Introduce 2 new pref for FeaturePolicy
Categories
(Core :: DOM: Security, enhancement)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox65 | --- | fixed |
People
(Reporter: baku, Assigned: baku)
Details
(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1] [domsecurity-active])
Attachments
(2 files)
8.54 KB, patch | ckerschb: review+
8.68 KB, patch | ckerschb: review+
dom.security.featurePolicy.header.enabled pref controls the use of the FeaturePolicy header. dom.security.featurePolicy.webidl.enabled pref is about exposing the document.policy and HTMLIFrameElement.policy attributes.
Comment 3•6 years ago
Comment on attachment 9025110 part 1 - header
Review of attachment 9025110:
-----------------------------------------------------------------
yeah that looks solid - thanks for adding that pref!
Comment 4•6 years ago
Comment on attachment 9025111 part 2 - webidl
Review of attachment 9025111:
-----------------------------------------------------------------
Same for this patch. Thanks for adding those baku!
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fc44465829e8
dom.security.featurePolicy.header.enabled pref controls the using of FeaturePolicy header, r=ckerschb
https://hg.mozilla.org/integration/mozilla-inbound/rev/fe8a06f7a6b5
dom.security.featurePolicy.webidl.enabled pref controls the exposing of document.policy and HTMLIFrameElement.policy attributes, r=ckerschb
Comment 6•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/fc44465829e8
https://hg.mozilla.org/mozilla-central/rev/fe8a06f7a6b5
Comment 8•5 years ago
Note to the MDN writer's team: This shouldn't go in the rel notes, as it is not enabled by default. However, if feature-policy can now be turned on using prefs, then we should indicate this in the browser compat data —> supported in 65, but behind pref?
Comment 9•5 years ago
Sure, like Chrome did in our docs, we can add the preference info to our compat tables:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy#Browser_compatibility
:baku, can you let me know which directives are now supported behind the "dom.security.featurePolicy.header.enabled" pref?
And then for the API tables, I would add "dom.security.featurePolicy.webidl.enabled" here:
https://developer.mozilla.org/en-US/docs/Web/API/Document/policy#Browser_compatibility
https://developer.mozilla.org/en-US/docs/Web/API/HTMLIframeElement/policy#Browser_compatibility
Does that sound good to you?
Assignee
Comment 10•5 years ago
> :baku, can you let me know which directives are now supported behind the "dom.security.featurePolicy.header.enabled" pref?
Enabling that pref, we support the parsing of Feature-Policy HTTP header as the spec says here:
https://w3c.github.io/webappsec-feature-policy/#parse-header
The parser of the HTTP header and the HTMLIFrameElement allow attribute is the same. The list of supported features is the same (see here: https://searchfox.org/mozilla-central/rev/b29663c6c9c61b0bf29e8add490cbd6bad293a67/dom/security/featurepolicy/FeaturePolicyUtils.cpp#28-39)
The only difference between HTTP header and HTMLIFrameElement is that 'src' is only supported in the latter.
> Does that sound good to you?
Yes.
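
The difference comment 10 describes between the header and the iframe allow attribute, as an added example that is not part of this bug thread and not Gecko's code: one simplified parser serves both inputs, and 'src' resolves to an origin only when a frame origin is supplied. The RECOGNIZED set, the function name and the example origins are assumptions made for this sketch, and it handles a single policy string (no comma-separated header values).

```javascript
// Added illustration: simplified Feature-Policy directive parser (not Gecko's code).
// RECOGNIZED is a sample set chosen for this example, not Gecko's supported-feature list.
const RECOGNIZED = new Set(["camera", "geolocation", "fullscreen"]);

// value:      header value or iframe `allow` attribute string
// selfOrigin: origin of the document declaring the policy
// srcOrigin:  origin of the iframe's src; pass it only for the `allow` attribute
function parsePolicy(value, selfOrigin, srcOrigin = null) {
  const policy = new Map();
  for (const declaration of value.split(";")) {
    const tokens = declaration.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...targets] = tokens;
    if (!RECOGNIZED.has(feature)) continue; // unknown feature names are ignored
    if (targets.includes("*")) {
      policy.set(feature, "*");
      continue;
    }
    const allowlist = new Set();
    // An empty list in an `allow` attribute defaults to the frame's own origin.
    if (targets.length === 0 && srcOrigin) allowlist.add(srcOrigin);
    for (const target of targets) {
      const keyword = target.toLowerCase();
      if (keyword === "'none'") continue; // contributes no origin
      if (keyword === "'self'") {
        allowlist.add(selfOrigin);
      } else if (keyword === "'src'") {
        // Only meaningful for an iframe; in a header it matches nothing.
        if (srcOrigin) allowlist.add(srcOrigin);
      } else {
        try {
          const origin = new URL(target).origin;
          if (origin !== "null") allowlist.add(origin); // skip opaque origins
        } catch {
          // not a parsable URL: the token is dropped
        }
      }
    }
    policy.set(feature, [...allowlist].sort());
  }
  return policy;
}
```

A feature whose allowlist comes back empty is disabled for every origin, which is what a stray 'src' in a response header produces here.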