Integrate Feature Policy concepts into HTML

This commit introduces the feature policy for Document objects, adds the
'allow' attribute to iframe elements, and reframes 'allowfullscreen',
'allowpaymentrequest' and 'allowusermedia' in terms of feature policy.
Document allow* flags are removed, as they are no longer referenced.

The 'allowed to use' algorithm is also updated to call into the feature
policy 'Is feature enabled' algorithm, and rewritten to take a policy-
controlled feature as an argument rather than an attribute, so that
other specs can also use it to control other features.

Tests:

- web-platform-tests/wpt#10966
- web-platform-tests/wpt@3cc0d89
- web-platform-tests/wpt@9a00e4a
- web-platform-tests/wpt#4625

Author: clelland

source

@@ -4007,6 +4007,22 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
     </ul>
    </dd>
 
+   <dt>Feature Policy</dt>
+
+   <dd>
+    <p>The following terms are defined in <cite>Feature Policy</cite>: <ref spec="FEATUREPOLICY"></p>
+
+    <ul class="brief">
+     <li><dfn data-x="concept-feature-policy" data-x-href="https://wicg.github.io/feature-policy/#feature-policy">feature policy</dfn></li>
+     <li><dfn data-x="concept-container-policy" data-x-href="https://wicg.github.io/feature-policy/#container-policy">container policy</dfn></li>
+     <li><dfn data-x="concept-serialized-feature-policy" data-x-href="https://wicg.github.io/feature-policy/#serialized-feature-policy">serialized feature policy</dfn></li>
+     <li>The <dfn data-x-href="https://wicg.github.io/feature-policy/#initialize-for-document">Initialize document’s feature policy</dfn> algorithm</li>
+     <li>The <dfn data-x-href="https://wicg.github.io/feature-policy/#initialize-from-response">Initialize document’s feature policy from response</dfn> algorithm</li>
+     <li>The <dfn data-x="is-feature-enabled" data-x-href="https://wicg.github.io/feature-policy/#is-feature-enabled">Is feature enabled by policy for origin</dfn> algorithm</li>
+     <li>The <dfn data-x="process-feature-policy-attributes" data-x-href="https://wicg.github.io/feature-policy/#process-feature-policy-attributes">Process feature policy attributes</dfn> algorithm</li>
+    </ul>
+   </dd>
+
 
    <dt>Payment Request API</dt>
 
@@ -9212,6 +9228,10 @@ partial interface <dfn id="document" data-lt="">Document</dfn> {
   containing all of the <span>Content Security Policy</span> objects active for the document. The
   list is empty unless otherwise specified.</p>
 
+  <p>The <code>Document</code> has a <dfn data-x="concept-document-feature-policy" data-export=""
+  data-dfn-for="Document">feature policy</dfn>, which is a <span
+  data-x="concept-feature-policy">feature policy</span>, which is initially empty.</p>
+
   <p>The <code>Document</code> has a <dfn data-dfn-for="Document"
   data-x="concept-document-module-map">module map</dfn>, which is a <span>module map</span>,
   initially empty.</p>
@@ -29438,6 +29458,7 @@ href="?audio">audio&lt;/a> test instead.)&lt;/p></pre>
    <dd><code data-x="attr-iframe-srcdoc">srcdoc</code></dd>
    <dd><code data-x="attr-iframe-name">name</code></dd>
    <dd><code data-x="attr-iframe-sandbox">sandbox</code></dd>
+   <dd><code data-x="attr-iframe-allow">allow</code></dd>
    <dd><code data-x="attr-iframe-allowfullscreen">allowfullscreen</code></dd>
    <dd><code data-x="attr-iframe-allowpaymentrequest">allowpaymentrequest</code></dd>
    <dd><code data-x="attr-iframe-allowusermedia">allowusermedia</code></dd>
@@ -29453,6 +29474,7 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-iframe-srcdoc">srcdoc</span>;
   [<span>CEReactions</span>] attribute DOMString <span data-x="dom-iframe-name">name</span>;
   [SameObject, PutForwards=<span data-x="dom-DOMTokenList-value">value</span>] readonly attribute <span>DOMTokenList</span> <span data-x="dom-iframe-sandbox">sandbox</span>;
+  [<span>CEReactions</span>] attribute DOMString <span data-x="dom-iframe-allow">allow</span>;
   [<span>CEReactions</span>] attribute boolean <span data-x="dom-iframe-allowFullscreen">allowFullscreen</span>;
   [<span>CEReactions</span>] attribute boolean <span data-x="dom-iframe-allowPaymentRequest">allowPaymentRequest</span>;
   [<span>CEReactions</span>] attribute boolean <span data-x="dom-iframe-allowUserMedia">allowUserMedia</span>;
@@ -29959,13 +29981,30 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   </div>
 
