We'd like to ship a subset of Feature Policy in order to simplify permission requests and make third-party embeddees less capable by default. Here's an enumeration of the things that need to be completed, please feel free to add blocking bugs as required:

1. `allow` attribute implementation with agreed upon processing model. See discussion at the end of https://github.com/w3c/webappsec-feature-policy/issues/230 for potentially drastically simplifying this.
1. Disable camera/microphone/geolocation by default in third-party embeddees (screensharing was not discussed, but mentioned in the bug Tom filed; needs a decision). And support for these permissions (and no others) in the `allow` attribute.
1. Integration with permissions API and WebRTC `enumerateDevices()` API for the supported features.
1. Simplification of the UX dialogs to only contain the top-level embedder origin.
1. Test coverage. In particular for all the web-exposed bits.

(If you're wondering about notifications, see bug 1560741.)

Bug 1572461 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

We'd like to ship a subset of Feature Policy in order to simplify permission requests and make third-party embeddees less capable by default. Here's an enumeration of the things that need to be completed, please feel free to add blocking bugs as required:

1. `allow` attribute implementation with agreed upon processing model. See discussion at the end of https://github.com/w3c/webappsec-feature-policy/issues/230 for potentially drastically simplifying this.
1. Disable camera/microphone/geolocation by default in third-party embeddees (screensharing was not discussed, but mentioned in the bug Tom filed; similar for fullscreen; we should probably support those as well). And support for these permissions (and no others) in the `allow` attribute.
1. Integration with permissions API and WebRTC `enumerateDevices()` API for the supported features.
1. Simplification of the UX dialogs to only contain the top-level embedder origin.
1. Test coverage. In particular for all the web-exposed bits.
1. A blog post summarizing this change to give developers the opportunity to adapt their sites.

(If you're wondering about notifications, see bug 1560741.)