Integrate feature policy #177
Conversation
This adds a policy-controlled feature, named 'sync-xhr', which can be disabled in a document to turn off synchronous requests for that document (and documents in all descendant frames). Calling send() on a synchronous request in a document where sync-xhr is disabled will result in a NetworkError being thrown.
|
As written, this depends on whatwg/html#3287 so that 'allowed to use' can reference a policy-controlled feature, and not just an attribute name. |
xhr.bs
Outdated
|
|
||
| <p>The feature name for <a>Synchronous XMLHttpRequest</a> is "sync-xhr". | ||
|
|
||
| <p>The default allowlist for Synchronous XMLHttpRequest is <code>*</code>. |
There was a problem hiding this comment.
<a> is omitted for "Synchronous XMLHttpRequest" intentionally? just checking.
There was a problem hiding this comment.
Nope, missed the markup there. Thanks.
xhr.bs
Outdated
| <a>responsible document</a> and it is <em>not</em> | ||
| <a>allowed to use</a> the <a>Synchronous XMLHttpRequest</a> | ||
| feature, then run <a>handle response end-of-body</a> for a <a>network | ||
| error</a> and return. |
There was a problem hiding this comment.
It seems nicer to throw during open(), no?
There was a problem hiding this comment.
That would be surprising to developers, I think -- there aren't currently any cases of a NetworkError being thrown during open(), since the fetch algorithm isn't called until send(). Since this policy can be imposed on pages which were written before this proposal, it seems that using an existing failure pattern is less likely to result in unforseen behaviour on the page.
I had originally proposed throwing an InvalidAccessError during open(), to align with the note at https://xhr.spec.whatwg.org/#sync-warning, but the rough consensus at TPAC (I wasn't actually present, this is second-hand) was around emulating a network-layer-error instead.
There was a problem hiding this comment.
Well yeah, I wouldn't want to throw a NetworkError there. I wonder what rationale was given in that discussion. Who would we ask?
There was a problem hiding this comment.
Note that InvalidAccessError would also be consistent with step 10 of open() today.
There was a problem hiding this comment.
I'll ask on #178, and see if we can find out who was there, and if this accurately reflects the consensus.
There was a problem hiding this comment.
https://chromium.googlesource.com/chromium/src/+/40126a62123c1e8704b2f92a6ef54eb3e6ce52db/third_party/WebKit/Source/core/xmlhttprequest/XMLHttpRequest.cpp#695 now throws InvalidAccessError in open(), which I think makes sense, has this been resolved but the comment thread just left open?
There was a problem hiding this comment.
https://chromium-review.googlesource.com/c/chromium/src/+/804057 changes it from InvalidAccessError to NetworkError, and causes it to occur on send(), like other network conditions would.
xhr.bs
Outdated
| <h3 id=feature-policy>Feature Policy Integration</h3> | ||
|
|
||
| <p>This specification defines a policy-controlled feature named <dfn>Synchronous | ||
| XMLHttpRequest</dfn>. |
There was a problem hiding this comment.
Are all features supposed to follow this naming convention?
There was a problem hiding this comment.
I wanted to decouple the name of the feature from the character string used to denote it in policies
The spec just says that there are policy-controlled features, and they have a feature name, which is defined in the ABNF as 1*( ALPHA / DIGIT / "-")
xhr.bs
Outdated
| <p>This specification defines a policy-controlled feature named <dfn>Synchronous | ||
| XMLHttpRequest</dfn>. | ||
|
|
||
| <p>The feature name for <a>Synchronous XMLHttpRequest</a> is "sync-xhr". |
There was a problem hiding this comment.
xref "feature name"
And make it "<code>sync-xhr</code>".
There was a problem hiding this comment.
Done. (I've added explicit anchors for the unexported dfns until I fix up the FP spec to export those terms properly)
xhr.bs
Outdated
|
|
||
| <p>The feature name for <a>Synchronous XMLHttpRequest</a> is "sync-xhr". | ||
|
|
||
| <p>The default allowlist for Synchronous XMLHttpRequest is <code>*</code>. |
There was a problem hiding this comment.
xref "default allowlist" (elsewhere we use safelist for things like this, is this different enough to use a new name?)
There was a problem hiding this comment.
I hadn't noticed 'safelist' being used in this context, and I'm not sure if 'safety' is the concept we're trying to convey in any case.
Originally the feature policy spec used 'whitelist', and early reviews suggested we switch to 'allowlist' to match some other specs (I don't recall which; perhaps Web Authentication?)
I'm sure this is open to change, but that should probably happen on the FP issues list :)
There was a problem hiding this comment.
WebAuthn doesn't seem to use it.
There was a problem hiding this comment.
w3c/webauthn#327 -- apparently not anymore (I still don't remember if this was the spec that was brought up, could be a complete coincidence)
xhr.bs
Outdated
|
|
||
| <p>When disabled in a document, calling send() on an XMLHttpRequest object with | ||
| the synchronous flag set MUST cause a DOMException named | ||
| <code>NetworkError</code> to be thrown. |
There was a problem hiding this comment.