 
-  <hr> <!-- ALLOW FULLSCREEN / USER MEDIA -->
+  <hr> <!-- FEATURE POLICY ATTRIBUTES: ALLOW; ALLOW FULLSCREEN / PAYMENT REQUEST / USER MEDIA -->
+
+  <p>The <dfn><code data-x="attr-iframe-allow">allow</code></dfn> attribute, when specified,
+  determines the <span data-x="concept-container-policy">container policy</span> that will be used
+  when the <span data-x="concept-document-feature-policy">feature policy</span> for a
+  <span>Document</span> in the <code>iframe</code>'s <span>nested browsing context</span> is
+  initialized. Its value must be a <span data-x="concept-serialized-feature-policy">serialized
+  feature policy</span>. <ref spec="FEATUREPOLICY">
+
+  <div class="example">
+   <p>In this example, an <code>iframe</code> is used to embed a map from an online navigation
+   service. The <code data-x="attr-iframe-allow">allow</code> attribute is used to enable the
+   Geolocation API within the nested context.</p>
+
+   <pre>&lt;iframe src="https://maps.example.com/" allow="geolocation">&lt;/iframe></pre>
+  </div>
 
   <p>The <dfn><code data-x="attr-iframe-allowfullscreen">allowfullscreen</code></dfn> attribute is a
   <span>boolean attribute</span>. When specified, it indicates that <code>Document</code> objects in
-  the <code>iframe</code> element's <span>browsing context</span> are to be allowed to use <code
-  data-x="dom-element-requestFullscreen">requestFullscreen()</code> (if it's not blocked for other
-  reasons, e.g. there is another ancestor <code>iframe</code> without this attribute set).</p>
+  the <code>iframe</code> element's <span>browsing context</span> will be initialized with a
+  <span data-x="concept-document-feature-policy">feature policy</span> which allows the <code
+  data-x="">fullscreen</code> feature to be used from any <span>origin</span>. This is enforced by
+  the <span data-x="process-feature-policy-attributes">Process feature policy attributes</span>
+  algorithm. <ref spec="FEATUREPOLICY">
 
   <div class="example">
 
@@ -29987,18 +30026,32 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
   <p>The <dfn><code data-x="attr-iframe-allowpaymentrequest">allowpaymentrequest</code></dfn>
   attribute is a <span>boolean attribute</span>. When specified, it indicates that
   <code>Document</code> objects in the <code>iframe</code> element's <span>browsing context</span>
-  are to be allowed to use the <code>PaymentRequest</code> interface to make payment requests.</p>
+  will be initialized with a <span data-x="concept-document-feature-policy">feature policy</span>
+  which allows the <code data-x="">payment</code> feature to be used to make payment requests from
+  any <span>origin</span>. This is enforced by the <span
+  data-x="process-feature-policy-attributes">Process feature policy attributes</span> algorithm.
+  <ref spec="FEATUREPOLICY">
 
   <p>The <dfn><code data-x="attr-iframe-allowusermedia">allowusermedia</code></dfn> attribute is a
   <span>boolean attribute</span>. When specified, it indicates that <code>Document</code> objects in
-  the <code>iframe</code> element's <span>browsing context</span> are to be allowed to use <code
-  data-x="dom-MediaDevices-getUserMedia">getUserMedia()</code> (if it's not blocked for other
-  reasons, e.g. there is another ancestor <code>iframe</code> without this attribute set).</p>
+  the <code>iframe</code> element's <span>browsing context</span> will be initialized with a <span
+  data-x="concept-document-feature-policy">feature policy</span> which allows the
+  <code data-x="">camera</code> and <code data-x="">microphone</code> features to be used to call
+  <code data-x="dom-MediaDevices-getUserMedia">getUserMedia()</code> from any <span>origin</span>.
+  This is enforced by the <span data-x="process-feature-policy-attributes">Process feature policy
+  attributes</span> algorithm. <ref spec="FEATUREPOLICY">
+
+  <p class="note">None of these attributes, <code data-x="attr-iframe-allow">allow</code>,
+  <code data-x="attr-iframe-allowfullscreen">allowfullscreen</code>, <code
+  data-x="attr-iframe-allowpaymentrequest">allowpaymentrequest</code> or <code
+  data-x="attr-iframe-allowusermedia">allowusermedia</code>, can grant access to a feature in a
+  <span>nested browsing context</span> if the <code>iframe</code> element's <span>node
+  document</span> is not already allowed to use that feature.</p>
 
