Add Feature Policy for workers

[odejesush]

This change adds steps for initializing workers with a Feature Policy
inherited from the owner documents.

[yoavweiss]

@odejesush Could you join the WICG to appease the IPR bots? Thanks!

[odejesush]

Thank you. I thought that the issue was that my GitHub account was not linked to my W3C account.

[yoavweiss]

@odejesush potentially both, but joining is the first step

[odejesush]

All right, I think that my account should be good to go. I'm part of the WICG and my GitHub account is linked. Thanks @yoavweiss

[annevk]

I don't think we should be inheriting policies. They should declare their own. See also w3c/webappsec-csp#336.

cc @wanderview

[wanderview]

Thanks @annevk. I think what I wrote in w3c/webappsec-csp#336 (comment) would apply here as well. Just my opinion, of course, though.

I would really like us to define some over-arching design guidelines for how inheritance should work in the web platform. For example, origin/policies are inherited via local URLs like blob:, etc. Clients (iframes/workers/etc) with a unique URL get their own origin/policies irrespective from their parent. Having every API do their own thing makes for a very confusing API and brittle implementation.

I think at TPAC it was suggested we could request some guidance from the w3c TAG on this architectural issue.

[clelland]

I would certainly be more comfortable with shared workers, especially, having to declare their own policies, rather than being inheriting from the page which happens to create them first.

I used to believe that dedicated workers needed to be considered subresources, but the TPAC discussions managed to convince me that it's better to be consistent and treat all workers as separate resources.

(The jury's still out on worklets, though :) )

[odejesush]

Thank you for the heads up on the discussion around this @annevk and @wanderview. I subscribed to the linked issue to follow it further.