Please remove this. We don't want duplicate requirements.
* Fix references and markup * Remove duplicated requirement text
|
In particular I was wondering if a feature is always named "Uppercase Feature" or "Uppercase feature" rather than just "uppercase feature" which would be "synchronous XMLHttpRequest" here. Introducing that as a "feature named X" and then saying X has a feature name is somewhat confusing by the way. Maybe it makes more sense to call one the feature name and the other the identifier. |
|
There isn't a standard for naming features -- I've generally used whatever seems to sound right in prose -- and this is really the first time that the name of a feature and it's "feature name" string have diverged, since neither seems appropriate in the other's place. (And I agree that it is confusing to call the character string that goes into policies the "feature name". I've opened w3c/webappsec-permissions-policy#125 to address that. I'll submit PRs to all of the specs that have included that text once we have settled on a better term to use) |
|
FWIW I would probably just remove the feature name concept entirely and only use the web-developer-facing string ("feature identifier") throughout all specs. Having two 1:1 things, one of which is never exposed to either browser developers or web developers, seems confusing. |
|
Agreed, and fixed with the latest commit. |
xhr.bs
Outdated
| @@ -29,6 +29,9 @@ spec:dom; type:interface; text:Document | |||
| <pre class=anchors> | |||
| urlPrefix: https://w3c.github.io/DOM-Parsing/; spec: dom-parsing | |||
| type: dfn; text: fragment serializing algorithm; url: dfn-fragment-serializing-algorithm | |||
| urlPrefix: https://wicg.github.io/feature-policy/; spec: FEATURE-POLICY | |||
| type: dfn; text: policy-controlled feature; url: policy-controlled-feature | |||
| type: dfn; text: default allowlist; url: default-allowlist | |||
There was a problem hiding this comment.
These should be properly exported by Feature Policy directly. This anchors block is only there for legacy.
There was a problem hiding this comment.
They've been exported for a while -- or at least I thought they were :( Filed speced/bikeshed#1173 to get that indexed for use in bikeshed.
xhr.bs
Outdated
| <li> | ||
| <p>If <a>context object</a>'s <a>relevant settings object</a> has a | ||
| <a>responsible document</a> and it is <em>not</em> <a>allowed to use</a> the | ||
| <code><a>sync-xhr</a></code> feature, then run <a>handle response |
There was a problem hiding this comment.
If this is meant to be a string I think it should be "<code><a>sync-xhr</a></code>" here and below. That's how you write down strings per Infra.
Also, no wrapping inside phrasing elements.
There was a problem hiding this comment.
Oh, also, since the <p> is the only child you need to do <li><p>....
xhr.bs
Outdated
|
|
||
| <p>This specification defines a <a>policy-controlled feature</a> identified by | ||
| the string <code><dfn>sync-xhr</dfn></code>. Its <a>default allowlist</a> is | ||
| <code>*</code>. |
There was a problem hiding this comment.
More can be on one line here. Please use 100 columns for new/modified text.
xhr.bs
Outdated
| <p>This specification defines a <a>policy-controlled feature</a> identified by | ||
| the string <code><dfn>sync-xhr</dfn></code>. Its <a>default allowlist</a> is | ||
| <code>*</code>. | ||
|
|
There was a problem hiding this comment.
You want an extra newline here for consistency.
xhr.bs
Outdated
| @@ -1021,6 +1025,12 @@ method must run these steps: | |||
| <p>Otherwise, if the <a>synchronous flag</a> is set, run these substeps: | |||
|
|
|||
| <ol> | |||
| <li> | |||
| <p>If <a>context object</a>'s <a>relevant settings object</a> has a | |||
| <a>responsible document</a> and it is <em>not</em> <a>allowed to use</a> the | |||
There was a problem hiding this comment.
Should this be "and that"/"which is"? To me it seems that "it" refers to a settings object here.
There was a problem hiding this comment.
Fixed -- that was ambiguous, thanks.
* Clarify which object is tested for "allowed to use" * Denote strings correctly * Formatting
|
You also might want to associate [email protected] with your GitHub account and add your name to the Acknowledgments section of the standard. |
|
@annevk, there are web-platform-tests for this already committed; you can see the results at https://wpt.fyi/xhr/xmlhttprequest-sync-default-feature-policy.sub.html (It fails in Chrome 63, but should pass in 65) Are there additional tests you'd like to see? I'll see about filing bugs in other places where I can do that. |
|
That's good enough I think. Other interesting tests might be header-based / same-origin restrictions. |
|
I noticed one more nit. We use sentence casing for headers. I'm not entirely sure if that means "Feature Policy integration" or "Feature policy integration" though. I'm guessing the former makes the most sense. |
|
Doesn't this depend on whatwg/html#3287 which is still not merged? :-/ |
|
@domenic see the commit message. |
Preview | Diff