as they are no longer referenced.

The 'allowed to use' algorithm is also updated to call into the feature
policy 'Is feature enabled' algorithm, and rewritten to take a policy-
controlled feature as an argument rather than an attribute, so that
other specs can also use it to control other features.

Tests:

- web-platform-tests/wpt#10966
- web-platform-tests/wpt@3cc0d89
- web-platform-tests/wpt@9a00e4a
- web-platform-tests/wpt#4625
clelland authored and Alice Boxhall committed Jan 7, 2019
1 parent 374f5fd commit 3a95b0a
Showing 1 changed file with 142 additions and 120 deletions.
262 changes: 142 additions & 120 deletions source
Expand Up @@ -4007,6 +4007,22 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
</ul>
</dd>

<dt>Feature Policy</dt>

<dd>
<p>The following terms are defined in <cite>Feature Policy</cite>: <ref spec="FEATUREPOLICY"></p>

<ul class="brief">
<li><dfn data-x="concept-feature-policy" data-x-href="https://wicg.github.io/feature-policy/#feature-policy">feature policy</dfn></li>
<li><dfn data-x="concept-container-policy" data-x-href="https://wicg.github.io/feature-policy/#container-policy">container policy</dfn></li>
<li><dfn data-x="concept-serialized-feature-policy" data-x-href="https://wicg.github.io/feature-policy/#serialized-feature-policy">serialized feature policy</dfn></li>
<li>The <dfn data-x-href="https://wicg.github.io/feature-policy/#initialize-for-document">Initialize document’s feature policy</dfn> algorithm</li>
<li>The <dfn data-x-href="https://wicg.github.io/feature-policy/#initialize-from-response">Initialize document’s feature policy from response</dfn> algorithm</li>
<li>The <dfn data-x="is-feature-enabled" data-x-href="https://wicg.github.io/feature-policy/#is-feature-enabled">Is feature enabled by policy for origin</dfn> algorithm</li>
<li>The <dfn data-x="process-feature-policy-attributes" data-x-href="https://wicg.github.io/feature-policy/#process-feature-policy-attributes">Process feature policy attributes</dfn> algorithm</li>
</ul>
</dd>


<dt>Payment Request API</dt>

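Review bot: the imported term list in this hunk does not include "policy-controlled feature", yet the rewritten "allowed to use" algorithm later in this patch takes "the policy-controlled-feature <var>feature</var>" as its argument and the new container-policy text relies on the same concept. Add a `<dfn>` entry for it here (with its data-x-href into the Feature Policy spec) so the argument name can be a linked term instead of plain text.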
Expand Down Expand Up @@ -9212,6 +9228,10 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
containing all of the <span>Content Security Policy</span> objects active for the document. The
list is empty unless otherwise specified.</p>

<p>The <code>Document</code> has a <dfn data-x="concept-document-feature-policy" data-export=""
data-dfn-for="Document">feature policy</dfn>, which is a <span
data-x="concept-feature-policy">feature policy</span>, which is initially empty.</p>

<p>The <code>Document</code> has a <dfn data-dfn-for="Document"
data-x="concept-document-module-map">module map</dfn>, which is a <span>module map</span>,
initially empty.</p>
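Review bot: the new sentence reads "which is a feature policy, which is initially empty"; the doubled "which" is awkward. Match the module map paragraph directly below it: "which is a <span data-x="concept-feature-policy">feature policy</span>, initially empty."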
Expand Down Expand Up @@ -29440,6 +29460,7 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
<dd><code data-x="attr-iframe-srcdoc">srcdoc</code></dd>
<dd><code data-x="attr-iframe-name">name</code></dd>
<dd><code data-x="attr-iframe-sandbox">sandbox</code></dd>
<dd><code data-x="attr-iframe-allow">allow</code></dd>
<dd><code data-x="attr-iframe-allowfullscreen">allowfullscreen</code></dd>
<dd><code data-x="attr-iframe-allowpaymentrequest">allowpaymentrequest</code></dd>
<dd><code data-x="attr-iframe-allowusermedia">allowusermedia</code></dd>
Expand All @@ -29455,6 +29476,7 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-iframe-srcdoc">srcdoc</span>;
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-iframe-name">name</span>;
[SameObject, PutForwards=<span data-x="dom-DOMTokenList-value">value</span>] readonly attribute <span>DOMTokenList</span> <span data-x="dom-iframe-sandbox">sandbox</span>;
[<span>CEReactions</span>] attribute DOMString <span data-x="dom-iframe-allow">allow</span>;
[<span>CEReactions</span>] attribute boolean <span data-x="dom-iframe-allowFullscreen">allowFullscreen</span>;
[<span>CEReactions</span>] attribute boolean <span data-x="dom-iframe-allowPaymentRequest">allowPaymentRequest</span>;
[<span>CEReactions</span>] attribute boolean <span data-x="dom-iframe-allowUserMedia">allowUserMedia</span>;
Expand Down Expand Up @@ -29961,13 +29983,30 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
</div>


<hr> <!-- ALLOW FULLSCREEN / USER MEDIA -->
<hr> <!-- FEATURE POLICY ATTRIBUTES: ALLOW; ALLOW FULLSCREEN / PAYMENT REQUEST / USER MEDIA -->

<p>The <dfn><code data-x="attr-iframe-allow">allow</code></dfn> attribute, when specified,
determines the <span data-x="concept-container-policy">container policy</span> that will be used
when the <span data-x="concept-document-feature-policy">feature policy</span> for a
<span>Document</span> in the <code>iframe</code>'s <span>nested browsing context</span> is
initialized. Its value must be a <span data-x="concept-serialized-feature-policy">serialized
feature policy</span>. <ref spec="FEATUREPOLICY">

<div class="example">
<p>In this example, an <code>iframe</code> is used to embed a map from an online navigation
service. The <code data-x="attr-iframe-allow">allow</code> attribute is used to enable the
Geolocation API within the nested context.</p>

<pre>&lt;iframe src="https://maps.example.com/" allow="geolocation">&lt;/iframe></pre>
</div>

<p>The <dfn><code data-x="attr-iframe-allowfullscreen">allowfullscreen</code></dfn> attribute is a
<span>boolean attribute</span>. When specified, it indicates that <code>Document</code> objects in
the <code>iframe</code> element's <span>browsing context</span> are to be allowed to use <code
data-x="dom-element-requestFullscreen">requestFullscreen()</code> (if it's not blocked for other
reasons, e.g. there is another ancestor <code>iframe</code> without this attribute set).</p>
the <code>iframe</code> element's <span>browsing context</span> will be initialized with a
<span data-x="concept-document-feature-policy">feature policy</span> which allows the <code
data-x="">fullscreen</code> feature to be used from any <span>origin</span>. This is enforced by
the <span data-x="process-feature-policy-attributes">Process feature policy attributes</span>
algorithm. <ref spec="FEATUREPOLICY">

<div class="example">

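Review bot: the new `allow` paragraph and the rewritten `allowfullscreen` paragraph both end at `<ref spec="FEATUREPOLICY">` without the closing `</p>` that this source uses everywhere else (compare `<ref spec="FEATUREPOLICY"></p>` in the dependencies hunk, and the `</p>` on the removed line "reasons, e.g. there is another ancestor <code>iframe</code> without this attribute set).</p>"). Close both paragraphs so the source stays consistent and the build's structure checks do not depend on implicit end tags.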
Expand All @@ -29989,18 +30028,32 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
<p>The <dfn><code data-x="attr-iframe-allowpaymentrequest">allowpaymentrequest</code></dfn>
attribute is a <span>boolean attribute</span>. When specified, it indicates that
<code>Document</code> objects in the <code>iframe</code> element's <span>browsing context</span>
are to be allowed to use the <code>PaymentRequest</code> interface to make payment requests.</p>
will be initialized with a <span data-x="concept-document-feature-policy">feature policy</span>
which allows the <code data-x="">payment</code> feature to be used to make payment requests from
any <span>origin</span>. This is enforced by the <span
data-x="process-feature-policy-attributes">Process feature policy attributes</span> algorithm.
<ref spec="FEATUREPOLICY">

<p>The <dfn><code data-x="attr-iframe-allowusermedia">allowusermedia</code></dfn> attribute is a
<span>boolean attribute</span>. When specified, it indicates that <code>Document</code> objects in
the <code>iframe</code> element's <span>browsing context</span> are to be allowed to use <code
data-x="dom-MediaDevices-getUserMedia">getUserMedia()</code> (if it's not blocked for other
reasons, e.g. there is another ancestor <code>iframe</code> without this attribute set).</p>
the <code>iframe</code> element's <span>browsing context</span> will be initialized with a <span
data-x="concept-document-feature-policy">feature policy</span> which allows the
<code data-x="">camera</code> and <code data-x="">microphone</code> features to be used to call
<code data-x="dom-MediaDevices-getUserMedia">getUserMedia()</code> from any <span>origin</span>.
This is enforced by the <span data-x="process-feature-policy-attributes">Process feature policy
attributes</span> algorithm. <ref spec="FEATUREPOLICY">

<p class="note">None of these attributes, <code data-x="attr-iframe-allow">allow</code>,
<code data-x="attr-iframe-allowfullscreen">allowfullscreen</code>, <code
data-x="attr-iframe-allowpaymentrequest">allowpaymentrequest</code> or <code
data-x="attr-iframe-allowusermedia">allowusermedia</code>, can grant access to a feature in a
<span>nested browsing context</span> if the <code>iframe</code> element's <span>node
document</span> is not already allowed to use that feature.</p>

<div w-nodev>
<p id="fullscreen-logic">To determine whether a <code>Document</code> object <var>document</var>
is <dfn data-export="">allowed to use</dfn> the feature indicated by attribute name
<var>allowattribute</var>, run these steps:</p>
is <dfn data-export="">allowed to use</dfn> the policy-controlled-feature <var>feature</var>,
run these steps:</p>

<ol>
<li><p>If <var>document</var> has no <span data-x="concept-document-bc">browsing context</span>,
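Review bot: "the policy-controlled-feature <var>feature</var>" in the rewritten "allowed to use" definition has a stray hyphen; the Feature Policy term is "policy-controlled feature", and it should be marked up as a linked term rather than plain text. The `allowpaymentrequest` and `allowusermedia` paragraphs in this hunk also end at `<ref spec="FEATUREPOLICY">` without `</p>`, the same omission as in the `allow` and `allowfullscreen` paragraphs above.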
Expand All @@ -30009,117 +30062,24 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
<li><p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span>'s
<span>active document</span> is not <var>document</var>, then return false.</p></li>

<li><p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> is a
<span>top-level browsing context</span>, then return true.</p></li>

<li>
<p>If <var>allowattribute</var> is <code
data-x="attr-iframe-allowfullscreen">allowfullscreen</code>, then:</p>

<ol>
<li><p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> has
a <span>browsing context container</span> that is an <code>iframe</code> element with an
<var>allowattribute</var> attribute specified, and whose <span>node document</span> is
<span>allowed to use</span> the feature indicated by <var>allowattribute</var>, then return
true.</p></li>
</ol>

<p class="big-issue">This step is legacy behavior for the <code
data-x="attr-iframe-allowfullscreen">allowfullscreen</code> attribute that should not be used
for new features. If possible this will be removed, see <a
href="https://github.com/whatwg/html/issues/2143#issuecomment-265514585">issue 2143</a>.</p>
</li>

<li>
<p>Otherwise:</p>

<ol>
<li><p>If <var>document</var> has the <var><var>allowattribute</var> flag</var> set, and
<var>document</var>'s <span data-x="concept-document-bc">browsing context</span> has a
<span>browsing context container</span> that is an <code>iframe</code> element whose
<span>node document</span> is <span>allowed to use</span> the feature indicated by
<var>allowattribute</var>, then return true.</p></li>
</ol>
</li>
<li><p>If the result of running <span data-x="is-feature-enabled">Is feature enabled in document
for origin</span> on <var>feature</var>, <var>document</var>, and <var>document</var>'s
<span>origin</span> is "<code data-x="">Enabled</code>", then return true.</p></li>

<li><p>Return false.</p></li>
</ol>
</div>

<p>To <dfn>set the allow* flags</dfn> for a <code>Document</code> <var>document</var> means to
run these steps:</p>

<ol>
<li>
<p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> has a
<span>browsing context container</span> whose <span>node document</span>'s <span>origin</span>
is <span>same origin-domain</span> with <var>document</var>'s <span>origin</span>, then set the
<var>allowpaymentrequest flag</var> and the <var>allowusermedia flag</var> on
<var>document</var>, and return.</p>

<p class="note">If <code data-x="dom-document-domain">document.domain</code> has been used for
the <span>browsing context container</span>'s <span>node document</span>, then its
<span>origin</span> cannot be <span>same origin-domain</span> with <var>document</var>'s
<span>origin</span>, because these steps run when <var>document</var> is initialized so it
cannot itself yet have used <code data-x="dom-document-domain">document.domain</code>. Note
that this is less permissive compared to doing a <span>same origin</span> check instead.</p>

<div class="example">
<p>In this example, the child document is not allowed to use <code>PaymentRequest</code>,
despite being <span>same origin-domain</span> at the time the child document tries to use it.
At the time the child document is initialized, only the parent document has set <code
data-x="dom-document-domain">document.domain</code>, and the child document has not.</p>

<pre>&lt;!-- https://foo.example.com/a.html -->
&lt;!doctype html>
&lt;script>
document.domain = 'example.com';
&lt;/script>
&lt;iframe src=b.html>&lt;/iframe></pre>

<pre>&lt;!-- https://bar.example.com/b.html -->
&lt;!doctype html>
&lt;script>
document.domain = 'example.com'; // This happens after the document is initialized
new PaymentRequest(&hellip;); // Not allowed to use
&lt;/script></pre>
</div>

<div class="example">
<p>In this example, the child document <em>is</em> allowed to use <code>PaymentRequest</code>,
despite not being <span>same origin-domain</span> at the time the child document tries to use
it. At the time the child document is initialized, none of the documents have set <code
data-x="dom-document-domain">document.domain</code> yet so <span>same origin-domain</span>
falls back to a normal <span>same origin</span> check.</p>

<pre>&lt;!-- https://example.com/a.html -->
&lt;!doctype html>
&lt;iframe src=b.html>&lt;/iframe>
&lt;!-- The child document is now initialized, before the script below is run. -->
&lt;script>
document.domain = 'example.com';
&lt;/script></pre>

<pre>&lt;!-- https://example.com/b.html -->
&lt;!doctype html>
&lt;script>
new PaymentRequest(&hellip;); // Allowed to use
&lt;/script></pre>
</div>
</li>

<li><p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> has a
<span>browsing context container</span> that is an <code>iframe</code> element, let
<var>iframe</var> be that element. Otherwise, return.</p></li>

<li><p>If <var>iframe</var> has an <code
data-x="attr-iframe-allowpaymentrequest">allowpaymentrequest</code> attribute specified, then
set the <var>allowpaymentrequest flag</var> on <var>document</var>.</p></li>
<p class="warning">Because they only influence the <span
data-x="concept-document-feature-policy">feature policy</span> of the <span>nested browsing
context</span>'s <span>active document</span>, the <code data-x="attr-iframe-allow">allow</code>,
<code data-x="attr-iframe-allowfullscreen">allowfullscreen</code>, <code
data-x="attr-iframe-allowpaymentrequest">allowpaymentrequest</code> and <code
data-x="attr-iframe-allowusermedia">allowusermedia</code> attributes only take effect when the
<span>nested browsing context</span> of the <code>iframe</code> is <span
data-x="navigate">navigated</span>. Adding or removing them has no effect on an already-loaded
document.</p>

<li><p>If <var>iframe</var> has an <code
data-x="attr-iframe-allowusermedia">allowusermedia</code> attribute specified, then set the
<var>allowusermedia flag</var> on <var>document</var>.</p></li>
</ol>
</div>

<hr> <!-- DIM ATTRIBUTES -->

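Review bot: the new step "Is feature enabled in document for origin" calls the imported algorithm under a different name than its dfn in the dependencies section, "Is feature enabled by policy for origin". The `data-x="is-feature-enabled"` will still resolve, but the visible text should match one of the two; pick the name used by the Feature Policy spec and use it in both places. Separately, the warning that the attributes "only take effect when the nested browsing context is navigated" is the key author-facing point of this hunk and is correct as written; consider also spelling out the converse for readers, that removing `allow` from a live `iframe` does not revoke anything until the next navigation.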
Expand Down Expand Up @@ -30153,8 +30113,9 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {

<p>The IDL attributes <dfn><code data-x="dom-iframe-src">src</code></dfn>, <dfn><code
data-x="dom-iframe-srcdoc">srcdoc</code></dfn>, <dfn><code
data-x="dom-iframe-name">name</code></dfn>,and <dfn><code
data-x="dom-iframe-sandbox">sandbox</code></dfn> must <span>reflect</span> the respective content
data-x="dom-iframe-name">name</code></dfn>, <dfn><code
data-x="dom-iframe-sandbox">sandbox</code></dfn>, and <dfn><code
data-x="dom-iframe-allow">allow</code></dfn> must <span>reflect</span> the respective content
attributes of the same name.</p>

<p>The <span data-x="concept-supported-tokens">supported tokens</span> for <code
Expand Down Expand Up @@ -77020,7 +76981,8 @@ dictionary <dfn>DragEventInit</dfn> : <span>MouseEventInit</span> {

<li><p><span>Implement the sandboxing</span> for <var>document</var>.</p></li>

<li><p><span>Set the allow* flags</span> for <var>document</var>.</p></li>
<li><p>Execute the <span>Initialize document’s Feature Policy</span> algorithm on
<var>document</var>. <ref spec="FEATUREPOLICY"></p></li>

<li><p>Add <var>document</var> to <var>browsingContext</var>'s <span>session
history</span>.</p></li>
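Review bot: "Initialize document’s Feature Policy" is capitalized differently from the dfn added in the dependencies hunk, "Initialize document’s feature policy"; unless the cross-referencer is case-insensitive this `<span>` will not link. Use the same casing as the dfn, or add an explicit `data-x`, here and in the corresponding "from response" step below.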
Expand Down Expand Up @@ -82389,7 +82351,64 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface

<li><p><span>Implement the sandboxing</span> for the <code>Document</code>.</p></li>

<li><p><span>Set the allow* flags</span> for the <code>Document</code>.</p></li>
<li>
<p>Execute the <span>Initialize document’s Feature Policy from response</span>
algorithm on the <code>Document</code> object and the <span
data-x="concept-response">response</span> used to generate the document. <ref
spec="FEATUREPOLICY"></p>

<p class="note">The <span>Initialize document’s Feature Policy from response</span> algorithm
makes use of the <code>Document</code>'s <span>origin</span>. If <code
data-x="dom-document-domain">document.domain</code> has been used for the <span>browsing
context container</span>'s <span>node document</span>, then its <span>origin</span> cannot be
<span>same origin-domain</span> with <var>document</var>'s <span>origin</span>, because these
steps run when <var>document</var> is initialized, so it cannot itself yet have used <code
data-x="dom-document-domain">document.domain</code>. Note that this means that Feature Policy
checks are less permissive compared to doing a <span>same origin</span> check instead.</p>

<div class="example">
<p>In this example, the child document is not allowed to use <code>PaymentRequest</code>,
despite being <span>same origin-domain</span> at the time the child document tries to use
it. At the time the child document is initialized, only the parent document has set <code
data-x="dom-document-domain">document.domain</code>, and the child document has not.</p>

<pre>&lt;!-- https://foo.example.com/a.html -->
&lt;!doctype html>
&lt;script>
document.domain = 'example.com';
&lt;/script>
&lt;iframe src=b.html>&lt;/iframe></pre>

<pre>&lt;!-- https://bar.example.com/b.html -->
&lt;!doctype html>
&lt;script>
document.domain = 'example.com'; // This happens after the document is initialized
new PaymentRequest(&hellip;); // Not allowed to use
&lt;/script></pre>
</div>

<div class="example">
<p>In this example, the child document <em>is</em> allowed to use
<code>PaymentRequest</code>, despite not being <span>same origin-domain</span> at the time
the child document tries to use it. At the time the child document is initialized, none of
the documents have set <code data-x="dom-document-domain">document.domain</code> yet so
<span>same origin-domain</span> falls back to a normal <span>same origin</span> check.</p>

<pre>&lt;!-- https://example.com/a.html -->
&lt;!doctype html>
&lt;iframe src=b.html>&lt;/iframe>
&lt;!-- The child document is now initialized, before the script below is run. -->
&lt;script>
document.domain = 'example.com';
&lt;/script></pre>

<pre>&lt;!-- https://example.com/b.html -->
&lt;!doctype html>
&lt;script>
new PaymentRequest(&hellip;); // Allowed to use
&lt;/script></pre>
</div>
</li>

<li>
<p>If <var>response</var> has a `<code data-x="http-refresh">Refresh</code>` header, then:</p>
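Review bot: the note in this hunk uses `<var>document</var>` three times, but this algorithm speaks of "the <code>Document</code>" (the preceding "Implement the sandboxing" step and the new step itself) and never introduces a `document` variable; the text was lifted from the removed "set the allow* flags" algorithm, where `<var>document</var>` was in scope. Either rewrite the note in terms of "the <code>Document</code>'s origin" or introduce the variable. The same casing mismatch noted for "Initialize document’s Feature Policy" applies to "Initialize document’s Feature Policy from response" versus its dfn "Initialize document’s feature policy from response".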
Expand Down Expand Up @@ -120164,6 +120183,9 @@ INSERT INTERFACES HERE
<dt id="refsEXIF">[EXIF]</dt>
<dd>(Non-normative) <cite><a href="https://www.jeita.or.jp/cgi-bin/standard_e/list.cgi?cateid=1&subcateid=4">Exchangeable image file format</a></cite>. JEITA.</dd>

<dt id="refsFEATUREPOLICY">[FEATUREPOLICY]</dt>
<dd><cite><a href="https://wicg.github.io/feature-policy/">Feature Policy</a></cite>, I. Clelland, WICG.</dd>

<dt id="refsFETCH">[FETCH]</dt>
<dd><cite><a href="https://fetch.spec.whatwg.org/">Fetch</a></cite>, A. van Kesteren. WHATWG.</dd>

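Review bot: the new reference entry "I. Clelland, WICG." separates author and publisher with a comma, while the neighbouring entries use a period ("A. van Kesteren. WHATWG."); match the existing style of the references list.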
