add none as an allowed default #515
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Jul 10, 2023
This is described in w3c/webappsec-permissions-policy#515 . It is not added as an available default in the json config as we don't want anyone using it yet. Bug: 1432116 Change-Id: I41f33eb1b4fa212a0420d41e6b950a5a4fe6ade5 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4565116 Reviewed-by: Ian Clelland <[email protected]> Commit-Queue: Fergal Daly <[email protected]> Cr-Commit-Position: refs/heads/main@{#1168046}
clelland
reviewed
Jun 28, 2024
| @@ -393,6 +393,17 @@ spec: RFC8941; urlPrefix: https://datatracker.ietf.org/doc/html/rfc8941# | |||
| by default in [=child navigables=] whose [=navigable/active | |||
| document|document=] is cross-origin with its [=navigable/parent=]'s | |||
| [=navigable/active document|document=].</dd> | |||
| <dt><dfn for="default allowlist" export><code>none</code></dfn></dt> | |||
| <dd>The feature is not allowed in {{Document}}s in [=/top-level | |||
| traversables=] by default, as well as those in all [=child | |||
There was a problem hiding this comment.
The "as well as" here feels like it should refer to a previous positive statement -- maybe this sentence should be
By default, the feature is not allowed in Documents in top-level traversables, nor is it allowed in child navigables.
| 1. If |feature|'s <a>default allowlist</a> is <code>'self'</code>, and | ||
| |origin| is [=same origin=] with |document origin|, return | ||
| "<code>Enabled</code>". | ||
| 1. If |document| is a headerless document, return "<code>Enabled</code>". |
There was a problem hiding this comment.
What about defining (somewhere else in the doc):
A document is a <dfn>headerless document<dfn> if any of the following conditions are true:
* Its [=Document/URL=] [=matches about:blank=]
* Its [=Document/URL=] [=matches about:srcdoc=]
* Its [=Document/URL=]'s [=scheme=] is 'data'
And we can add additional cases as we find them. This might also be a good candidate for export to HTML if it turns out to be generally useful.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add
noneas a new possible default allowlist.Surprisingly, I don't think this requires any updates to the algorithms as the updates would be to "Define an inherited policy for feature in container at origin" and "Is feature enabled in document for origin?" would both just be adding "If feature’s default allowlist is None, return "Disabled"." where we are going to return "Disabled" anyway.
Maybe we should add these conditions anyway, to make it explicit. Up to you.
Fixes #513
@clelland
Preview | Diff