diff --git a/index.bs b/index.bs index 68082f5..e2838f9 100644 --- a/index.bs +++ b/index.bs @@ -823,6 +823,7 @@ partial interface HTMLIFrameElement { readonly attribute long? lineNumber; readonly attribute long? columnNumber; readonly attribute DOMString disposition; + readonly attribute DOMString? allowAttribute; }; @@ -856,6 +857,11 @@ partial interface HTMLIFrameElement { resulted only in this report being generated (with no further action taken by the user agent in response to the violation). + - allowAttribute: For + reports of potential violations, which can be attributed to a specific + <{iframe}> element, the value of the <{iframe/allow}> attribute of that + element, or omitted otherwise. +

\``Permissions-Policy-Report-Only`\` HTTP Header Field

The \` Given a [=policy-controlled feature|feature=] (|feature|), null or a navigable container - (|container|), and an origin for a {{Document}} in - that container (|origin|), this algorithm returns the [=inherited policy for - a feature|inherited policy value=] for |feature|. + (|container|), an origin for a {{Document}} in + that container (|origin|), and an optional boolean (|report-only|), with + a default value of False, this algorithm returns the [=inherited policy + for a feature|inherited policy value=] for |feature|. 1. If |container| is null, return "Enabled". 1. If the result of executing Get feature value for - origin on |feature|, |container|'s node document, and - |container|'s node document's origin is + origin on |feature|, |container|'s node document, + |container|'s node document's origin, and |report-only| is "Disabled", return "Disabled". 1. If the result of executing Get feature value for - origin on |feature|, |container|'s node document, and - |origin| is "Disabled", return "Disabled". + origin on |feature|, |container|'s node document, |origin|, + and |report-only| is "Disabled", return + "Disabled". 1. Let |container policy| be the result of running Process permissions policy attributes on |container|. 1. If |feature| [=map/exists=] in |container policy|: @@ -1075,10 +1083,12 @@ partial interface HTMLIFrameElement {

Given a [=policy-controlled feature|feature=] (|feature|), a {{Document}} object - (|document|), and an [=origin=] (|origin|), this algorithm - returns "Disabled" if |feature| should be considered - disabled, and "Enabled" otherwise. - 1. Let |policy| be |document|'s [=Document/permissions policy=]. + (|document|), an [=origin=] (|origin|), and a boolean (|report-only|), + this algorithm returns "Disabled" if |feature| should be + considered disabled, and "Enabled" otherwise. + 1. Let |policy| be |document|'s [=Document/report-only permissions + policy=] if |report-only| is True, or |document|'s + [=Document/permissions policy=] otherwise. 1. If |policy|'s inherited policy for |feature| is "Disabled", return "Disabled". 1. If |feature| is present in |policy|'s declared @@ -1180,6 +1190,41 @@ partial interface HTMLIFrameElement {
+
+ ## Check potential violation of permissions policy in container ## {#algo-check-potential-violation-in-container} + +
+ Given a navigable container (|container|), this algorithm sends potential + violation reports. + 1. Let |document| be |container|'s node document. + 2. Let |settings| be |document|'s environment settings + object. + 3. [=set/For each=] supported feature |feature|: + 1. If the result of running Define an inherited + policy for feature in container at origin on |feature|, + |container| and |container|'s declared origin is + "Disabled": + 1. Let |endpoint| be the result of calling Get + the reporting endpoint for a feature given |feature| and + |document|'s [=Document/permissions policy=]. + 2. Call Generate report for potential violation + of permissions policy on settings given |feature|, + |settings|, "Enforce", and |endpoint|. + 2. Else, if the result of running Define an inherited + policy for feature in container at origin on |feature|, + |container|, |container|'s declared origin and True is + "Disabled": + 1. Let |report-only endpoint| be the result of calling Get the reporting endpoint for a feature + given |feature| and |document|'s [=Document/report-only + permissions policy=]. + 2. Call Generate report for potential violation + of permissions policy on settings given |feature|, + |settings|, "Report", and |report-only + endpoint|. + +
+
## Generate report for violation of permissions policy on settings ## {#algo-report-permissions-policy-violation} @@ -1214,6 +1259,42 @@ partial interface HTMLIFrameElement {
+
+ ## Generate report for potential violation of permissions policy on settings ## {#algo-report-potential-permissions-policy-violation} + +
+ Given a [=policy-controlled feature|feature=] (|feature|), an environment settings object + (|settings|), a string (|disposition|), a string-or-null (|endpoint|), and a string-or-null + (|allowAttribute|), this algorithm generates a report about the violation of the + policy for |feature|. + + 1. Let |body| be a new {{PermissionsPolicyViolationReportBody}}, initialized + as follows: + + : [=PermissionsPolicyViolationReportBody/featureId=] + :: |feature|'s string representation. + : [=PermissionsPolicyViolationReportBody/sourceFile=] + :: null + : [=PermissionsPolicyViolationReportBody/lineNumber=] + :: null + : [=PermissionsPolicyViolationReportBody/columnNumber=] + :: null + : [=PermissionsPolicyViolationReportBody/disposition=] + :: |disposition| + : [=PermissionsPolicyViolationReportBody/allowAttribute=] + :: |allowAttribute| + + 1. If the user agent is currently executing script, and can extract the + source file's URL, line number, and column number from |settings|, then + set |body|'s [=PermissionsPolicyViolationReportBody/sourceFile=], + [=PermissionsPolicyViolationReportBody/lineNumber=], and + [=PermissionsPolicyViolationReportBody/columnNumber=] accordingly. + + 1. Execute [=generate and queue a report=] with |body|, + "potential-permissions-policy-violation", |endpoint|, and |settings|. + +
+
## Should request be allowed to use feature? ## {#algo-should-request-be-allowed-to-use-feature} @@ -1261,7 +1342,13 @@ partial interface HTMLIFrameElement { navigationParams's origin, navigationParams's response, and True. And in the same section, in step 10, set the new {{Document}}'s - [=Document/report-only permissions policy=] to |reportOnlyPermissionsPolicy|. + [=Document/report-only permissions policy=] to |reportOnlyPermissionsPolicy|. + + And in the same section, in step 19 before the return, insert the following step: + + 19. If navigationParams's navigable's container is not null, call Check potential violation of permissions policy in + container given navigationParams's navigable's container.