Open Bug 1499422 Opened 4 years ago Updated 3 years ago

fullscreen and payment features should have 'self' as default value

Categories: Core :: DOM: Security
Type: enhancement
Priority: Not set
Severity: normal
Status: ASSIGNED
People: Reporter: baku, Assigned: baku
Whiteboard: [domsecurity-backlog1] [domsecurity-active]
Attachments: 1 file

We currently use 'all' as default value for FeaturePolicy, but this is against allowfullscreen and allowpayment attributes. This bug is about fixing it.
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog1] [domsecurity-active]
Attached patch self.patch
I also removed a TODO comment, because we are not going to implement allowusermediarequest. See bug 1498142.
Attachment #9017583 - Flags: review?(bugs)
Comment on attachment 9017583 (self.patch)

So this doesn't change geolocation, but the bug is about geolocation.

Also, why doesn't this cause any test changes? I would have expected that without this patch fullscreen was (incorrectly) enabled in cross-origin iframes, since that is what * is about, no?
Attachment #9017583 - Flags: review?(bugs) → review-
Summary: fullscreen and geolocation features should have 'self' as default value → fullscreen and payment features should have 'self' as default value
> So this doesn't change geolocation, but the bug is about geolocation.

Right. My fault. I meant 'payment'. geolocation is currently allowed everywhere via permission, after prompting.

> Also, why doesn't this cause any test changes? I would have expected that
> without this patch fullscreen was (incorrectly) enabled in cross-origin
> iframes, since that is what * is about, no?

For 2 reasons:

1. all the tests use allowpaymentrequest and allowfullscreen. This grants the use of these 2 permissions everywhere.
2. the default allowlist is not covered by WPT because each browser can have different policies.
Flags: needinfo?(bugs)
Flags: needinfo?(bugs)
Attachment #9017583 - Flags: review- → review+
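A simplified model of the behaviour the reviewer asks about, as an added example that is not part of this bug or of Firefox's Feature Policy code: with a '*' default a cross-origin iframe gets fullscreen without any attribute, with 'self' it needs allowfullscreen (or an allow declaration), so tests that always set those attributes pass either way. The policy tables, origins and the attribute parsing below are constructed assumptions, not the real implementation.

```javascript
// Constructed default allowlists: '*' = available in every frame,
// 'self' = available only in frames same-origin with the parent.
const DEFAULTS_BEFORE_FIX = { fullscreen: "*", payment: "*" };
const DEFAULTS_AFTER_FIX = { fullscreen: "self", payment: "self" };

// Parse allow="fullscreen 'self' https://a.example; payment *" into a Map
// from feature name to its list of allowlist tokens (assumed syntax).
function parseAllowAttribute(allow) {
  const result = new Map();
  for (const decl of allow.split(";")) {
    const [feature, ...values] = decl.trim().split(/\s+/).filter(Boolean);
    if (feature) result.set(feature, values.length ? values : ["'src'"]);
  }
  return result;
}

// frame = { origin, allow, allowfullscreen, allowpaymentrequest }
// Returns whether `feature` is usable inside the iframe. Real policy
// inheritance also requires the parent document itself to have the feature;
// that step is omitted here to keep the default-allowlist effect visible.
function featureAllowedInFrame(feature, defaults, parentOrigin, frame) {
  const declared = parseAllowAttribute(frame.allow || "");
  let allowlist = declared.get(feature);
  // Legacy attributes act like allow="fullscreen 'src'" / allow="payment 'src'".
  if (!allowlist && feature === "fullscreen" && frame.allowfullscreen) allowlist = ["'src'"];
  if (!allowlist && feature === "payment" && frame.allowpaymentrequest) allowlist = ["'src'"];
  if (!allowlist) {
    // Nothing declared on the iframe: the feature's default allowlist decides.
    return defaults[feature] === "*" || frame.origin === parentOrigin;
  }
  return allowlist.some(v =>
    v === "*" ||
    v === "'src'" ||                                     // the iframe's own origin
    (v === "'self'" && frame.origin === parentOrigin) || // the parent's origin
    v === frame.origin);                                 // an explicit origin
}

// Cross-origin frame, no attributes: allowed under the old '*' default,
// denied once the default is 'self'.
const crossOrigin = { origin: "https://other.example" };
console.log(featureAllowedInFrame("fullscreen", DEFAULTS_BEFORE_FIX, "https://parent.example", crossOrigin));
console.log(featureAllowedInFrame("fullscreen", DEFAULTS_AFTER_FIX, "https://parent.example", crossOrigin));
```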
This depends on the result of the discussion here: https://github.com/WICG/feature-policy/issues/233
Landing suspended.

There's an r+ patch which didn't land and no activity in this bug for 2 weeks.
:baku, could you have a look please?

Flags: needinfo?(amarchesini)

All the feature-policy patches/bugs are in a frozen state, until we decide what to do with this feature. It's still unclear if we want to ship feature-policy. No reason to fix this bug, at the moment.

Flags: needinfo?(amarchesini)