Comments (3)
I mean, the Origin: header is supplied with each request, thus the web server could supply a dynamic Feature-Policy: that correspond to the server owner's wishes.
It's not. Origin header is completely orthogonal to what target
provides. Think ~CSP..
Target specifies the policy for the provided origin, as set by the embedder. E.g. if the page has an iframe that loads content from foo.com and there is a policy that says that geolocation is disabled for foo.com (as set by the embedder), then this feature will be disabled for that frame.
from webappsec-permissions-policy.
aha, so what you mean is that if foo.com embeds content from example.com, foo.com can then specify a policy that forbids geolocation.
(but example.com cannot specify this)
right?
I think that needs to be clarified in the examples, by replacing "SecureCorp inc" with a domain.
from webappsec-permissions-policy.
Yes, exactly. We're due for an overhaul on the examples.. will do, good feedback -- thanks!
from webappsec-permissions-policy.
Related Issues (20)
- Potential bug in access delegation to cross-origin iframe for feature that has default allowlist value "self"? HOT 2
- allow disabled-by-default features HOT 5
- Does url match expression in origin with redirect count? takes a URL, not an origin HOT 7
- "If the allowlist contains an origin representing self" is unclear HOT 2
- Editorial: "If origin is opaque" needs to use a cross reference
- Inconsistency in text and parsing algorithm (invalid member value)
- Add "mediasession" to the list of permission policies HOT 1
- Set declared policy for powerful features to self by default HOT 9
- A request's "window" is never a Window HOT 1
- methiyaowala HOT 2
- Permissions Policy report missing a document URL HOT 2
- Send reports for Permissions Policy violations in iframe to parent frame's endpoint HOT 19
- > 07881334 2 002065 031525 054161 F-3525824 PANYA YAOWALA ( AIA ) 0107537002761 0872220535 3410200102061 *01401125350 341020009143 3410200102096 41001470 165467 T-078813339 T078813342
- Query: Can trusted subframe allocate permission to one of it's cross-domain subframe HOT 2
- [clipboard] document.execCommand('copy') and presumably paste bypass permissions policy
- Permissions Policy "deferred-fetch"
- JS playgrounds leak permissions. Guidelines and examples needed HOT 10
- Example 3 is misleading/Delegating Trust to Nested Contexts
- Update features.md (e.g., 'storage-access' is missing) HOT 1
- PP header inheritance for local schemes HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webappsec-permissions-policy.