HTML <meta>-delivery #313
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -231,7 +231,7 @@ spec:reporting; urlPrefix: https://w3c.github.io/reporting/ | |
| <section> | ||
| <h3 id="header-policies">Header policies</h3> | ||
| <p>A <dfn>header policy</dfn> is a list of <a>policy directives</a> | ||
| delivered via an HTTP header with a document, or a . This forms the document's | ||
| <a>feature policy</a>'s <a>declared policy</a>.</p> | ||
| </section> | ||
| <section> | ||
|
|
@@ -427,6 +427,55 @@ spec:reporting; urlPrefix: https://w3c.github.io/reporting/ | |
| </div> | ||
| </section> | ||
| </section> | ||
| <section> | ||
| <h3 id="meta-element"> | ||
| The `<meta>` element | ||
| </h3> | ||
|
|
||
| A {{Document}} may deliver a policy via one or more HTML <{meta}> elements | ||
| whose <{meta/http-equiv}> attributes are an <a>ASCII case-insensitive</a> | ||
| match for the string "`Feature-Policy`". For example: | ||
|
|
||
| <div class="example"> | ||
| <pre highlight="html"> | ||
| <meta http-equiv="Feature-Policy" content="fullscreen 'none'; geolocation 'none'"> | ||
| </pre> | ||
| </div> | ||
|
|
||
| Implementation details can be found in HTML's <a>Feature Policy state</a> | ||
| `http-equiv` processing instructions [[!HTML]]. | ||
|
|
||
| Authors are <em>strongly encouraged</em> to place <{meta}> elements as early | ||
| in the document as possible, because policies in <{meta}> elements are not | ||
| applied to content which precedes them. | ||
|
|
||
| <div class="example"> | ||
|
|
||
| For example, a script tag that preceded a <meta>-delivered policy | ||
| directive of `sync-xhr ‘none’` would still be able to call | ||
| `XMLHttpRequest.open()`. | ||
|
|
||
| <pre highlight="html"> | ||
| <script> | ||
| var req = new XMLHttpRequest(); | ||
| req.open("GET", "/api/security_check.json", false); | ||
| req.send(); | ||
| </script> | ||
|
|
||
| <meta http-equiv="Feature-Policy" content="sync-xhr ‘none"> | ||
| </pre> | ||
|
|
||
| In the above, the call to req.open will succeed, because the policy | ||
| disabling sync-xhr occurs after it, in the markup. | ||
|
|
||
| </div> | ||
|
|
||
| Note: A policy specified via a <{meta}> element will be enforced along with any other policies active, regardless of where they're specified. However, once a specific Feature Policy directive has been set by way of an HTTP header or <{meta}> element, that directive cannot be further updated or changed. | ||
| <!--TODO this is first wins. do we want last wins? --> | ||
|
There was a problem hiding this comment. How multiple There was a problem hiding this comment. I don't think that's possible as they are parsed independently. If you start a quoted string in one and end inside a There was a problem hiding this comment. Good point :) A That's also necessary because it would be encountered after create a new browsing context has already initialized the document's policy (unless we specify that it interacts with the preload scanner somehow, but I think there is legitimate hesitancy to adding more dependencies on that). There was a problem hiding this comment.
I think you're probably interpreting me too literally. I just meant that each More generally, it seems bad that CSP and Feature-Policy as specifying so many details for There was a problem hiding this comment. Well, for starters there's disagreement on whether we should add more Then, the value-space is different, headers contain bytes, attribute values contain strings. Then, headers can be parsed as a single-block (and ideally combined, then parsed), elements are typically parsed case-by-case. There are some reusable bits there, but all of it requires quite a bit of care. And then, for consistency across |
||
|
|
||
| Note: Modifications to the <{meta/content}> attribute of a <{meta}> element after the element has been parsed will be ignored. | ||
|
|
||
|
There was a problem hiding this comment. What about adding a new There was a problem hiding this comment. This language doesn't say anything about what happens when new elements are inserted. As I plan to re-use as much of the specific HTML processing step language from CSP as possible, I expect that the behavior will be similar. Because FP is more about client side behavior, and less about loading/blocking resources, I don't expect that pattern to be as common here, as it is with CSP. That said, if we do expect it to be a common pattern, it may merit a mention in this high-level-guideline-y, non-normative bit of text. Thoughts? |
||
| </section> | ||
| </section> | ||
| <section> | ||
| <h2 id="introspection">Policy Introspection from Scripts</h2> | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it important to mention that the
<meta charset>should be set before<meta http-equiv>s? I asked the same thing in w3c/webappsec-csp#387.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good question, and thanks for the heads up. I'll plan to monitor the conversation there and copy any changes over.