   <div w-nodev>
    <p id="fullscreen-logic">To determine whether a <code>Document</code> object <var>document</var>
-   is <dfn data-export="">allowed to use</dfn> the feature indicated by attribute name
-   <var>allowattribute</var>, run these steps:</p>
+   is <dfn data-export="">allowed to use</dfn> the policy-controlled-feature <var>feature</var>,
+   run these steps:</p>
 
    <ol>
     <li><p>If <var>document</var> has no <span data-x="concept-document-bc">browsing context</span>,
@@ -30007,117 +30060,24 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
     <li><p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span>'s
     <span>active document</span> is not <var>document</var>, then return false.</p></li>
 
-    <li><p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> is a
-    <span>top-level browsing context</span>, then return true.</p></li>
-
-    <li>
-     <p>If <var>allowattribute</var> is <code
-     data-x="attr-iframe-allowfullscreen">allowfullscreen</code>, then:</p>
-
-     <ol>
-      <li><p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> has
-      a <span>browsing context container</span> that is an <code>iframe</code> element with an
-      <var>allowattribute</var> attribute specified, and whose <span>node document</span> is
-      <span>allowed to use</span> the feature indicated by <var>allowattribute</var>, then return
-      true.</p></li>
-     </ol>
-
-     <p class="big-issue">This step is legacy behavior for the <code
-     data-x="attr-iframe-allowfullscreen">allowfullscreen</code> attribute that should not be used
-     for new features. If possible this will be removed, see <a
-     href="https://github.com/whatwg/html/issues/2143#issuecomment-265514585">issue 2143</a>.</p>
-    </li>
-
-    <li>
-     <p>Otherwise:</p>
-
-     <ol>
-      <li><p>If <var>document</var> has the <var><var>allowattribute</var> flag</var> set, and
-      <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> has a
-      <span>browsing context container</span> that is an <code>iframe</code> element whose
-      <span>node document</span> is <span>allowed to use</span> the feature indicated by
-      <var>allowattribute</var>, then return true.</p></li>
-     </ol>
-    </li>
+    <li><p>If the result of running <span data-x="is-feature-enabled">Is feature enabled in document
+    for origin</span> on <var>feature</var>, <var>document</var>, and <var>document</var>'s
+    <span>origin</span> is "<code data-x="">Enabled</code>", then return true.</p></li>
 
