Architecture discussion: Document Policies

[clelland]

As mentioned in https://github.com/w3c/webappsec-feature-policy/issues/282#issuecomment-486267212, there's interest in splitting different types of policies out into different pieces of FP. I'm going to try to define the 'document policies' piece here, and leave the other two to their own issues. This issue can become the central bikeshed for that behaviour.

The key difference between document policies and the other two pieces is that these would be set by a header, and would apply only to the document returned with that header. Nested children and popups would not have to adhere to the same policy.

Document policies don't need allowlists, since they only apply to the single document which declares them. This makes it significantly easier to make these features parametric, without getting into convoluted header syntax.

Each of these features should have some default state, which is used if another value is not declared. This default should generally align with the existing behaviour of the open web platform. (For example, a feature restricting use of document.write should have a default which allows its use. A feature restricting oversized images would have a default which allows all images to be embedded.)

This seems like the safest way to define policies like document-write, which might otherwise be too dangerous to allow documents to impose on their nested children. (And which would likely have little benefit in any case)

The "no nested children" aspect would have to be modified for child frames with about:blank, data: and blob: urls. Those should, by default, use the same policy as their parent document.

[clelland]

I've taken the ideas from this, and #300, and combined them into a proposal here: #328