Closed Bug 1507230 Opened Last year Closed Last year

Introduce 2 new prefs for FeaturePolicy

Categories

(Core :: DOM: Security, enhancement)

Tracking

RESOLVED FIXED
mozilla65
Tracking Status
firefox65 --- fixed

People

(Reporter: baku, Assigned: baku)

Details

(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1] [domsecurity-active])

Attachments

(2 files)

dom.security.featurePolicy.header.enabled pref controls the use of the FeaturePolicy header.

dom.security.featurePolicy.webidl.enabled pref is about exposing document.policy and HTMLIFrameElement.policy attributes.
Status: NEW → ASSIGNED
Whiteboard: [domsecurity-backlog1] [domsecurity-active]
Attached patch part 1 - header
Attachment #9025110 - Flags: review?(ckerschb)
Attached patch part 2 - webidl
Attachment #9025111 - Flags: review?(ckerschb)
Comment on attachment 9025110
part 1 - header

Review of attachment 9025110:
-----------------------------------------------------------------

yeah that looks solid - thanks for adding that pref!
Attachment #9025110 - Flags: review?(ckerschb) → review+
Comment on attachment 9025111
part 2 - webidl

Review of attachment 9025111:
-----------------------------------------------------------------

Same for this patch. Thanks for adding those baku!
Attachment #9025111 - Flags: review?(ckerschb) → review+
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fc44465829e8
dom.security.featurePolicy.header.enabled pref controls the using of FeaturePolicy header, r=ckerschb
https://hg.mozilla.org/integration/mozilla-inbound/rev/fe8a06f7a6b5
dom.security.featurePolicy.webidl.enabled pref controls the exposing of document.policy and HTMLIFrameElement.policy attributes, r=ckerschb
https://hg.mozilla.org/mozilla-central/rev/fc44465829e8
https://hg.mozilla.org/mozilla-central/rev/fe8a06f7a6b5
Status: ASSIGNED → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
This might impact documentation.
Keywords: dev-doc-needed
Note to the MDN writer's team:

This shouldn't go in the rel notes, as it is not enabled by default. However, if feature-policy can now be turned on using prefs, then we should indicate this in the browser compat data -> supported in 65, but behind pref?

Sure, like Chrome did in our docs, we can add the preference info to our compat tables:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy#Browser_compatibility

:baku, can you let me know which directives are now supported behind the "dom.security.featurePolicy.header.enabled" pref?

And then for the API tables, I would add "dom.security.featurePolicy.webidl.enabled" here:
https://developer.mozilla.org/en-US/docs/Web/API/Document/policy#Browser_compatibility
https://developer.mozilla.org/en-US/docs/Web/API/HTMLIframeElement/policy#Browser_compatibility

Does that sound good to you?

Flags: needinfo?(amarchesini)

> :baku, can you let me know which directives are now supported behind the "dom.security.featurePolicy.header.enabled" pref?

Enabling that pref, we support the parsing of Feature-Policy HTTP header as the spec says here:

https://w3c.github.io/webappsec-feature-policy/#parse-header

The parser of the HTTP header and the HTMLIFrameElement allow attribute is the same. The list of supported features is the same (see here: https://searchfox.org/mozilla-central/rev/b29663c6c9c61b0bf29e8add490cbd6bad293a67/dom/security/featurepolicy/FeaturePolicyUtils.cpp#28-39)

The only difference between HTTP header and HTMLIFrameElement is that 'src' is only supported in the latter.

> Does that sound good to you?

Yes.

Flags: needinfo?(amarchesini)
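
An added illustration, not part of the bug thread and not Gecko code: a simplified JavaScript reading of the shared parsing step described in the comment above, showing how one routine serves both the Feature-Policy header and the iframe allow attribute, with 'src' honoured only for the attribute. The function name, the SUPPORTED sample list and the example origins are assumptions made for this sketch.

```javascript
// Constructed sample list for illustration only; the real list of supported
// features is in the FeaturePolicyUtils.cpp revision linked in the comment.
const SUPPORTED = new Set(["camera", "fullscreen", "geolocation"]);

// Parse a policy string into Map(feature -> array of allowed origins).
// selfOrigin: origin of the document that declares the policy.
// srcOrigin:  origin of the iframe's src; pass it only when parsing an
//             `allow` attribute. Leaving it undefined models the HTTP
//             header, where 'src' is not supported.
function parsePolicy(value, selfOrigin, srcOrigin) {
  const isAttribute = srcOrigin !== undefined;
  // A header value may hold several comma-separated policies; directives
  // inside one policy are separated by ';'.
  const separator = isAttribute ? /;/ : /[,;]/;
  const policy = new Map();
  for (const directive of value.split(separator)) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const feature = tokens.shift();
    // Unknown features are ignored; the first declaration of a feature wins.
    if (!SUPPORTED.has(feature) || policy.has(feature)) continue;
    const allow = new Set();
    // A bare feature name in an allow attribute defaults to the frame's src.
    if (tokens.length === 0 && isAttribute) allow.add(srcOrigin);
    for (const token of tokens) {
      if (token === "*") { allow.clear(); allow.add("*"); break; }
      if (token === "'none'") continue;
      if (token === "'self'") { allow.add(selfOrigin); continue; }
      if (token === "'src'") {
        if (isAttribute) allow.add(srcOrigin); // dropped for the header
        continue;
      }
      try {
        allow.add(new URL(token).origin);
      } catch {
        // Not an absolute URL (for example an unquoted keyword): drop it.
      }
    }
    policy.set(feature, [...allow]);
  }
  return policy;
}
```

An empty array means the feature is declared but allowed for no origin, which is how a header directive such as `geolocation 'src'` ends up in this sketch.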

Thanks! Pages updated.
