From 31b087cd1cb6015ec9200d0f4e54aaa8da11e2b4 Mon Sep 17 00:00:00 2001 From: Eric Portis Date: Thu, 16 May 2019 06:40:57 -0700 Subject: [PATCH 1/6] First stab at -delivery --- index.bs | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 25cf1b84..17b7cf36 100644 --- a/index.bs +++ b/index.bs @@ -231,7 +231,7 @@ spec:reporting; urlPrefix: https://w3c.github.io/reporting/

Header policies

A header policy is a list of policy directives - delivered via an HTTP header with a document. This forms the document's + delivered via an HTTP header with a document, or a . This forms the document's feature policy's declared policy.
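Review bot: the added wording "delivered via an HTTP header with a document, or a ." has no noun after "or a" in the line shown, and it widens the definition of header policy beyond delivery by HTTP header. Keep this definition header-only and give the second delivery mechanism its own term in the new section, so that text referring to a "header policy" stays unambiguous.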

@@ -424,6 +424,55 @@ spec:reporting; urlPrefix: https://w3c.github.io/reporting/
+
+

+ The `` element +

+ + A {{Document}} may deliver a policy via one or more HTML <{meta}> elements + whose <{meta/http-equiv}> attributes are an ASCII case-insensitive + match for the string "`Feature-Policy`". For example: + +
+
+        <meta http-equiv="Feature-Policy" content="fullscreen 'none'; geolocation 'none'">
+      
+
+ + Implementation details can be found in HTML's Feature Policy state + `http-equiv` processing instructions [[!HTML]]. + + Authors are strongly encouraged to place <{meta}> elements as early + in the document as possible, because policies in <{meta}> elements are not + applied to content which precedes them. + +
+ + For example, a script tag that preceded a <meta>-delivered policy + directive of `sync-xhr ‘none’` would still be able to call + `XMLHttpRequest.open()`. + +
+        <script>
+          var req = new XMLHttpRequest();
+          req.open("GET", "/api/security_check.json", false);
+          req.send();
+        </script>
+
+        <meta http-equiv="Feature-Policy" content="sync-xhr ‘none">
+      
+ + In the above, the call to req.open will succeed, because the policy + disabling sync-xhr occurs after it, in the markup. + +
+ + Note: A policy specified via a <{meta}> element will be enforced along with any other policies active, regardless of where they're specified. However, once a specific Feature Policy directive has been set by way of an HTTP header or <{meta}> element, that directive cannot be further updated or changed. + + + Note: Modifications to the <{meta/content}> attribute of a <{meta}> element after the element has been parsed will be ignored. + +

Policy Introspection from Scripts
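Review bot: the first Note at the end of the added section states that a directive already set by an HTTP header or a meta element "cannot be further updated or changed", but nothing in this hunk defines that behaviour; the section only points to HTML's http-equiv processing. This rule is what prevents a later meta element from widening an allowlist set earlier, so it should be a normative algorithm step that the Note then summarizes, not a Note on its own.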

From f79b1a804b929aefdb6d11263dd5d0ab3b7ab027 Mon Sep 17 00:00:00 2001 From: Eric Portis Date: Thu, 30 May 2019 06:03:46 -0700 Subject: [PATCH 2/6] =?UTF-8?q?Add=20"Merge=20a=20new=20declared=20policy?= =?UTF-8?q?=20into=20document=E2=80=99s=20existing=20Feature=20Policy"=20a?= =?UTF-8?q?lgorithm?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- index.bs | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/index.bs b/index.bs index 6fb8700f..2e21ff43 100644 --- a/index.bs +++ b/index.bs @@ -1138,6 +1138,40 @@ partial interface HTMLIFrameElement {
  • Otherwise, return false.
  • +
    +

    Merge a new declared policy into document's existing Feature Policy

    + +

    Given a [=declared policy=] (new declared policy) and a Document + (document), this algorithm updates document's already-initialized Feature Policy.

    +
      +
    1. If document does not have a Feature Policy, abort these steps.
    2. +
    3. Let inherited policy be document's Feature + Policy's inherited policy.
    4. +
    5. Let existing declared policy be document's Feature + Policy's declared policy
    6. +
    7. Let resulting declared policy be a new ordered map.
    8. +
    9. For each featureallowlist of existing declared policy: +
        +
      1. Set resulting declared policy[feature] to + allowlist.
      2. +
      +
    10. +
    11. For each featureallowlist of new declared policy: +
        +
      1. If inherited policy[feature] is true, then + set resulting declared policy[feature] to + allowlist.
      2. +
      +
    12. +
    13. Let policy be a new feature policy, with inherited + policy inherited policy and declared policy resulting declared + policy. +
    14. +
    15. Set document’s feature policy to policy. +
    16. +
    +
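Review bot: the second loop sets resulting declared policy[feature] to the new allowlist whenever inherited policy[feature] is true, even when existing declared policy already has an entry for that feature, so a later declaration replaces an earlier one. That conflicts with the Note added in 1/6 that a directive, once set, cannot be updated or changed. Add a check that resulting declared policy does not already contain feature before setting it. The "Let existing declared policy be ..." step is also missing its final period.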
    From 24495e410d88adf9884e532fe8cdfb2710197314 Mon Sep 17 00:00:00 2001 From: Eric Portis Date: Fri, 31 May 2019 12:26:21 -0700 Subject: [PATCH 3/6] Tweaks --- index.bs | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/index.bs b/index.bs index 2e21ff43..96644173 100644 --- a/index.bs +++ b/index.bs @@ -451,7 +451,7 @@ spec:reporting; urlPrefix: https://w3c.github.io/reporting/
    - For example, a script tag that preceded a <meta>-delivered policy + For example, a script tag that preceded a <{meta}>-delivered policy directive of `sync-xhr ‘none’` would still be able to call `XMLHttpRequest.open()`. @@ -465,8 +465,8 @@ spec:reporting; urlPrefix: https://w3c.github.io/reporting/ <meta http-equiv="Feature-Policy" content="sync-xhr ‘none"> - In the above, the call to req.open will succeed, because the policy - disabling sync-xhr occurs after it, in the markup. + In the above, the call to `req.open` will succeed, because the policy + disabling `sync-xhr` occurs after it, in the markup.
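Review bot: the example's quoting is still malformed after these tweaks. The lines this patch leaves or re-adds keep `sync-xhr ‘none’` with typographic quotes and `content="sync-xhr ‘none">` with an opening quote that is never closed. Since the example is being touched anyway, switch both to ASCII single quotes, balanced, as in the first example's `fullscreen 'none'`.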
    From aba86ca4d587716541f7d66a1470099c20c03872 Mon Sep 17 00:00:00 2001 From: Eric Portis Date: Fri, 31 May 2019 12:26:29 -0700 Subject: [PATCH 4/6] =?UTF-8?q?Revert=20"Add=20"Merge=20a=20new=20declared?= =?UTF-8?q?=20policy=20into=20document=E2=80=99s=20existing=20Feature=20Po?= =?UTF-8?q?licy"=20algorithm"?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit f79b1a804b929aefdb6d11263dd5d0ab3b7ab027. --- index.bs | 34 ---------------------------------- 1 file changed, 34 deletions(-) diff --git a/index.bs b/index.bs index 96644173..07f5888e 100644 --- a/index.bs +++ b/index.bs @@ -1138,40 +1138,6 @@ partial interface HTMLIFrameElement {
  • Otherwise, return false.
  • -
    -

    Merge a new declared policy into document's existing Feature Policy

    - -

    Given a [=declared policy=] (new declared policy) and a Document - (document), this algorithm updates document's already-initialized Feature Policy.

    -
      -
    1. If document does not have a Feature Policy, abort these steps.
    2. -
    3. Let inherited policy be document's Feature - Policy's inherited policy.
    4. -
    5. Let existing declared policy be document's Feature - Policy's declared policy
    6. -
    7. Let resulting declared policy be a new ordered map.
    8. -
    9. For each featureallowlist of existing declared policy: -
        -
      1. Set resulting declared policy[feature] to - allowlist.
      2. -
      -
    10. -
    11. For each featureallowlist of new declared policy: -
        -
      1. If inherited policy[feature] is true, then - set resulting declared policy[feature] to - allowlist.
      2. -
      -
    12. -
    13. Let policy be a new feature policy, with inherited - policy inherited policy and declared policy resulting declared - policy. -
    14. -
    15. Set document’s feature policy to policy. -
    16. -
    -
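Review bot: the commit message names the reverted commit but gives no reason for dropping the algorithm. Add a sentence saying what was wrong with it or what replaces it, since after this commit the series has no merge step at all until 5/6.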
    From 4dcdb5bbddb63388c1f6f09224f4ad3b3bb8baa7 Mon Sep 17 00:00:00 2001 From: Eric Portis Date: Fri, 31 May 2019 13:23:36 -0700 Subject: [PATCH 5/6] Add "Merge two declared policies" algorithm. --- index.bs | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/index.bs b/index.bs index 07f5888e..45fbc12a 100644 --- a/index.bs +++ b/index.bs @@ -1138,6 +1138,26 @@ partial interface HTMLIFrameElement {
  • Otherwise, return false.
  • +
    +

    Merge two declared policies

    +

    Given two declared policies, existing policy and new policy, this algorithm returns a single, merged declared policy.

    +
      +
    1. Let merged policy be a copy of existing policy.
    2. +
    3. For each featureallowlist of new policy: +
      1. If merged policy does not contain an allowlist for feature, then set merged policy[feature] to allowlist. +
      +
    4. +
    5. Return merged policy.
    6. +
    +
    +

    This isn't all that different from Merge directive with declared policy, except that: +

    +

    So I guess, given that, does this really need to exist as a separate algorithm?

    +
    +
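Review bot: the paragraph after the algorithm is an open question to reviewers ("does this really need to exist as a separate algorithm?") sitting in the spec text, and the sentence before it stops at "except that:" with no items in the lines shown. Settle this before landing: either fold the "does not contain an allowlist for feature" check into Merge directive with declared policy, or keep this algorithm and replace the question with the list of differences.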
    From e3cc937953526284cf287acd6aa7ee55f4bc8b9e Mon Sep 17 00:00:00 2001 From: Eric Portis Date: Fri, 31 May 2019 13:51:58 -0700 Subject: [PATCH 6/6] Oops --- index.bs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/index.bs b/index.bs index 45fbc12a..029cf2ce 100644 --- a/index.bs +++ b/index.bs @@ -231,7 +231,7 @@ spec:reporting; urlPrefix: https://w3c.github.io/reporting/

    Header policies

    A header policy is a list of policy directives - delivered via an HTTP header with a document, or a . This forms the document's + delivered via an HTTP header with a document. This forms the document's feature policy's declared policy.
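Review bot: this only undoes the ", or a ." wording that 1/6 added to the header policy definition. Squash it into 1/6 so the series never carries the broken sentence, or at least replace the subject "Oops" with one that names the change.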