Comments (6)
It's a bit out of date, but from our existing draft...
Future versions of this document may define additional such members and user agents must ignore unknown members when parsing the object.
I feel pretty strongly that we should be ignoring, for the sake of future compatibility, any unrecognized feature names. This way, any implementation can add new features that only they support, and other browsers can ignore them.
Agreed.
Similarly (though less strongly,) if we see an origin that we don't recognize, or doesn't even look like an origin, we should ignore that as well. Currently, we have two non-originy-origins, "self" and "*". I can imagine that in the future, there might be a need for a third one, or that some browsers may recognize as origins strings that other ones don't. In that case, it would be best to ignore them if we encounter them.
Agreed.
On the other hand, some errors might render a whole part of the feature policy string unusable.
Three cases here..
- Malformed JFV -> abort entire policy.
- Valid JFV but invalid format (e.g. not an Array): we can ignore the directive, or abort the policy.
- Valid JFV and policy format but unrecognized feature/origin values.. ignore feature and all of its origins or just the origin we don't recognize.
from webappsec-permissions-policy.
I don't have strong opinions on this, but it sounds kind of like CSS parsing error handling. There's a lot we did wrong there, so it'd be good to avoid the same mistakes. @tabatkins @esprehn might have thoughts from CSS land.
I agree that unknown features and unknown origins should be ignored.
from webappsec-permissions-policy.
CSS did two big things right:
- Defined error-handling in a good way such that you can pick up and keep going at the next reasonable spot; this lets us introduce totally new types of syntax that were unexpected before (like the new
--foo
properties). - Allow most named things to be repeated, with only the last recognized repetition being used. This way you can write something both in the hot-new-syntax, and in the old syntax that doesn't have as much features, and have it work in both old and new agents.
It's fine to not go quite as hard on 1, and enforce reasonable syntax forms if the syntax is expected to be very stable. I think this is just JSON? If so, anything that's invalid JSON should be ignored, and valid JSON that has the wrong "shape" should have the wrong-shaped parts ignored, but the rest kept. (In your example, the "geolocation" key should be ignored for not having an Array value, but other keys should be kept.)
Adding 2 would be great, so you can specify multiple "geolocation" keys and we use the last one that's recognized - that way we can add the new object form in the future and still provide a less-powerful array value for legacy UAs.
from webappsec-permissions-policy.
Yeah...that matches my intuition as well. We shouldn't have a custom parser here. Let's just have normal JSON. That seems good for the platform as a whole to minimize custom parsing. Any keys or values that are invalid are just ignored.
That work for everyone?
from webappsec-permissions-policy.
👍
from webappsec-permissions-policy.
The result of this discussion has informed the newest updates to the spec. The parsing algorithms in https://wicg.github.io/feature-policy/#algorithms encode this behaviour:
- If the header is invalid JSON, or does not contain objects, then the resulting declared policy is empty
- Ignore unparsable directives
- Defer to JSON for handling of duplicate keys
- Ignore unrecognized features
- Ignore features with unparsable allowlists
- Ignore unparsable origins
from webappsec-permissions-policy.
Related Issues (20)
- can anyone help me?
- support <meta http-equiv> mechanism to set the policy HOT 2
- document.featurePolicy vs document.permissionsPolicy HOT 2
- Clarify the expected usage of "Should request be allowed to use feature?"
- Potential bug in access delegation to cross-origin iframe for feature that has default allowlist value "self"? HOT 2
- allow disabled-by-default features HOT 5
- Does url match expression in origin with redirect count? takes a URL, not an origin HOT 7
- "If the allowlist contains an origin representing self" is unclear HOT 2
- Editorial: "If origin is opaque" needs to use a cross reference
- Inconsistency in text and parsing algorithm (invalid member value)
- Add "mediasession" to the list of permission policies HOT 1
- Set declared policy for powerful features to self by default HOT 9
- A request's "window" is never a Window HOT 1
- methiyaowala HOT 2
- Permissions Policy report missing a document URL HOT 2
- Send reports for Permissions Policy violations in iframe to parent frame's endpoint HOT 19
- > 07881334 2 002065 031525 054161 F-3525824 PANYA YAOWALA ( AIA ) 0107537002761 0872220535 3410200102061 *01401125350 341020009143 3410200102096 41001470 165467 T-078813339 T078813342
- Query: Can trusted subframe allocate permission to one of it's cross-domain subframe HOT 2
- [clipboard] document.execCommand('copy') and presumably paste bypass permissions policy
- Permissions Policy "deferred-fetch"
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from webappsec-permissions-policy.