More feature policy ideas #24

Open
AshleyScirra opened this issue Jun 28, 2016 · 4 comments

@AshleyScirra

I think there is opportunity to use this feature to enforce best practices in web development and disable deprecated/inefficient/superseded features. This could help create a sort of "strict mode for HTML", whereby developers can set an HTTP header to encourage sensible design patterns. The no-docwrite is a good example of this. Here are some other ideas (from https://discourse.wicg.io/t/proposal-sandbox-policy/1414):

  • force-strict-mode: treat all scripts as if they had "use strict"; at the top, eliminating "sloppy mode" from the whole document
  • no-sync-storage to disable local/session storage (the old synchronous APIs superseded by IndexedDB) - the Chrome Web Store already implements this
  • no-prefixed-features - disable all prefixes, forcing standards-compliant uses only
  • no-nonstandard-features - similar to no prefixes, but to turn off all features not actually in the spec, e.g. window.orientation (replaced by screen.orientation), node.innerText (only exists for compatibility reasons), etc.

@ghost

ghost commented Oct 24, 2016

The first one is redundant since modules will be strict by default.

@clelland
Collaborator

@adria2, I think this proposal is to apply strict mode uniformly to all scripts included in a page; not specifically for module code.

@igrigorik igrigorik added this to the vNext milestone Nov 23, 2016
@laukstein

What about policy to allow/disallow

  1. web-storage (like localStorage, sessionStorage, Indexed DB, window.Cache (from Service Worker))
  2. device viewport optimization (devices may auto apply different scaling optimizations for pages)

@Jamesernator

Given feature policy seems to be about controlling access to features rather than changing them, I think force-strict-mode would be better replaced with require-strict-mode, which would prevent all forms of script execution that try to run non-strict code. This would include <script> but would also include things like importScripts(), eval, new Function, new Worker and so on.

@pabrai pabrai added the feedback label May 8, 2019
@pabrai pabrai added this to Feedback in FP Engagement May 13, 2019
@clelland clelland removed this from the vNext milestone Jan 24, 2020
6 participants