     <li><p>Return false.</p></li>
    </ol>
+  </div>
 
-   <p>To <dfn>set the allow* flags</dfn> for a <code>Document</code> <var>document</var> means to
-   run these steps:</p>
-
-   <ol>
-    <li>
-     <p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> has a
-     <span>browsing context container</span> whose <span>node document</span>'s <span>origin</span>
-     is <span>same origin-domain</span> with <var>document</var>'s <span>origin</span>, then set the
-     <var>allowpaymentrequest flag</var> and the <var>allowusermedia flag</var> on
-     <var>document</var>, and return.</p>
-
-     <p class="note">If <code data-x="dom-document-domain">document.domain</code> has been used for
-     the <span>browsing context container</span>'s <span>node document</span>, then its
-     <span>origin</span> cannot be <span>same origin-domain</span> with <var>document</var>'s
-     <span>origin</span>, because these steps run when <var>document</var> is initialized so it
-     cannot itself yet have used <code data-x="dom-document-domain">document.domain</code>. Note
-     that this is less permissive compared to doing a <span>same origin</span> check instead.</p>
-
-     <div class="example">
-      <p>In this example, the child document is not allowed to use <code>PaymentRequest</code>,
-      despite being <span>same origin-domain</span> at the time the child document tries to use it.
-      At the time the child document is initialized, only the parent document has set <code
-      data-x="dom-document-domain">document.domain</code>, and the child document has not.</p>
-
-      <pre>&lt;!-- https://foo.example.com/a.html -->
-&lt;!doctype html>
-&lt;script>
- document.domain = 'example.com';
-&lt;/script>
-&lt;iframe src=b.html>&lt;/iframe></pre>
-
-      <pre>&lt;!-- https://bar.example.com/b.html -->
-&lt;!doctype html>
-&lt;script>
- document.domain = 'example.com'; // This happens after the document is initialized
- new PaymentRequest(&hellip;); // Not allowed to use
-&lt;/script></pre>
-     </div>
-
-     <div class="example">
-      <p>In this example, the child document <em>is</em> allowed to use <code>PaymentRequest</code>,
-      despite not being <span>same origin-domain</span> at the time the child document tries to use
-      it. At the time the child document is initialized, none of the documents have set <code
-      data-x="dom-document-domain">document.domain</code> yet so <span>same origin-domain</span>
-      falls back to a normal <span>same origin</span> check.</p>
-
-      <pre>&lt;!-- https://example.com/a.html -->
-&lt;!doctype html>
-&lt;iframe src=b.html>&lt;/iframe>
-&lt;!-- The child document is now initialized, before the script below is run. -->
-&lt;script>
- document.domain = 'example.com';
-&lt;/script></pre>
-
-      <pre>&lt;!-- https://example.com/b.html -->
-&lt;!doctype html>
-&lt;script>
- new PaymentRequest(&hellip;); // Allowed to use
-&lt;/script></pre>
-     </div>
-    </li>
-
-    <li><p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> has a
-    <span>browsing context container</span> that is an <code>iframe</code> element, let
-    <var>iframe</var> be that element. Otherwise, return.</p></li>
-
-    <li><p>If <var>iframe</var> has an <code
-    data-x="attr-iframe-allowpaymentrequest">allowpaymentrequest</code> attribute specified, then
-    set the <var>allowpaymentrequest flag</var> on <var>document</var>.</p></li>
+  <p class="warning">Because they only influence the <span
+  data-x="concept-document-feature-policy">feature policy</span> of the <span>nested browsing
+  context</span>'s <span>active document</span>, the <code data-x="attr-iframe-allow">allow</code>,
+  <code data-x="attr-iframe-allowfullscreen">allowfullscreen</code>, <code
+  data-x="attr-iframe-allowpaymentrequest">allowpaymentrequest</code> and <code
+  data-x="attr-iframe-allowusermedia">allowusermedia</code> attributes only take effect when the
+  <span>nested browsing context</span> of the <code>iframe</code> is <span
+  data-x="navigate">navigated</span>. Adding or removing them has no effect on an already-loaded
+  document.</p>
 
-    <li><p>If <var>iframe</var> has an <code
-    data-x="attr-iframe-allowusermedia">allowusermedia</code> attribute specified, then set the
-    <var>allowusermedia flag</var> on <var>document</var>.</p></li>
-   </ol>
-  </div>
 
   <hr> <!-- DIM ATTRIBUTES -->
 
@@ -30151,8 +30111,9 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
 
   <p>The IDL attributes <dfn><code data-x="dom-iframe-src">src</code></dfn>, <dfn><code
   data-x="dom-iframe-srcdoc">srcdoc</code></dfn>, <dfn><code
-  data-x="dom-iframe-name">name</code></dfn>,and <dfn><code
-  data-x="dom-iframe-sandbox">sandbox</code></dfn> must <span>reflect</span> the respective content
+  data-x="dom-iframe-name">name</code></dfn>, <dfn><code
+  data-x="dom-iframe-sandbox">sandbox</code></dfn>, and <dfn><code
+  data-x="dom-iframe-allow">allow</code></dfn> must <span>reflect</span> the respective content
   attributes of the same name.</p>
 
   <p>The <span data-x="concept-supported-tokens">supported tokens</span> for <code
@@ -77001,7 +76962,8 @@ dictionary <dfn>DragEventInit</dfn> : <span>MouseEventInit</span> {
 
    <li><p><span>Implement the sandboxing</span> for <var>document</var>.</p></li>
 
-   <li><p><span>Set the allow* flags</span> for <var>document</var>.</p></li>
+   <li><p>Execute the <span>Initialize document’s Feature Policy</span> algorithm on
+   <var>document</var>. <ref spec="FEATUREPOLICY"></p></li>
 
