Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Architecture discussion: Document Policies #299

Closed
clelland opened this issue Apr 24, 2019 · 1 comment
Closed

Architecture discussion: Document Policies #299

clelland opened this issue Apr 24, 2019 · 1 comment

Comments

@clelland
Copy link
Collaborator

As mentioned in https://github.com/w3c/webappsec-feature-policy/issues/282#issuecomment-486267212, there's interest in splitting different types of policies out into different pieces of FP. I'm going to try to define the 'document policies' piece here, and leave the other two to their own issues. This issue can become the central bikeshed for that behaviour.

The key difference between document policies and the other two pieces is that these would be set by a header, and would apply only to the document returned with that header. Nested children and popups would not have to adhere to the same policy.

Document policies don't need allowlists, since they only apply to the single document which declares them. This makes it significantly easier to make these features parametric, without getting into convoluted header syntax.

Each of these features should have some default state, which is used if another value is not declared. This default should generally align with the existing behaviour of the open web platform. (For example, a feature restricting use of document.write should have a default which allows its use. A feature restricting oversized images would have a default which allows all images to be embedded.)

This seems like the safest way to define policies like document-write, which might otherwise be too dangerous to allow documents to impose on their nested children. (And which would likely have little benefit in any case)

The "no nested children" aspect would have to be modified for child frames with about:blank, data: and blob: urls. Those should, by default, use the same policy as their parent document.

@clelland
Copy link
Collaborator Author

I've taken the ideas from this, and #300, and combined them into a proposal here: #328

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants