From d2d74351c6761291841da83a6225ac9b8d391c1f Mon Sep 17 00:00:00 2001 From: Eric Portis Date: Fri, 21 Sep 2018 17:16:18 -0700 Subject: [PATCH 1/3] =?UTF-8?q?Add=20=E2=80=9CShould=20request=20be=20allo?= =?UTF-8?q?wed=20to=20use=20feature=E2=80=9D=C2=A0algorithm=20(#129)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- index.bs | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/index.bs b/index.bs index 30461b47..5ea28d56 100644 --- a/index.bs +++ b/index.bs @@ -1188,6 +1188,24 @@ partial interface HTMLIFrameElement { Note: This algorithm should be called when a feature policy has been violated. +
+

Should request be allowed to use feature?

+

Given a feature (feature) and a request (request), this algorithm returns true if the request should be allowed to use feature, and false otherwise.

+
    +
  1. Set |global object| to |request|’s client’s global object.
    2. +
  2. Set |document| to null.
    3. +
  3. If |global object| is a {{Document}}, set |document| to |global object|.
    4. +
  4. If |global object| is a {{Window}}, set |document| to |global object|’s associated `Document`.
    5. +
  5. If |document| is null, return false. +
    How can we enable secure use of policy-controlled features within requests initiated by clients that do not have documents? e.g., from within {{WorkerGlobalScope}}s or {{WorkletGlobalScope}}s, i.e., within Service Workers?
    +
    6. +
  6. Let |origin| be |request|’s URL’s origin.
    7. +
  7. Let |result| be the result of executing Is feature enabled in document for origin? on |feature|, |document|, and |origin|. +
    8. +
  8. If |result| is "Enabled", return true.
    9. +
  9. Otherwise, return false
    10. +
+
From 13710e0adaf107e5d5964530bf039876fe8ea8ca Mon Sep 17 00:00:00 2001 From: Eric Portis Date: Wed, 12 Dec 2018 22:50:22 -0800 Subject: [PATCH 2/3] =?UTF-8?q?Simplify=20getting=20request=E2=80=99s=20wi?= =?UTF-8?q?ndow;=20don=E2=80=99t=20try=20to=20figure=20out=20what=20to=20d?= =?UTF-8?q?o=20in=20no-window=20contexts.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- index.bs | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/index.bs b/index.bs index f526294e..06ed56b7 100644 --- a/index.bs +++ b/index.bs @@ -1057,18 +1057,17 @@ partial interface HTMLIFrameElement {

Should request be allowed to use feature?

Given a feature (feature) and a request (request), this algorithm returns true if the request should be allowed to use feature, and false otherwise.

    -
  1. Set |global object| to |request|’s client’s global object.
    2. -
  2. Set |document| to null.
    3. -
  3. If |global object| is a {{Document}}, set |document| to |global object|.
    4. -
  4. If |global object| is a {{Window}}, set |document| to |global object|’s associated `Document`.
    5. -
  5. If |document| is null, return false. -
    How can we enable secure use of policy-controlled features within requests initiated by clients that do not have documents? e.g., from within {{WorkerGlobalScope}}s or {{WorkletGlobalScope}}s, i.e., within Service Workers?
    +
  6. Set |window| to |request|’s window.
    7. +
  7. If |window| is not a {{Window}}, return false. +
    Feature Policy within `no-window` contexts ({{WorkerGlobalScope}} or {{WorkletGlobalScope}}) is being figured out in issue #207. After that’s resolved, update this algorithm to allow fetches initiated within these contexts to use policy-controlled features. *Until* that’s resolved, disallow all policy-controlled features (e.g., sending Client Hints to third parties) in these contexts.
    +
    Could this algorithm be run before fetching starts, when |request|’s window is still the string `'client'`?
    8. +
  8. Set |document| to |window|’s associated `Document`.
  9. Let |origin| be |request|’s URL’s origin.
  10. Let |result| be the result of executing Is feature enabled in document for origin? on |feature|, |document|, and |origin|.
  11. If |result| is "Enabled", return true.
    12. -
  12. Otherwise, return false
    13. +
  13. Otherwise, return false.
From 584c78ded5ea47db7422ddcb1d72f15ab29af2d5 Mon Sep 17 00:00:00 2001 From: Eric Portis Date: Wed, 23 Jan 2019 09:50:58 -0800 Subject: [PATCH 3/3] =?UTF-8?q?Clean-up=20in=20response=20to=20@yoavweiss?= =?UTF-8?q?=E2=80=99=20comments?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- index.bs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 51a74380..dd590862 100644 --- a/index.bs +++ b/index.bs @@ -1065,10 +1065,9 @@ partial interface HTMLIFrameElement {
  • Set |window| to |request|’s window.
  • If |window| is not a {{Window}}, return false.
    Feature Policy within `no-window` contexts ({{WorkerGlobalScope}} or {{WorkletGlobalScope}}) is being figured out in issue #207. After that’s resolved, update this algorithm to allow fetches initiated within these contexts to use policy-controlled features. *Until* that’s resolved, disallow all policy-controlled features (e.g., sending Client Hints to third parties) in these contexts.
    -
    Could this algorithm be run before fetching starts, when |request|’s window is still the string `'client'`?
  • Set |document| to |window|’s associated `Document`.
    • -
  • Let |origin| be |request|’s URL’s origin.
    • +
  • Let |origin| be |request|’s origin.
  • Let |result| be the result of executing Is feature enabled in document for origin? on |feature|, |document|, and |origin|.
  • If |result| is "Enabled", return true.