1507230 - Introduce 2 new pref for FeaturePolicy

Status: RESOLVED FIXED

(Core :: DOM: Security, enhancement)

Description

[Andrea Marchesini [:baku]]

dom.security.featurePolicy.header.enabled pref controls the using of FeaturePolicy header.

dom.security.featurePolicy.webidl.enabled pref is about exposing document.policy and HTMLIFrameElement.policy attributes.

Comment 1

[Andrea Marchesini [:baku]]

Attachment: part 1 - header

Comment 2

[Andrea Marchesini [:baku]]

Attachment: part 2 - webidl

Comment 3

[Christoph Kerschbaumer [:ckerschb]]

Comment on attachment 9025110 [details] [diff] [review]
part 1 - header

Review of attachment 9025110 [details] [diff] [review]:
-----------------------------------------------------------------

yeah that looks solid - thanks for adding that pref!

Comment 4

[Christoph Kerschbaumer [:ckerschb]]

Comment on attachment 9025111 [details] [diff] [review]
part 2 - webidl

Review of attachment 9025111 [details] [diff] [review]:
-----------------------------------------------------------------

Same for this patch. Thanks for adding those baku!

Comment 5

[Pulsebot]

Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fc44465829e8
dom.security.featurePolicy.header.enabled pref controls the using of FeaturePolicy header, r=ckerschb
https://hg.mozilla.org/integration/mozilla-inbound/rev/fe8a06f7a6b5
dom.security.featurePolicy.webidl.enabled pref controls the exposing of document.policy and HTMLIFrameElement.policy attributes, r=ckerschb

Comment 6

[Arthur Iakab [arthur_iakab]]

https://hg.mozilla.org/mozilla-central/rev/fc44465829e8
https://hg.mozilla.org/mozilla-central/rev/fe8a06f7a6b5

Comment 7

[Chris Mills [:cmills]]

This might impact documentation.

Comment 8

[Chris Mills [:cmills]]

Note to the MDN writer's team:

This shouldn't go in the rel notes, as it is not enabled by default. However, if feature-policy can now be turned on using prefs, then we should indicate this in the browser compat data —> supported in 65, but behind pref?

Comment 9

[Florian Scholz (Open Web Docs)]

Sure, like Chrome did in our docs, we can the add preference info to our compat tables:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy#Browser_compatibility

:baku, can you let me know which directives are now supported behind the "dom.security.featurePolicy.header.enabled" pref?

And then for the API tables, I would add "dom.security.featurePolicy.webidl.enabled" here:
https://developer.mozilla.org/en-US/docs/Web/API/Document/policy#Browser_compatibility
https://developer.mozilla.org/en-US/docs/Web/API/HTMLIframeElement/policy#Browser_compatibility

Does that sound good to you?

Comment 10

[Andrea Marchesini [:baku]]

:baku, can you let me know which directives are now supported behind the "dom.security.featurePolicy.header.enabled" pref?

Enabling that pref, we support the parsing of Feature-Policy HTTP header as the spec says here:

https://w3c.github.io/webappsec-feature-policy/#parse-header

The parser of the HTTP header and the HTMLIFrameElement allow attribute is the same. The list of supported feature is the same (see here: https://searchfox.org/mozilla-central/rev/b29663c6c9c61b0bf29e8add490cbd6bad293a67/dom/security/featurepolicy/FeaturePolicyUtils.cpp#28-39)

The only difference between HTTP header and HTMLIFrameElement is that 'src' is only supported in the latter.

Does that sound good to you?

Yes.

Comment 11

[Florian Scholz (Open Web Docs)]

Thanks! Pages updated.