
Issue metadata

Status: Fixed
Owner:
Closed: Feb 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Task
Launch-Accessibility: NotReviewed
Launch-Legal: NotReviewed
Launch-M-Target: 59-Dev , 59-Beta , 59-Stable-Exp , 59-Stable



Issue 623682: Launch Feature Policy

Reported by iclell...@chromium.org, Jun 27 2016 Project Member

Issue description

Change description:
Implement a framework to allow site owners to selectively enable and disable web platform features on their pages. By setting a response HTTP header, site owners can disable parts of the web platform on their pages, including in embedded third party content.

Changes to API surface:
- New HTTP header: Feature-Policy
- Optionally disabled features: (Completely removed, or permission denied, as necessary. This list is subject to change as the spec settles)
   - document.cookie
   - document.domain
   - document.write/writeln
   - geolocation
   - MIDI
   - notifications
   - push
   - synchronous scripts
   - synchronous XHR
   - WebRTC


Links:
Draft Spec: https://wicg.github.io/feature-policy/
Public standards discussion: All discussions are currently at https://github.com/igrigorik/feature-policy/issues

Support in other browsers:
Internet Explorer: No
Firefox: No
Safari: No
No current support, but other browser vendors have been positive towards the idea.
 

Comment 1 by l.gom...@samsung.com, Jul 8 2016

> Implement a framework to allow site owners to selectively enable and disable web platform features 

I do not see any wording in the referenced spec that would also allow opting in for features - the spec seems to only reference disabling features.

Comment 2 by wou...@interpotential.com, Jul 9 2016

The header would probably have to specify whether it's a whitelist or blacklist.

Comment 3 Deleted

Comment 4 by iclell...@chromium.org, Aug 5 2016

Blockedon: 634921

Comment 5 by csharrison@chromium.org, Aug 16 2016

Blocking: 637874

Comment 6 by iclell...@chromium.org, Aug 16 2016

Blockedon: 638238

Comment 7 by iclell...@chromium.org, Aug 16 2016

Blockedon: 638240

Comment 8 by iclell...@chromium.org, Nov 1 2016

Blockedon: 661271

Comment 9 by iclell...@chromium.org, Nov 1 2016

Blockedon: 661273

Comment 10 by iclell...@chromium.org, Nov 1 2016

Blockedon: 661277

Comment 11 by iclell...@chromium.org, Nov 1 2016

Blockedon: 661280

Comment 12 by iclell...@chromium.org, Nov 1 2016

Blockedon: 661282

Comment 13 by bugdroid1@chromium.org, Nov 3 2016

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7d15b7fc471b33e2d52a45876cb8323a4fb0e780

commit 7d15b7fc471b33e2d52a45876cb8323a4fb0e780
Author: iclelland <iclelland@chromium.org>
Date: Thu Nov 03 16:58:10 2016

[FeaturePolicy] Initial implementation of Feature Policy

This CL adds to each frame (local or remote) a FeaturePolicy object, which can be used to control the exposure and behaviour of web platform features. A frame's policy is computed from the policy declared in the "Feature-Policy" HTTP header, its parent frame's policy, and the default policy for each feature.

See https://wicg.github.io/feature-policy/ for the specification in development.

Three features from the specification are implemented with this CL: cookie, domain, and docwrite.

(This behaviour is all conditional on the runtime flag for Feature Policy)

Future CLs are going to implement:
 - <iframe> attribute support
 - Layout tests
 - Parser fuzzing
 - Control over additional features

BUG= 623682 

Review-Url: https://codereview.chromium.org/2254533002
Cr-Commit-Position: refs/heads/master@{#429623}

[modify] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/bindings/core/v8/ConditionalFeatures.cpp
[modify] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/bindings/core/v8/ConditionalFeatures.h
[modify] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/core/dom/Document.idl
[modify] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/core/frame/Frame.cpp
[modify] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/core/frame/Frame.h
[modify] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/core/loader/FrameLoader.cpp
[modify] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/platform/BUILD.gn
[modify] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.in
[add] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.cpp
[add] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.h
[add] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/platform/feature_policy/FeaturePolicyTest.cpp
[modify] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/platform/network/HTTPNames.in
[modify] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/platform/network/HTTPParsers.cpp
[modify] https://crrev.com/7d15b7fc471b33e2d52a45876cb8323a4fb0e780/third_party/WebKit/Source/platform/network/HTTPParsers.h

Comment 14 by iclell...@chromium.org, Nov 9 2016

Blockedon: 663731

Comment 15 by bugdroid1@chromium.org, Nov 10 2016

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/223219ddca24df5f57dfb8c7e286690ad8800d16

commit 223219ddca24df5f57dfb8c7e286690ad8800d16
Author: iclelland <iclelland@chromium.org>
Date: Thu Nov 10 19:15:29 2016

