A transient placeholder about:blank document never initializes its FeaturePolicy. This can be used to bypass feature restrictions with the same attack scenarios and impact as bug 1771685.
The bug occurs because a transient about:blank doesn't call Document::StartDocumentLoad(), where the policy would usually be set up. The FP also isn't among the security properties that are explicitly initialized in
Proof of concept
This iframe contains two blank sub frames, one of which is stopped immediately with window.stop(), so it never starts loading to replace the initial transient about:blank. Thus, the document holds an unrestricted FeaturePolicy and can hijack the top-level context's fullscreen permission, whereas the other frame has loaded regularly and is denied fullscreen as expected.
srcdoc only to keep the PoC self-contained - the cross-origin examples from bug 1771685 apply here as well.)
<iframe allow="fullscreen 'none'" srcdoc="
<button onclick='regular.document.firstChild.requestFullscreen()'>fullscreen regular</button>
<button onclick='transient.document.firstChild.requestFullscreen()'>fullscreen transient</button>
Also, sorry for reporting this right after the patch for bug 1771685 has already landed. When I filed that one I hadn't been aware that there was another FeaturePolicy initialization bug.