Fix Define an inherited policy for feature in container at origin
#501
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The text implies only the inherited policy of the document should be checked, but even if the containing document has the feature enabled the document could set a permissions policy that denied access to the specific origin. We must check the actual policy for the containing document to know. Chrome is already doing this.
|
This looks good, and matches the intention, and, I think, the actual implementation in Chrome. Happy to merge this. Note that this behaviour will change when #480 is fixed -- for that issue, we actually do want a way to block the use of a feature in the current frame, but retain the ability to delegate it to a subframe, but that will require parser changes, as well as support from this algorithm. |
aarongable
pushed a commit
to chromium/chromium
that referenced
this pull request
Jan 9, 2023
I'm fixing the spec to match what chrome does: w3c/webappsec-permissions-policy#501 which is to check both the parent and current origin against the allowlist as well as the inherited policy. The comments here should be updated to reflect what the code actually does the reduce confusion. Bug: 1401055 Change-Id: I078da599b638202aeaf3ea4cbcc9003a911b9612 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4116819 Auto-Submit: Ari Chivukula <[email protected]> Reviewed-by: Ian Clelland <[email protected]> Commit-Queue: Ian Clelland <[email protected]> Cr-Commit-Position: refs/heads/main@{#1090570}
clelland
added a commit
that referenced
this pull request
Jan 11, 2023
#501 Updated the "Is feature enabled in document for origin" algorithm, which left the `policy` variable in that algorithm unused. This removes it.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The text implies only the inherited policy of the document should
be checked, but even if the containing document has the feature
enabled the document could set a permissions policy that denied access
to the specific origin. We must check the actual policy for the
containing document to know. Chrome is already doing this.
We can accomplish this by adapting both 9.8.2 and 9.8.3 to
use
Is feature enabled in document for origin?but have thefirst check the parent origin and the second check the
actual origin.
Preview | Diff