59 changes: 59 additions & 0 deletions source
@@ -4073,6 +4073,11 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
<li>The <dfn data-x-href="https://wicg.github.io/feature-policy/#initialize-from-response">Initialize a document's feature policy from a response</dfn> algorithm</li>
<li>The <dfn data-x="is-feature-enabled" data-x-href="https://wicg.github.io/feature-policy/#is-feature-enabled">Is feature enabled by policy for origin</dfn> algorithm</li>
<li>The <dfn data-x="process-feature-policy-attributes" data-x-href="https://wicg.github.io/feature-policy/#process-feature-policy-attributes">Process feature policy attributes</dfn> algorithm</li>
<li>The <dfn data-x="parse-header-from-value-and-origin" data-x-href="https://w3c.github.io/webappsec-feature-policy/#algo-parse-header">Parse header from value and origin</dfn> algorithm</li>
<li>The <dfn data-x="feature-policy-syntax" data-x-href="https://w3c.github.io/webappsec-feature-policy/#serialized-feature-policy">Feature Policy syntax</dfn></li>
<li><dfn data-x="declared-feature-policy" data-x-href="https://w3c.github.io/webappsec-feature-policy/#declared-policy">declared policy</dfn></li>
<li><dfn data-x="inherited-feature-policy" data-x-href="https://w3c.github.io/webappsec-feature-policy/#inherited-policy">inherited policy</dfn></li>
<li>The <dfn data-x="merge-two-declared-policies" data-x-href="https://github.com/eeeps/feature-policy/blob/4dcdb5bbddb63388c1f6f09224f4ad3b3bb8baa7/index.bs#L1142">Merge two declared policies</dfn> algorithm</li><!-- TODO update this link, if and when https://github.com/w3c/webappsec-feature-policy/pull/313 is merged -->
</ul>
</dd>

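Review bot: the Merge two declared policies link in the last list item points at a pinned commit in a personal fork (eeeps/feature-policy) rather than the w3c/webappsec-feature-policy draft, and the TODO comment makes it contingent on w3c/webappsec-feature-policy#313 landing; either hold this item until that PR merges or link the upstream draft, since a reference into an unmerged fork can silently diverge from what implementers ship and the TODO is easy to lose. The list also now mixes two hosts for the same spec (wicg.github.io/feature-policy in the three existing items, w3c.github.io/webappsec-feature-policy in the new ones); if the spec has moved, the existing items should be updated in this same change, otherwise the new ones should match them.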
@@ -14388,6 +14393,10 @@ interface <dfn>HTMLMetaElement</dfn> : <span>HTMLElement</span> {
<td><span data-x="attr-meta-http-equiv-content-security-policy">Content security policy</span>
<td><dfn><code data-x="attr-meta-http-equiv-keyword-content-security-policy">content-security-policy</code></dfn>
<td>
<tr>
<td><span data-x="attr-meta-http-equiv-feature-policy">Feature policy</span>
<td><dfn><code data-x="attr-meta-http-equiv-keyword-feature-policy">feature-policy</code></dfn>
<td>
</table>

<!--
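Review bot: the span text "Feature policy" in the new row does not match the dfn text "Feature Policy state" added further down in this patch; the data-x attributes resolve either way, but the rendered table and the definition should use the same capitalization, and the existing row above spells it "Content security policy", so lowercase "policy" looks like the house style. The empty third <td> matches the content-security-policy row, so that part is fine.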
@@ -14858,6 +14867,56 @@ people expect to have work and what is necessary.
</div>
</dd>

<dt><dfn data-x="attr-meta-http-equiv-feature-policy">Feature Policy state</dfn> (<code data-x="">http-equiv="<code data-x="attr-meta-http-equiv-keyword-feature-policy">feature-policy</code>"</code>)

<dd>

<p>This pragma sets a <code>Document</code>’s <span data-x="concept-document-feature-policy">feature policy</span>. <ref spec="FEATUREPOLICY"></p>

<div w-nodev>

<ol>
<li><p>If the <code>meta</code> element is not a child of a <code>head</code> element,
return.</p></li>

<li><p>If the <code>meta</code> element has no <code data-x="attr-meta-content">content</code>
attribute, or if that attribute's value is the empty string, then return.</p></li>

<li><p>Let <var>inherited policy</var> be <code>Document</code>'s <span data-x="concept-document-feature-policy">feature policy</span>'s <span data-x="inherited-feature-policy">inherited policy</span>.</p></li>

<li><p>Let <var>declared policy</var> be <code>Document</code>'s <span data-x="concept-document-feature-policy">feature policy</span>'s <span data-x="declared-feature-policy">declared policy</span>.</p></li>

<li><p>Let <var>meta policy</var> be the result of executing Feature Policy's <span data-x="parse-header-from-value-and-origin">Parse header from value and origin</span> algorithm, with <var>value</var> set to the <code>meta</code> element's
<code data-x="attr-meta-content">content</code> attribute's value, and <var>origin</var> set to <code>Document</code>'s origin.</p></li>

<li><p>Let <var>merged policy</var> be the result of executing Feature Policy's <span data-x="merge-two-declared-policies">Merge two declared policies</span> algorithm, with <var>existing policy</var> set to <var>declared policy</var> and <var>new policy</var> set to <var>meta policy</var>.</p></li>

<li><p>Let <var>resulting feature policy</var> be a new <span data-x="concept-feature-policy">feature policy</span>, with <span data-x="inherited-feature-policy">inherited policy</span> <var>inherited policy</var> and <span data-x="declared-feature-policy">declared policy</span> <var>merged policy</var>.</p></li>

<li><p>Set <code>Document</code>'s <span data-x="concept-document-feature-policy">feature policy</span> to <var>resulting feature policy</var>.</p></li>
</ol>

</div>

<p>For <code>meta</code> elements with an <code data-x="attr-meta-http-equiv">http-equiv</code>
attribute in the <span data-x="attr-meta-http-equiv-feature-policy">Feature
policy state</span>, the <code data-x="attr-meta-content">content</code> attribute must have a
value consisting of a <span data-x="feature-policy-syntax">valid feature
policy</span>. The <span data-x="concept-feature-policy">feature policy</span> given in the <code
data-x="attr-meta-content">content</code> attribute will be merged with the <code>Document</code>'s existing, <a href="https://html.spec.whatwg.org/multipage/browsers.html#creating-browsing-contexts:initialize-a-document's-feature-policy">already-initialized</a> <span data-x="concept-feature-policy">feature policy</span>. <ref spec="FEATUREPOLICY"></p>

<div class="example">
<p>This pragma directive disables use of Fullscreen and Geolocation APIs for all subsequent content:</p>

<pre><code class="html" data-x="">&lt;meta http-equiv="Feature-Policy" content="fullscreen 'none'; geolocation 'none'"&gt;</code></pre>

</div>

<div class="note">
<p>Once an allowlist has been declared for a <span data-x="concept-policy-controlled-feature">policy-controlled feature</span> on a <code>Document</code>, either via <code data-x="">Feature-Policy</code> HTTP headers (which are processed first) or via <code data-x="">&lt;meta http-equiv="Feature-Policy"&gt;</code> elements (which are processed later), it is not modifiable. This prevents malicious scripts from loosening feature policies which have been put in place to limit malicious behavior.</p>
</div>

</dd>
</dl>

<p>There must not be more than one <code>meta</code> element with any particular state in the
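Review bot: the algorithm's steps 3 through 8 refer to <code>Document</code> without ever binding it, and the list never says when the steps run; step 3 should read "the <code>meta</code> element's node document" and the later steps should reuse that variable, and a lead sentence should state the trigger (for example, when the element is inserted into a document), which is also the only point at which step 1's "child of a head element" check is meaningful. The note at the end claims that an allowlist set by a Feature-Policy header "is not modifiable" afterwards, but nothing in these steps enforces that: it holds only if Merge two declared policies keeps the existing entry when both policies name the same feature, so state that precondition explicitly, otherwise a meta element that a script inserts into head passes step 1 and the text promises more than the steps deliver. Two smaller points: "Document’s" in the first paragraph uses a curly apostrophe where the rest of the file uses ASCII, and the "already-initialized" cross-reference is an absolute html.spec.whatwg.org href inside the spec source, where a data-x span would keep the link correct in local and multipage builds.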