    <li><p>Add <var>document</var> to <var>browsingContext</var>'s <span>session
    history</span>.</p></li>
@@ -82370,7 +82332,64 @@ interface <dfn>Location</dfn> { // but see also <a href="#the-location-interface
 
      <li><p><span>Implement the sandboxing</span> for the <code>Document</code>.</p></li>
 
-     <li><p><span>Set the allow* flags</span> for the <code>Document</code>.</p></li>
+     <li>
+       <p>Execute the <span>Initialize document’s Feature Policy from response</span>
+       algorithm on the <code>Document</code> object and the <span
+       data-x="concept-response">response</span> used to generate the document.  <ref
+       spec="FEATUREPOLICY"></p>
+
+       <p class="note">The <span>Initialize document’s Feature Policy from response</span> algorithm
+       makes use of the <code>Document</code>'s <span>origin</span>. If <code
+       data-x="dom-document-domain">document.domain</code> has been used for the <span>browsing
+       context container</span>'s <span>node document</span>, then its <span>origin</span> cannot be
+       <span>same origin-domain</span> with <var>document</var>'s <span>origin</span>, because these
+       steps run when <var>document</var> is initialized, so it cannot itself yet have used <code
+       data-x="dom-document-domain">document.domain</code>. Note that this means that Feature Policy
+       checks are less permissive compared to doing a <span>same origin</span> check instead.</p>
+
+       <div class="example">
+         <p>In this example, the child document is not allowed to use <code>PaymentRequest</code>,
+         despite being <span>same origin-domain</span> at the time the child document tries to use
+	 it. At the time the child document is initialized, only the parent document has set <code
+         data-x="dom-document-domain">document.domain</code>, and the child document has not.</p>
+
+         <pre>&lt;!-- https://foo.example.com/a.html -->
+&lt;!doctype html>
+&lt;script>
+ document.domain = 'example.com';
+&lt;/script>
+&lt;iframe src=b.html>&lt;/iframe></pre>
+
+      <pre>&lt;!-- https://bar.example.com/b.html -->
+&lt;!doctype html>
+&lt;script>
+ document.domain = 'example.com'; // This happens after the document is initialized
+ new PaymentRequest(&hellip;); // Not allowed to use
+&lt;/script></pre>
+       </div>
+
+       <div class="example">
+         <p>In this example, the child document <em>is</em> allowed to use
+	 <code>PaymentRequest</code>, despite not being <span>same origin-domain</span> at the time
+	 the child document tries to use it. At the time the child document is initialized, none of
+	 the documents have set <code data-x="dom-document-domain">document.domain</code> yet so
+	 <span>same origin-domain</span> falls back to a normal <span>same origin</span> check.</p>
+
+         <pre>&lt;!-- https://example.com/a.html -->
+&lt;!doctype html>
+&lt;iframe src=b.html>&lt;/iframe>
+&lt;!-- The child document is now initialized, before the script below is run. -->
+&lt;script>
+ document.domain = 'example.com';
+&lt;/script></pre>
+
+         <pre>&lt;!-- https://example.com/b.html -->
+&lt;!doctype html>
+&lt;script>
+ new PaymentRequest(&hellip;); // Allowed to use
+&lt;/script></pre>
+       </div>
+     </li>
 
      <li>
       <p>If <var>response</var> has a `<code data-x="http-refresh">Refresh</code>` header, then:</p>
@@ -120140,6 +120159,9 @@ INSERT INTERFACES HERE
    <dt id="refsEXIF">[EXIF]</dt>
    <dd>(Non-normative) <cite><a href="https://www.jeita.or.jp/cgi-bin/standard_e/list.cgi?cateid=1&subcateid=4">Exchangeable image file format</a></cite>. JEITA.</dd>
 
+   <dt id="refsFEATUREPOLICY">[FEATUREPOLICY]</dt>
+   <dd><cite><a href="https://wicg.github.io/feature-policy/">Feature Policy</a></cite>, I. Clelland, WICG.</dd>
+
    <dt id="refsFETCH">[FETCH]</dt>
    <dd><cite><a href="https://fetch.spec.whatwg.org/">Fetch</a></cite>, A. van Kesteren. WHATWG.</dd>