Open Bug 1442689 Opened 7 years ago Updated 7 months ago

Restrict usage of synchronous XMLHttpRequest by feature policy

Categories

(Core :: DOM: Networking, enhancement, P3)

Tracking

(ASSIGNED)

People

(Reporter: iclelland, Assigned: twisniewski)

References

(Blocks 2 open bugs)

Details

(Keywords: dev-doc-needed, site-compat, Whiteboard: [necko-triaged])

Attachments

(1 file, 1 obsolete file)

XMLHttpRequest objects can have their behavior controlled by feature policy (https://github.com/whatwg/xhr/pull/177, not merged yet).

If the policy in the active document disallows the 'sync-xhr' feature, then calling .send() on the XMLHttpRequest object should throw a NetworkError (and ideally log a message to the developer console).

Demo: https://xhr.featurepolicy.rocks/

GitHub issue: https://github.com/whatwg/xhr/issues/178

Web Platform Tests: https://wpt.fyi/xhr/xmlhttprequest-sync-default-feature-policy.sub.html
Status: UNCONFIRMED → NEW
Depends on: 1390801
Ever confirmed: true
Priority: -- → P3
See Also: 1390801
Component: DOM → DOM: Core & HTML
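The behaviour the description asks for, as an added example that is not part of this bug, the Firefox patch or the XHR spec: a simplified model that parses a document's Feature-Policy header and refuses a synchronous send() with a NetworkError when 'sync-xhr' is not allowed. It assumes the "feature allowlist; feature allowlist" header syntax, that an empty allowlist means 'none', that 'self' refers to the top-level document's origin, and a default allowlist of '*' for sync-xhr (the "sync-default" case the linked WPT covers).

```javascript
// Simplified model of feature-policy gating for synchronous XMLHttpRequest.
// Assumptions (not taken from the bug or the spec): header syntax
// "feature allowlist; feature allowlist", allowlist tokens '*', 'none',
// 'self' or explicit origins, empty allowlist == 'none', and sync-xhr
// defaulting to '*' (allowed everywhere) when the header does not mention it.

const DEFAULT_ALLOWLISTS = { 'sync-xhr': ['*'] };

// Parse a Feature-Policy header value into { feature: [allowlist tokens] }.
function parseFeaturePolicy(header) {
  const policy = {};
  for (const directive of header.split(';')) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature) continue;
    policy[feature] = allowlist.length ? allowlist : ["'none'"]; // assumption: empty == 'none'
  }
  return policy;
}

// Can a document at docOrigin use `feature`, given the policy declared by the
// top-level document at topOrigin? Unlisted features use their default allowlist.
function isFeatureAllowed(policy, feature, docOrigin, topOrigin) {
  const allowlist = policy[feature] || DEFAULT_ALLOWLISTS[feature] || ["'none'"];
  if (allowlist.includes('*')) return true;
  if (allowlist.includes("'none'")) return false;
  if (allowlist.includes("'self'") && docOrigin === topOrigin) return true;
  return allowlist.includes(docOrigin);
}

// Stand-in for the NetworkError DOMException that send() is expected to throw.
const networkError = typeof DOMException === 'function'
  ? (msg) => new DOMException(msg, 'NetworkError')
  : (msg) => Object.assign(new Error(msg), { name: 'NetworkError' });

// Model of XMLHttpRequest.send() on a request opened with async = false.
function sendSyncXhr(policy, docOrigin, topOrigin) {
  if (!isFeatureAllowed(policy, 'sync-xhr', docOrigin, topOrigin)) {
    // The bug also asks for a developer-console message alongside the exception.
    console.warn(`Synchronous XMLHttpRequest blocked by feature policy in ${docOrigin}`);
    throw networkError('Synchronous XMLHttpRequest is disallowed by feature policy');
  }
  return 'sent';
}

// Convenience wrapper for callers that want an outcome instead of an exception.
function syncXhrOutcome(header, docOrigin, topOrigin) {
  try {
    return sendSyncXhr(parseFeaturePolicy(header), docOrigin, topOrigin);
  } catch (e) {
    if (e.name === 'NetworkError') return 'blocked';
    throw e;
  }
}
```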
Attached patch patch (do not land).diff (obsolete)

It seems we're not likely to move on this anytime soon, but I figured I might as well attach my patch here just in case.

This feature won't be supported in the allow attribute. It will instead be part of something called "Document Policies", see https://github.com/w3c/webappsec-feature-policy/blob/master/document-policy-explainer.md. This is still under design so not really ready for implementation.

Keywords: site-compat
Severity: normal → S3

Comment on attachment 9050633, patch (do not land).diff

Given that feature policy hasn't budged in four years, is still preffed off in Firefox by default, and the other browsers have been passing the WPTs... I don't see any reason why we shouldn't just implement this in case we turn on the pref at some point. I'll post a fresh patch shortly.

Attachment #9050633 - Attachment is obsolete: true
Assignee: nobody → twisniewski
Status: NEW → ASSIGNED
Blocks: 1528800
Component: DOM: Core & HTML → DOM: Networking
Severity: S3 → N/A
Whiteboard: [necko-triaged]