Comments (11)
From the resolution of #7, and commits ed93b0c and bc67bf9, it looks like the resolution is actually that requests never include the policy; it's a response header only.
from webappsec-permissions-policy.
I think we probably want some way to send these in request headers, but I'm concerned that if it's the default it will be a lot of wasted bytes on every network request.
from webappsec-permissions-policy.
tl;dr: I think we can revert those changes; we should advertise the active policy.
A brief history...
Originally, the thought was that we should advertise the active policy and have the server reflect back ("ack") the policy in the response; absence of such reflected policy would then block the response. This was modeled after the embedded-csp proposal. Then, after discussing it some more, we realized that the "ack" is hard to implement for many + basically unnecesasry: we don't need to block the resource, we enforce the policy by restricting access to APIs. Given that, we dropped the header because it seemed unnecessary.
Later (through various conversations at BlinkOn) we identified that advertising the policy is, in fact, very useful after all, as it provides a signal to the embedee for what policies will be enforced on its content. So, I think we revert the earlier commits and drop the 'reflect' bits..
I think we probably want some way to send these in request headers, but I'm concerned that if it's the default it will be a lot of wasted bytes on every network request.
The FP request header would only be present on pages that specify a Feature-Policy; it's an opt-in header. I think this fine.
from webappsec-permissions-policy.
I think we probably want some way to send these in request headers, but I'm concerned that if it's the default it will be a lot of wasted bytes on every network request.
The FP request header would only be present on pages that specify a Feature-Policy; it's an opt-in header. I think this fine.
Imagine a future world in which almost every page is using FP. Now it's not fine anymore. This isn't theoretical, this might actually happen.
Could we start with just exposing the active policy to the main HTML resource of each frame and to JS? Then pages can do what they want for subresources (e.g. put in a cookie, append as query parameters to URLs, etc).
from webappsec-permissions-policy.
Then pages can do what they want for subresources (e.g. put in a cookie, append as query parameters to URLs, etc).
In which case they're worse off, since headers would be compressed via HPACK (h2), whereas their cookies and query string params would only make the problem worse... shrug
I'm not against this, but it feels like we're micro-optimizing.
from webappsec-permissions-policy.
Cookies are in the header, and should probably compress slightly better than the FP header, which isn't in the static header field list. The problem with them is that you shouldn't be able to set cookies for third-party content, so you have to fall back to URLs anyway.
from webappsec-permissions-policy.
Imagine a future world in which almost every page is using FP. Now it's not fine anymore. This isn't theoretical, this might actually happen.
Origin-Policy looks like a promising solution to address this: https://mikewest.github.io/origin-policy/
from webappsec-permissions-policy.
As I'm working on this, ran across an interesting case. Consider this...
Feature-Policy: {"disable":["webrtc"], "target":["https://example.com"]},
{"enable":["vibrate"], "target":
["https://foo.com", "https://bar.com"]}
<iframe src="https://foo.com/thing"></iframe>
- Disable is always propagated down - e.g. if parent disables webrtc on example.com, then foo.com embedee automatically inherits same policy.
- Should enable policy be propagated down as well?
- Embedder delegates access to Vibrate API to foo.com
- Embedder delegates access to Vibrate API to bar.com
Does the above mean that embedder enabled self -> foo.com -> bar.com? OR, does the enable policy only apply for the context that sets it and bar.com does not automagically propagate down to foo.com. In other words, can embedder delegate permission on behalf of the embedee? As currently written in 3e3acb6 this is allowed. Should it be?
/cc @raymeskhoury @noncombatant
from webappsec-permissions-policy.
Based on a VC chat today: the initial take is that enable should not propagate down. So, in above example foo.com would have to explicitly (re)enable bar.com if it wants to delegate permission to it.
from webappsec-permissions-policy.
For v1 (see #43) we're targeting a small set of ~permissions features, which don't (strictly) need this advertisement. For v2+, once we tackle features that are default on and don't have a permissions prompt.. we'll need to (a) provide some JS mechanism to query status and (b) send the request header policy.
from webappsec-permissions-policy.
Closing this as this is tackled by newer issues around sandboxing.
from webappsec-permissions-policy.
Related Issues (20)
- Potential bug in access delegation to cross-origin iframe for feature that has default allowlist value "self"? HOT 2
- allow disabled-by-default features HOT 5
- Does url match expression in origin with redirect count? takes a URL, not an origin HOT 7
- "If the allowlist contains an origin representing self" is unclear HOT 2
- Editorial: "If origin is opaque" needs to use a cross reference
- Inconsistency in text and parsing algorithm (invalid member value)
- Add "mediasession" to the list of permission policies HOT 1
- Set declared policy for powerful features to self by default HOT 9
- A request's "window" is never a Window HOT 1
- methiyaowala HOT 2
- Permissions Policy report missing a document URL HOT 2
- Send reports for Permissions Policy violations in iframe to parent frame's endpoint HOT 19
- > 07881334 2 002065 031525 054161 F-3525824 PANYA YAOWALA ( AIA ) 0107537002761 0872220535 3410200102061 *01401125350 341020009143 3410200102096 41001470 165467 T-078813339 T078813342 HOT 1
- Query: Can trusted subframe allocate permission to one of it's cross-domain subframe HOT 2
- [clipboard] document.execCommand('copy') and presumably paste bypass permissions policy
- Permissions Policy "deferred-fetch"
- JS playgrounds leak permissions. Guidelines and examples needed HOT 10
- Example 3 is misleading/Delegating Trust to Nested Contexts
- Update features.md (e.g., 'storage-access' is missing) HOT 1
- PP header inheritance for local schemes HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webappsec-permissions-policy.