From 67bc949cc2f8e9be7abb28a34f243a1b59d3616b Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Tue, 20 Dec 2022 14:18:22 +0000 Subject: [PATCH 1/3] Fix `Define an inherited policy for feature in container at origin` The text implies only the inherited policy of the document should be checked, but even if the containing document has the feature enabled the document could set a permissions policy that denied access to the specific origin. We must check the actual policy for the containing document to know. Chrome is already doing this. --- index.bs | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/index.bs b/index.bs index 96fdc3aa..d9dd6474 100644 --- a/index.bs +++ b/index.bs @@ -921,8 +921,9 @@ partial interface HTMLIFrameElement { feature. 1. Let |policy| be |container|'s node document's Permissions Policy - 1. If |policy|'s inherited policy for |feature| is - "Disabled", return "Disabled". + 1. If the result of executing Is feature + enabled in document for origin? on |feature|, |container|'s node document', + and |origin| is "Disabled", return "Disabled". 1. If |feature| is present in |policy|'s declared policy, and the allowlist for |feature| in |policy|'s declared policy does not match |origin|, then return "Disabled". From 664f355e183bf3486e580013e7d6f966ce68161e Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Tue, 20 Dec 2022 15:01:23 +0000 Subject: [PATCH 2/3] git --- index.bs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index d9dd6474..cf694552 100644 --- a/index.bs +++ b/index.bs @@ -920,13 +920,14 @@ partial interface HTMLIFrameElement { (|origin|), this algorithm returns the inherited policy for that feature. 1. Let |policy| be |container|'s node document's Permissions - Policy + Policy. + 1. If the result of executing Is feature + enabled in document for origin? on |feature|, |container|'s node document', + and |container|'s node document''s |origin| is "Disabled", + return "Disabled". 1. If the result of executing Is feature enabled in document for origin? on |feature|, |container|'s node document', and |origin| is "Disabled", return "Disabled". - 1. If |feature| is present in |policy|'s declared policy, and the - allowlist for |feature| in |policy|'s declared policy does - not match |origin|, then return "Disabled". 1. Let |container policy| be the result of running Process permissions policy attributes on |container|. 1. If |feature| is a key in |container policy|: From 5247072fda8cf253a1f0e58fdcac2ca87d124d96 Mon Sep 17 00:00:00 2001 From: Ari Chivukula Date: Tue, 20 Dec 2022 15:03:02 +0000 Subject: [PATCH 3/3] fix --- index.bs | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/index.bs b/index.bs index cf694552..dd2b6af4 100644 --- a/index.bs +++ b/index.bs @@ -922,12 +922,13 @@ partial interface HTMLIFrameElement { 1. Let |policy| be |container|'s node document's Permissions Policy. 1. If the result of executing Is feature - enabled in document for origin? on |feature|, |container|'s node document', - and |container|'s node document''s |origin| is "Disabled", - return "Disabled". + enabled in document for origin? on |feature|, |container|'s + node document, and |container|'s node document''s origin + is "Disabled", return "Disabled". 1. If the result of executing Is feature - enabled in document for origin? on |feature|, |container|'s node document', - and |origin| is "Disabled", return "Disabled". + enabled in document for origin? on |feature|, |container|'s + node document, and |origin| is "Disabled", + return "Disabled". 1. Let |container policy| be the result of running Process permissions policy attributes on |container|. 1. If |feature| is a key in |container policy|: