Add permissions patches

spec.bs

@@ -74,6 +74,8 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
         text: cross-origin isolation mode; url: bcg-cross-origin-isolation
       for: cross-origin isolation mode
         text: none; url:cross-origin-isolation-none
+    urlPrefix: document-lifecycle.html
+      text: create and initialize a Document object; url: initialise-the-document-object
     urlPrefix: browsing-the-web.html
       text: create navigation params by fetching; url: create-navigation-params-by-fetching
       text: document state; url: she-document-state
@@ -83,6 +85,7 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
       for: navigation params
         text: response; url: navigation-params-response
         text: navigable; url: navigation-params-navigable
+        text: origin; url: navigation-params-origin
       for: history handling behavior
         text: replace; url: hh-replace
       for: document state
@@ -109,6 +112,21 @@ spec: html; urlPrefix: https://html.spec.whatwg.org/multipage/
     urlPrefix: nav-history-apis.html
       for: Window
         text: navigable; url: window-navigable
+    urlPrefix: webappapis.html
+      for: environment
+        text: target browsing context; url: concept-environment-target-browsing-context
+    urlPrefix: document-sequences.html
+      for: browsing context
+        text: active document; url: active-document
+spec: fetch; urlPrefix: https://fetch.spec.whatwg.org/
+  type: dfn
+    text: queue a cross-origin embedder policy CORP violation report; url: queue-a-cross-origin-embedder-policy-corp-violation-report
+    text: should request be blocked due to a bad port; url: block-bad-port
+spec: mixed-content; urlPrefix: https://w3c.github.io/webappsec-mixed-content/
+  type: dfn
+    text: should fetching request be blocked as mixed content; url: should-block-fetch
+spec: CSP; urlPrefix: https://w3c.github.io/webappsec-csp/
+  type: dfn
     urlPrefix: interactive-elements.html
       text: accesskey attribute command; url: using-the-accesskey-attribute-to-define-a-command-on-other-elements
       text: previously focused element; url: previously-focused-element
@@ -125,6 +143,18 @@ spec: RFC8941; urlPrefix: https://www.rfc-editor.org/rfc/rfc8941.html
     text: structured header; url: #section-1
     for: structured header
       text: token; url: name-tokens
+spec: permissions-policy; urlPrefix: https://w3c.github.io/webappsec-permissions-policy
+  type: dfn
+    text: Create a Permissions Policy for a navigable; url: algo-create-for-navigable
+    text: Create a Permissions Policy for a navigable from response; url: algo-create-from-response
+    text: Define an inherited policy for feature in container at origin; url: define-inherited-policy-in-container
+    text: default allowlist; url: policy-controlled-feature-default-allowlist
+    text: ASCII-serialized policy directive; url: serialized-policy-directive
+    text: inherited policy; url: inherited-policy
+    text: serialized permissions policy; url: serialized-permissions-policy
+    for: permissions
+      text: matches; url: matches
+      text: permissions policy; url: permissions-policy
 spec: CSP; urlPrefix: https://w3c.github.io/webappsec-csp/
   type: dfn
     text: directive value; url: directive-value
@@ -254,6 +284,7 @@ dl, dd {
  <dd>[=Global attributes=]</dd>
  <dd><code>[=width=]</code> — Horizontal dimension</dd>
  <dd><code>[=height=]</code> — Vertical dimension</dd>
+ <dd><code><{fencedframe/allow}></code> — [=permissions/Permissions policy=] to be applied to the <{fencedframe}>'s contents</dd>
  <dt>[=Accessibility considerations=]:</dt>
  <dd><p class=XXX>TODO</p></dd>
  <dt>[=DOM interface=]:</dt>
@@ -266,6 +297,7 @@ interface HTMLFencedFrameElement : HTMLElement {
   [CEReactions] attribute FencedFrameConfig? config;
   [CEReactions] attribute DOMString width;
   [CEReactions] attribute DOMString height;
+  [CEReactions] attribute DOMString allow;
 };
 </xmp>
 </dd>
@@ -340,6 +372,14 @@ The <dfn attribute for=HTMLFencedFrameElement>config</dfn> IDL attribute getter
   1. <span class=XXX>TODO</span>
 </div>
 
+The <dfn element-attr for=fencedframe>allow</dfn> attribute, when specified, determines the [=fenced
+container policy=] that will be used when the [=Document/permissions policy=] for a {{Document}} in
+the <{fencedframe}>'s [=fenced navigable container/fenced navigable=] is initialized. Its value must
+be a [=serialized permissions policy=]. [[!PERMISSIONS-POLICY]]
+
+The IDL attribute <dfn attribute for=HTMLFencedFrameElement>allow</dfn> must [=reflect=] the
+respective content attribute of the same name.
+
 <h3 id=dimension-attributes>Dimension attributes</h3>
 
 This section details monkeypatches to [[!HTML]]'s <a
@@ -617,6 +657,9 @@ A <dfn export>fenced frame config</dfn> is a struct with the following [=struct/
 
   : <dfn>embedder shared storage context</dfn>
   :: null, or an [=fencedframetype/embedder shared storage context=]
+
+  : <dfn>required permissions to load</dfn>
+  :: a [=list=] of [=policy-controlled features=]
 </dl>
 
 <h4 id=fenced-frame-config-instance-struct>The [=fenced frame config instance=] [=struct=]</h4>
@@ -657,6 +700,9 @@ A <dfn export>fenced frame config instance</dfn> is a struct with the following
 
   : <dfn>embedder shared storage context</dfn>
   :: null, or an [=fencedframetype/embedder shared storage context=]
+
+  : <dfn>required permissions to load</dfn>
+  :: a [=list=] of [=policy-controlled features=]
 </dl>
 
 <div algorithm>
@@ -724,6 +770,9 @@ A <dfn export>fenced frame config instance</dfn> is a struct with the following
 
     : [=fenced frame config instance/embedder shared storage context=]
     :: |config|'s [=fenced frame config/embedder shared storage context=]
+
+    : [=fenced frame config instance/required permissions to load=]
+    :: |config|'s [=fenced frame config/required permissions to load=]
 </div>
 
 Each [=navigable=] has a <dfn for=navigable>fenced frame config instance</dfn>, which is a [=fenced
@@ -1010,8 +1059,6 @@ Note: This is because we need to ensure that we do not leak <var ignore>creator<
 document's referrer|referrer=], [=Document/origin=], [=creator base url=], [=Document/policy
 container=], across the fenced frame boundary.
 
-Issue: Ensure we are doing the right thing for [=Document/permissions policy=].
-
 <h3 id=nested-traversables>Nested traversables</h3>
 
 <h4 id=nested-traversables-intro>Introduction</h4>
@@ -1717,3 +1764,147 @@ specification is printed below:
   /fenced-frame/cspee.https.html
   /fenced-frame/embedder-csp-not-propagate.https.html
 </wpt>
+
+<h3 id=permissions-policy-changes>Permissions Policies</h3>
+
+Permissions are granted to {{Document}} inside of <{fencedframe}>s through the
+{{FencedFrameConfig}} object and its associated internal [=fencedframeconfig/config=], which defines
+the permissions [=fenced frame config/required permissions to load|required=] for a <{fencedframe}>
+to navigate successfully. Specifically, a {{Document}} inside of a <{fencedframe}> can only load if
+it has opted into all of the [=fenced frame config/required permissions to load=].
+
+<h4 id=fenced-container-policies>Fenced container policies</h4>
+
+TODO: define <dfn>fenced container policy</dfn> here, which is current referenced by
+<{fencedframe/allow}>.
+
+<h4 id=permissions-policy-patches>Algorithm patches</h4>
+
+<div algorithm=create-permissions-policy>
+  Modify the definition of [=Create a Permissions Policy for a navigable=] to read:
+
+  Given null or an element (|container|), an [=origin=] (<var ignore>origin</var>), and an optional
+  [=list=] of [=policy-controlled features=] (|required features|), this algorithm returns a new
+  [=Document/permissions policy=].
+
+  Rewrite step 1 of the algorithm to read:
+
+  1. [=Assert=]: if not null, |container| is either a [=navigable container=] or a [=fenced
+     navigable container=].
+
+  Add a new step after step 1 that reads:
+
+  2. [=Assert=]: if |container| is not a [=fenced navigable container=], |required features| is not
+     given.
+
+  Rewrite step 4 to read:
+
+  4. If |container| is a [=fenced navigable container=], then for each |feature| supported:
+
+       1. If |feature| [=list/exists=] in |required features|, set |inherited policy|[|feature|] to
+          "`Enabled`".
+
+          Otherwise, set |inherited policy|[|feature|] to "`Disabled`".
+
+     Otherwise, for each |feature| supported,
+
+       1. Let |isInherited| be the result of running [=Define an inherited policy for feature in
+          container at origin=] on |feature|, |container| and <var ignore>origin</var>.
+
+       2. Set |inherited policy|[|feature|] to |isInherited|.
+</div>
+
+<div algorithm=allow-attribute-fenced-frame>
+  Rename the <a href=https://w3c.github.io/webappsec-permissions-policy/#iframe-allow-attribute>The
+  `allow` attribute of the `iframe` element</a> section to "The `allow` attribute of the `iframe`
+  and `fencedframe` element", and rewrite the section to read:
+
+  <{iframe}> and <{fencedframe}> elements have an respective `allow` attributes (<{iframe}>:
+  <{iframe/allow}>; <{fencedframe}>: <{fencedframe/allow}>), which contain an [=ASCII-serialized
+  policy directive=].
+
+  The allowlist for the features named in the attribute may be empty; in that case, the default
+  value for the allowlist is "`src`", which represents the origin of the URL in the iframe’s src
+  attribute, or the fencedframe's [=fenced frame config=].
+
+  When not empty, the <{iframe/allow}> attribute will result in adding an allowlist for each
+  recognized feature to the iframe element’s content navigable's container policy or the fencedframe
+  element's [=fenced navigable container/fenced navigable=]'s container policy, when it is
+  constructed.
+</div>
+
+<div algorithm=create-permissions-policy-response>
+  Modify the definition of [=Create a Permissions Policy for a navigable from response=] to read:
+
+  Given null, a [=navigable container=], or a [=fenced navigable container=] (|container|), an
+  [=origin=] (|origin|), a [=response=] (<var ignore>response</var>), and null or a
+  [=list=] of [=features=] (|required features|), this algorithm returns a new
+  [=Document/permissions policy=].
+
+  Modify step 1 of the algorithm to read:
+  1. Let <var ignore>policy</var> be the result of running
+    [=Create a Permissions Policy for a navigable=] given |container|, |origin|, and
+    |required features|.
+</div>
+
+<div algorithm=shared-document-creation-changes>
+  Modify the [=create and initialize a Document object=] algorithm. Rewrite step 3 to read:
+
+  3. Let <var ignore>permissionsPolicy</var> be the result of [=Create a Permissions Policy for a
+    navigable from response|creating a permissions policy from a response=] given
+    |navigationParams|'s [=navigable=]'s [=navigable container|container=], |navigationParams|'s
+    [=navigation params/origin=], |navigationParams|'s [=navigation params/response=], and
+    |navigationParams|'s [=navigable=]'s [=fenced frame config instance=]'s [=fenced frame config
+    instance/required permissions to load=].
+</div>
+
+<div algorithm=new-browsing-context-changes>
+  Modify the [=create a new browsing context and document=] algorithm. Rewrite step 7 to read:
+
+  7. Let <var ignore>permissionsPolicy</var> be the result of [=Create a Permissions Policy for a
+    navigable|creating a permissions policy=] given <var ignore>embedder</var>,
+    <var ignore>origin</var>, and null.
+
+  Note: This change is made in addition to the changes to [=create a new browsing context and
+  document=] outlined in [[#creating-browsing-contexts-patch]].
+</div>
+
+<div algorithm=attempt-populate-history-patches>
+  Modify [[HTML]]'s [=attempt to populate the history entry's document=] algorithm. Add a step
+  before the step inside the [=queue a task|queued task=] starting with "If
+  |failure| is true, then:" that reads:
+
+  8. Otherwise, if the result of [=Should navigation response to navigation request be blocked by
+    Permissions Policy?=] given |navigationParams|'s [=request=],
+    |navigationParams|'s [=response=], and <var ignore>navigable</var> is "`Blocked`", then set
+    |failure| to true.
+</div>
+
+<div algorithm=permissions-policy-block-request>
+  Create a new algorithm called <dfn>Should navigation response to navigation request be blocked by
+  Permissions Policy?</dfn> in [[!HTML]].
+
+  Given a [=response=] (|response|), a [=request=] (|request|), and a [=navigable=] (|navigable|),
+  this algorithm returns `Blocked` or `Allowed`:
+
+  1. If |navigable| is not a [=fenced navigable container/fenced navigable=], then return `Allowed`.
+
+  2. Let |required permissions to load| be the |navigable|'s [=navigable/fenced frame config
+     instance=]'s [=fenced frame config instance/required permissions to load=].
+
+  3. Let |inherited policy| be |request|'s [=request/client=]'s
+     [=environment/target browsing context=]'s [=browsing context/active document=]'s
+     [=Document/permissions policy=]'s [=inherited policy=].
+
+  4. Let |origin| be |response|'s [=response/url=]'s [=url/origin=].
+
+  5. [=list/For each=] |permission| of |required permissions to load|:
+
+    1. If |permission| does not exist in |inherited policy|, and |permission|'s
+       [=default allowlist=] is not "`*`", return "`Blocked`".
+
+    2. Otherwise, if the allowlist at |inherited policy|[|permission|] does not
+       [=permissions/matches|match=] |origin|, return "`Blocked`".
+
+  6. Return "`Allowed`."
+</div>