From 2c5c3aa1248d07db60323bbff3f3cd225faf024f Mon Sep 17 00:00:00 2001 From: Raymes Khoury Date: Tue, 10 Oct 2017 16:03:15 +1100 Subject: [PATCH 1/2] Add support for permissions that have an associated Feature Policy This adds support for denying access to permissions which are not allowed in the current context based on an associated Feature Policy. The Feature Name and Default Allowlist of a policy-controlled feature must still be declared in the owning spec. This also removes specific support for the media feature policy which is covered by the more general support. --- index.bs | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/index.bs b/index.bs index 91c848b..d848df0 100644 --- a/index.bs +++ b/index.bs @@ -44,6 +44,11 @@ spec: sensors; urlPrefix: https://w3c.github.io/sensors/# spec: manifest; urlPrefix: https://w3c.github.io/manifest/# type: dfn text: install; url: dfn-install +spec: feature-policy; urlPrefix: https://wicg.github.io/feature-policy/# + type: dfn + text: policy-controlled feature + type: dfn + text: feature name 
@@ -233,6 +238,21 @@ spec: webidl
           and |descriptor|.{{PermissionDescriptor/name}} isn't
           allowed in non-secure contexts, then return {{"denied"}}.
         
+        
  • 
+          If there exists a policy-controlled feature with a
+          feature name that is equal to
+          |descriptor|.{{PermissionDescriptor/name}} and
+          |settings| has an associated `Document` named document,
+          run the following step:
+          
      
+            
    1. 
+              If document is not allowed to use the feature
+              with the feature name
+              |descriptor|.{{PermissionDescriptor/name}}
+              return {{"denied"}}.
+            
      2. 
+          
    
+        
    • 
         
  • 
           If there was a previous invocation of this algorithm with the same
           |descriptor| and |settings|, returning
@@ -786,13 +806,6 @@ spec: webidl
       allowed in non-secure contexts. {{"camera"}} and {{"microphone"}}
       MAY be allowed in non-secure contexts.
     
    
-    
    
-      If the current global object has an associated `Document`,
-      and that {{Document}} is not allowed to use the feature indicated
-      by attribute name <{iframe/allowusermedia}>, then the permission
-      state of any descriptor with a {{PermissionDescriptor/name}} of
-      {{"camera"}} or {{"microphone"}} must be {{"denied"}}.
-    
    
     
    
       
    
         permission descriptor type

From e5f7e854d5e438effd40043031f3352c2ffd620c Mon Sep 17 00:00:00 2001
From: Raymes Khoury 
Date: Mon, 3 Sep 2018 16:54:40 +1000
Subject: [PATCH 2/2] Update to comply with recent FP spec

---
 index.bs | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/index.bs b/index.bs
index d848df0..c52bc4e 100644
--- a/index.bs
+++ b/index.bs
@@ -44,11 +44,6 @@ spec: sensors; urlPrefix: https://w3c.github.io/sensors/#
 spec: manifest; urlPrefix: https://w3c.github.io/manifest/#
     type: dfn
         text: install; url: dfn-install
-spec: feature-policy; urlPrefix: https://wicg.github.io/feature-policy/#
-    type: dfn
-        text: policy-controlled feature
-    type: dfn
-        text: feature name
 
 
    • @@ -239,16 +234,13 @@ spec: webidl
           allowed in non-secure contexts, then return {{"denied"}}.
         
         
  • 
-          If there exists a policy-controlled feature with a
-          feature name that is equal to
-          |descriptor|.{{PermissionDescriptor/name}} and
-          |settings| has an associated `Document` named document,
-          run the following step:
+          If there exists a [=policy-controlled feature=] identified by
+          |descriptor|.{{PermissionDescriptor/name}} and |settings| has an
+          associated `Document` named document, run the following step:
           
      
             
    1. 
               If document is not allowed to use the feature
-              with the feature name
-              |descriptor|.{{PermissionDescriptor/name}}
+              identified by |descriptor|.{{PermissionDescriptor/name}}
               return {{"denied"}}.
             
      2.