Closed Bug 1507230 Opened Last year Closed Last year

Introduce 2 new pref for FeaturePolicy


(Core :: DOM: Security, enhancement)




Tracking Status
firefox65 --- fixed


(Reporter: baku, Assigned: baku)


(Keywords: dev-doc-complete, Whiteboard: [domsecurity-backlog1] [domsecurity-active])


(2 files)

pref controls the using of FeaturePolicy header. pref is about exposing document.policy and HTMLIFrameElement.policy attributes.
Whiteboard: [domsecurity-backlog1] [domsecurity-active]
Attached patch part 1 - header
Attachment #9025110 - Flags: review?(ckerschb)
Attached patch part 2 - webidl
Attachment #9025111 - Flags: review?(ckerschb)
Comment on attachment 9025110
part 1 - header

Review of attachment 9025110:

yeah that looks solid - thanks for adding that pref!
Attachment #9025110 - Flags: review?(ckerschb) → review+
Comment on attachment 9025111
part 2 - webidl

Review of attachment 9025111:

Same for this patch. Thanks for adding those baku!
Attachment #9025111 - Flags: review?(ckerschb) → review+
Pushed by
pref controls the using of FeaturePolicy header, r=ckerschb
pref controls the exposing of document.policy and HTMLIFrameElement.policy attributes, r=ckerschb
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
This might impact documentation.
Keywords: dev-doc-needed
Note to the MDN writer's team:

This shouldn't go in the rel notes, as it is not enabled by default. However, if feature-policy can now be turned on using prefs, then we should indicate this in the browser compat data —> supported in 65, but behind pref?

Sure, like Chrome did in our docs, we can then add preference info to our compat tables:

:baku, can you let me know which directives are now supported behind the "" pref?

And then for the API tables, I would add "" here:

Does that sound good to you?

Flags: needinfo?(amarchesini)

:baku, can you let me know which directives are now supported behind the "" pref?

Enabling that pref, we support the parsing of Feature-Policy HTTP header as the spec says here:

The parser of the HTTP header and the HTMLIFrameElement allow attribute is the same. The list of supported features is the same (see here:

The only difference between HTTP header and HTMLIFrameElement is that 'src' is only supported in the latter.

Does that sound good to you?


Flags: needinfo?(amarchesini)
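
Added example, not part of the bug and not Gecko's code: a simplified JavaScript sketch of one parser shared by the Feature-Policy header and the iframe allow attribute, where 'src' is accepted only for the attribute. The function name `parseFeaturePolicy`, the `isIframeAllow` option and the sample values are assumptions; feature names are not validated, and comma-separated header policies are not handled.

```javascript
// Simplified sketch of a shared parser for the Feature-Policy HTTP header and
// the iframe allow attribute. Illustration only, not Gecko's implementation.
// Assumptions: feature names are not checked against a supported list, and
// origins are validated only by URL parsing.
function parseFeaturePolicy(text, { isIframeAllow = false } = {}) {
  const directives = [];
  for (const directive of text.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // skip empty directives such as "a;;b"
    const feature = tokens[0].toLowerCase();
    const values = tokens.slice(1);
    // Per the Feature Policy spec, an allow attribute directive with no
    // values defaults to 'src'. A header has no such default.
    if (values.length === 0 && isIframeAllow) values.push("'src'");
    const allowlist = [];
    const ignored = []; // values the parser drops; useful when auditing a policy
    for (const value of values) {
      const keyword = value.toLowerCase();
      if (keyword === '*' || keyword === "'self'" || keyword === "'none'") {
        allowlist.push(keyword);
      } else if (keyword === "'src'") {
        // The one difference between the two contexts: 'src' only has a
        // meaning on an iframe, so a header carrying it gets nothing from it.
        (isIframeAllow ? allowlist : ignored).push(keyword);
      } else {
        try {
          allowlist.push(new URL(value).origin);
        } catch {
          ignored.push(value); // not a keyword and not a parseable origin
        }
      }
    }
    directives.push({ feature, allowlist, ignored });
  }
  return directives;
}

// Constructed sample values, not taken from the bug.
const fromHeader = parseFeaturePolicy(
  "geolocation 'self' https://maps.example; camera 'src'");
const fromAllow = parseFeaturePolicy("camera 'src'; fullscreen",
  { isIframeAllow: true });
console.log(JSON.stringify({ fromHeader, fromAllow }, null, 2));
```

A non-empty `ignored` list for a header is the case worth reviewing: the directive is still present, but the value the author wrote contributes nothing to the allowlist.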

Thanks! Pages updated.
