[wpt-sync] Sync PR 26459 - Change Feature-Policy header semantics
Categories
(Core :: DOM: Security, task, P4)
Tracking
()
| | Tracking | Status |
|---|---|---|
| firefox84 | --- | fixed |
People
(Reporter: wpt-sync, Unassigned)
Details
(Whiteboard: [wptsync downstream][domsecurity-backlog])
Sync web-platform-tests PR 26459 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/26459
Details from upstream follow.
Ian Clelland <iclelland@chromium.org> wrote:
Change Feature-Policy header semantics

This change implements the algorithmic changes for a recent change
to the Feature/Permissions policy spec:
https://github.com/w3c/webappsec-permissions-policy/pull/378

With this change, the Feature-Policy or Permissions-Policy headers by
themselves cannot be used to delegate powerful features to cross-origin
iframes; the allow attribute must be used as well. To allow this to
still be ergonomic, the default value for the header for powerful
features is effectively '*', so that delegation is allowed by the header
implicitly. The header can now be used effectively to completely block
access to a feature, as any origins not present in the header allowlist
cannot be granted the feature through the allow attribute.

This also removes some code which previously only existed to track the
cases where this change would affect the output of an IsFeatureEnabled
call.

Several tests will have been modified or rewritten prior to landing
this change; this CL depends on the following (though they are all
independent, so they are not chained together):
- https://crrev.com/c/2424633
- https://crrev.com/c/2424634
- https://crrev.com/c/2424635
- https://crrev.com/c/2424654
- https://crrev.com/c/2424655
- https://crrev.com/c/2424657
- https://crrev.com/c/2425003
- https://crrev.com/c/2425004
(See Patchset 8 for a version with the changes from all of those CLs
included.)

This CL, while large, can best be understood as the union of the
following changes:

Algorithm changes, including the removal of previous "what-if" code
and metrics:
feature_policy.cc
feature_policy.h
execution_context.cc

Unit tests to cover those changes:
feature_policy_unittest.cc
render_frame_host_feature_policy_unittest.cc

Update WPT test expectations to account for the change in behaviour
when only the header is used:
3p/b/web_tests/external/wpt/feature-policy/feature-policy-*
3p/b/web_tests/external/wpt/permissions-policy/permissions-policy-*

Update Blink web tests for fullscreen and payment request to validate
that both are now working correctly with the new header semantics:
3p/b/web_tests/http/tests/feature-policy/fullscreen*
3p/b/web_tests/http/tests/feature-policy/payment*

Update Blink web tests for the iframe policy JS interface because of
new test expectations when features are allowed/disallowed by header:
3p/b/renderer/core/feature_policy/policy_test.cc
3p/b/web_tests/http/tests/feature-policy/policy_iframes.php

Bug: 1095641
Change-Id: Iecbb0950c27a4565998ee5192590d6691a03b4a3
Reviewed-on: https://chromium-review.googlesource.com/2363169
WPT-Export-Revision: 581e27deb7e720badbd27b59c3f9c857a5fb138c
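
Added example (not part of this bug, the upstream commit, or Chromium's code): a simplified JavaScript model of the header/allow interaction the commit message describes, for a cross-origin iframe. The function names, the a.example/b.example origins and the sample policies are constructed; the model assumes the embedding document itself has the feature and that the frame's origin is the origin of its src.

```javascript
// Added illustration, not Chromium or spec code: simplified model of how the
// header and the iframe allow attribute combine for a cross-origin frame.

// Parse "feature a b; other c" into Map(feature -> Set of origins or '*').
// selfOrigin resolves 'self'. srcOrigin is passed only for the allow attribute:
// it resolves 'src' and is the default when a feature has no explicit list.
function parsePolicy(text, selfOrigin, srcOrigin) {
  const policy = new Map();
  for (const directive of (text || '').split(';')) {
    const [feature, ...tokens] = directive.trim().split(/\s+/);
    if (!feature) continue;
    const list = new Set();
    if (tokens.length === 0 && srcOrigin) list.add(srcOrigin);
    for (const t of tokens) {
      if (t === '*') list.add('*');
      else if (t === "'self'") list.add(selfOrigin);
      else if (t === "'src'" && srcOrigin) list.add(srcOrigin);
      else if (t !== "'none'") {
        try { list.add(new URL(t).origin); } catch { /* ignore bad token */ }
      }
    }
    policy.set(feature, list);
  }
  return policy;
}

const matches = (list, origin) => list.has('*') || list.has(origin);

// Assumes the embedding document itself has the feature and that the frame's
// current origin equals the origin of its src (both are simplifications).
function enabledInCrossOriginFrame(feature, { header, allow, parentOrigin, frameOrigin }) {
  const headerList = parsePolicy(header, parentOrigin).get(feature)
    || new Set(['*']);   // header silent on the feature: effectively '*'
  const allowList = parsePolicy(allow, parentOrigin, frameOrigin).get(feature)
    || new Set();        // no allow entry: nothing is delegated
  // Both must agree: the header can block, only allow can delegate.
  return matches(headerList, frameOrigin) && matches(allowList, frameOrigin);
}

// Constructed scenario: https://a.example embeds https://b.example.
const base = { parentOrigin: 'https://a.example', frameOrigin: 'https://b.example' };
const samples = [
  { header: '', allow: 'fullscreen' },
  { header: "fullscreen 'self' https://b.example", allow: '' },
  { header: "fullscreen 'self'", allow: 'fullscreen' },
  { header: "fullscreen 'self' https://b.example", allow: 'fullscreen https://b.example' },
];
for (const s of samples) {
  console.log(JSON.stringify(s), enabledInCrossOriginFrame('fullscreen', { ...base, ...s }));
}
```

The second and third samples are the two cases the commit message singles out: a header that lists the frame's origin but no allow attribute, and an allow attribute for an origin the header omits.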
Comment 4•4 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/1f0a86c8fabc
https://hg.mozilla.org/mozilla-central/rev/f8dcf43d3d82