Comments (5)
I like it. I think we should flip the default for cascading though. cascade should be opt-out.
Also, we need a disable attribute on iframe as well?
from webappsec-permissions-policy.
> I like it. I think we should flip the default for cascading though. cascade should be opt-out.
Yep, that's what we have currently: http://igrigorik.github.io/feature-policy/#the-target-member
> Also, we need a disable attribute on iframe as well?
Yep, see: #11
from webappsec-permissions-policy.
Had an offline chat with @jpchase @clelland @mkruisselbrink today. Quick summary:
- The rough integration sketch in #10 (comment) sounds reasonable.
- One concern is lack of <meta> support, opened: #15.
- The algorithm that processes tokens probably shouldn't call out to Origin Trials specifically, instead just provide an extension point for other specs to hook into.
- We talked about pros and cons of hiding interfaces/methods vs throwing exceptions. Agreed that it probably makes sense to hide interfaces for cases like "disable webrtc", less clear on "disable document.cookie" and similar... Need to think about it some more.
Overall though, I think we agreed that it makes sense to explore this further.
Next step: convert #10 (comment) into a concrete proposal.
p.s. @jpchase @clelland @mkruisselbrink please chime in if I'm forgetting anything.
from webappsec-permissions-policy.
Hmm, would safer defaults be for enabled features not to cascade but disabled features to cascade?
from webappsec-permissions-policy.
Closing this; we broke out the various pieces of #9 (comment) into separate threads.
from webappsec-permissions-policy.