
Emit feature policy on subrequests & validate reflected policy #7

Closed
igrigorik opened this issue May 23, 2016 · 1 comment
@igrigorik (Member)

1. User requests foo.com
2. Server responds with...

    200 OK
    Content-Type: text/html
    Feature-Policy: {"disable":["sync-script"]}
    ...

    <script src=/oops.js>
    <script src=/app.js async>

  • The browser will skip executing "oops.js" because it's a blocking script.
  • The browser will initiate a request for "app.js" and advertise the set Feature-Policy...

    GET /app.js
    Feature-Policy: {"disable":["sync-script"]}

  • The server must (?) reflect back the policy in its response
    • The policy can be a superset of the requested policy.
    • If the response policy is not reflected, fail (?) the request - i.e. the script is not executed; the client can abort the request (?).

Beginnings of this logic in https://igrigorik.github.io/feature-policy/#set-request-policy
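The exchange sketched above, as an added simulation written for this page (it is not code from the feature-policy repo or from the issue author): the browser checks each script against the page policy, attaches the policy to the subrequest, a hypothetical origin server either reflects it, widens it, drops it, or narrows it, and the browser then applies the "reflected policy must be a superset" rule before executing the response. The 2016 JSON header syntax and the `sync-script` feature name come from the issue text; the helper names, the server options and the sample scenario are assumptions for illustration.

```javascript
// Added example, not code from the feature-policy project. Simulates the
// reflect-and-validate handshake proposed in this issue using the JSON
// Feature-Policy header syntax quoted above. Server behaviour is hypothetical.

const HEADER = 'Feature-Policy';

// Parse the JSON policy header into a Set of disabled feature names.
// Missing or malformed header => null (no policy in effect).
function parsePolicy(value) {
  if (typeof value !== 'string') return null;
  let obj;
  try { obj = JSON.parse(value); } catch (e) { return null; }
  if (!obj || !Array.isArray(obj.disable)) return null;
  return new Set(obj.disable.filter((f) => typeof f === 'string'));
}

function serializePolicy(disabled) {
  return JSON.stringify({ disable: [...disabled].sort() });
}

// The document's policy decides which scripts are eligible at all: under
// {"disable":["sync-script"]} a blocking <script src> is skipped, an async one is fetched.
function scriptAllowed(pagePolicy, { async = false } = {}) {
  if (!pagePolicy) return true;
  return async || !pagePolicy.has('sync-script');
}

// The browser advertises the active policy on the subrequest.
function buildSubrequest(url, pagePolicy) {
  const headers = {};
  if (pagePolicy) headers[HEADER] = serializePolicy(pagePolicy);
  return { method: 'GET', url, headers };
}

// Hypothetical origin server. `reflect` controls whether it echoes the policy,
// `extraDisabled` lets it answer with a stricter (superset) policy, and
// `overridePolicy` sends an arbitrary header value (e.g. a narrower policy).
function originServer(request, { reflect = true, extraDisabled = [], overridePolicy } = {}) {
  const headers = { 'Content-Type': 'application/javascript' };
  const requested = parsePolicy(request.headers[HEADER]);
  if (overridePolicy !== undefined) {
    headers[HEADER] = overridePolicy;
  } else if (reflect && requested) {
    headers[HEADER] = serializePolicy(new Set([...requested, ...extraDisabled]));
  }
  return { status: 200, headers, body: 'console.log("app")' };
}

// Validate the reflected policy: it must be present and must disable at least
// everything the browser asked to disable. Otherwise the script is not executed.
function validateReflection(requestPolicy, response) {
  if (!requestPolicy) return { ok: true, reason: 'no policy to reflect' };
  const reflected = parsePolicy(response.headers[HEADER]);
  if (!reflected) return { ok: false, reason: 'policy not reflected' };
  for (const feature of requestPolicy) {
    if (!reflected.has(feature)) {
      return { ok: false, reason: `reflected policy re-enables ${feature}` };
    }
  }
  return { ok: true, reason: 'reflected policy is a superset' };
}

// Full flow for one <script> element on a page served with `pagePolicyHeader`.
function loadScript(pagePolicyHeader, src, attrs, serverOpts) {
  const pagePolicy = parsePolicy(pagePolicyHeader);
  if (!scriptAllowed(pagePolicy, attrs)) {
    return { executed: false, reason: 'blocked by page policy' };
  }
  const req = buildSubrequest(src, pagePolicy);
  const res = originServer(req, serverOpts);
  const check = validateReflection(pagePolicy, res);
  return {
    executed: check.ok,
    reason: check.reason,
    requestHeader: req.headers[HEADER],
    responseHeader: res.headers[HEADER],
  };
}

// Constructed scenario mirroring the issue text.
const PAGE_POLICY = '{"disable":["sync-script"]}';
function demo() {
  return {
    oops: loadScript(PAGE_POLICY, '/oops.js', { async: false }),
    app: loadScript(PAGE_POLICY, '/app.js', { async: true }),
    notReflected: loadScript(PAGE_POLICY, '/app.js', { async: true }, { reflect: false }),
    superset: loadScript(PAGE_POLICY, '/app.js', { async: true }, { extraDisabled: ['geolocation'] }),
    narrowed: loadScript(PAGE_POLICY, '/app.js', { async: true }, { overridePolicy: '{"disable":[]}' }),
  };
}

module.exports = { parsePolicy, scriptAllowed, buildSubrequest, originServer, validateReflection, loadScript, demo };
```

Calling `demo()` walks the five cases: the blocking script never leaves the browser, the async script runs when the policy is echoed verbatim or widened, and it is refused when the header is absent or comes back with `sync-script` removed. The superset rule is what lets an endpoint behind a CDN add restrictions without having to know the page's exact policy, which is the part the follow-up comment judges too burdensome for most endpoints.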

@igrigorik (Member, Author)

After talking about this some more:

  • Early feedback on similar mechanisms (embedded CSP) is ~meh: reflecting the policy creates a lot of complications for the endpoints because they now need to "be smart" at the edge; endpoints are unlikely to reflect the policy.
  • "Enforcement" is independent of reflected policy anyway: if a feature is disabled it'll cause an error if used; there is no need to rely on reflected header.

It may still make sense to advertise the active policy in the feature, purely as an FYI, but I think this can be safely moved into the v-next bucket. Closing, we can revisit once and if we get more demand for this.