Add CORE_EXPORT to blink::isFeatureEnabledInFrame for Feature Policy

BUG= 623682 

Review-Url: https://codereview.chromium.org/2491353002
Cr-Commit-Position: refs/heads/master@{#431312}

[modify] https://crrev.com/223219ddca24df5f57dfb8c7e286690ad8800d16/third_party/WebKit/Source/bindings/core/v8/ConditionalFeatures.h

Comment 16 by lunalu@chromium.org, Nov 10 2016

Cc: lunalu@chromium.org

Comment 17 by iclell...@chromium.org, Nov 11 2016

Blockedon: 664374

Comment 19 by iclell...@chromium.org, Nov 18 2016

Blockedon: 666761

Comment 20 by iclell...@chromium.org, Nov 18 2016

Blockedon: 666762

Comment 21 by iclell...@chromium.org, Nov 18 2016

Blockedon: 666765

Comment 22 by iclell...@chromium.org, Nov 18 2016

Blockedon: 666767

Comment 23 by iclell...@chromium.org, Nov 18 2016

Labels: Feature-Policy

Comment 24 by bugdroid1@chromium.org, Nov 25 2016

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/11eca67f18be0dfbfcb1703a21abb454e5f85b05

commit 11eca67f18be0dfbfcb1703a21abb454e5f85b05
Author: lunalu <lunalu@chromium.org>
Date: Fri Nov 25 02:09:41 2016

Implementation for feature policy - vibrate.
Disable Navigator.vibrate() unless enabled through feature policy.

Added tests with the runtime flag on.

Also modified IsFeatureEnabledInFrame for the case EnableForSelf, which should only be enabled with the same origin.

BUG= 623682 

Review-Url: https://codereview.chromium.org/2492623002
Cr-Commit-Position: refs/heads/master@{#434423}

[modify] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/VirtualTestSuites
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/http/tests/feature-policy/resources/feature-policy-vibrate-disabled.html
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/http/tests/feature-policy/resources/feature-policy-vibrate-enabled.html
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/http/tests/feature-policy/vibrate-disabled-expected.txt
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/http/tests/feature-policy/vibrate-disabled.php
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/http/tests/feature-policy/vibrate-enabledforall-expected.txt
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/http/tests/feature-policy/vibrate-enabledforall.php
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/http/tests/feature-policy/vibrate-enabledforself-expected.txt
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/http/tests/feature-policy/vibrate-enabledforself.php
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/virtual/feature-policy/http/tests/feature-policy/README.txt
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/virtual/feature-policy/http/tests/feature-policy/vibrate-disabled-expected.txt
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/virtual/feature-policy/http/tests/feature-policy/vibrate-enabledforall-expected.txt
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/virtual/feature-policy/http/tests/feature-policy/vibrate-enabledforself-expected.txt
[add] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/LayoutTests/virtual/feature-policy/http/tests/feature-policy/vibrate_in_cross_origin_iframe_blocked-expected.txt
[modify] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/Source/bindings/core/v8/ConditionalFeatures.cpp
[modify] https://crrev.com/11eca67f18be0dfbfcb1703a21abb454e5f85b05/third_party/WebKit/Source/modules/vibration/NavigatorVibration.cpp

Comment 25 by iclell...@chromium.org, Jan 3 2017

Components: Blink>FeaturePolicy

Comment 26 by jmedley@chromium.org, Jan 4 2017

Labels: -M-54

Comment 27 by lunalu@chromium.org, Jan 9 2017

Blockedon: 679385

Comment 28 by raymes@chromium.org, Feb 28 2017

Blockedon: 696819

Comment 29 by iclell...@chromium.org, Mar 21 2017

Blockedon: -661271

Comment 30 by iclell...@chromium.org, Mar 21 2017

Blockedon: -664374

Comment 31 by iclell...@chromium.org, Mar 21 2017

Blockedon: -666767

Comment 32 by iclell...@chromium.org, Mar 24 2017

Blockedon: 704904

Comment 33 by iclell...@chromium.org, Mar 24 2017

Blockedon: -661280

Comment 34 by iclell...@chromium.org, Mar 24 2017

Blockedon: -666765

Comment 35 by iclell...@chromium.org, Mar 24 2017

Labels: Launch-M-Target-59-Dev Launch-M-Target-59-Beta Launch-M-Target-59-Stable-Exp Launch-M-Target-59-Stable Launch-Status-Review-Requested
This is essentially feature complete -- there is still some ongoing engineering, but I think this is the time I'm supposed to request X-Functional review.

Comment 36 by iclell...@chromium.org, Mar 24 2017

Blink intent-to-ship: https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/uKO1CwiY3ts

The spec has been moved since this bug was filed, and now lives at https://wicg.github.io/feature-policy/

Additionally, the features which are initially going to be controlled by policy have been cut back. For M57, we are looking to support three features:
  - Fullscreen
  - PaymentRequest
  - Vibrate

Comment 37 by lunalu@chromium.org, Mar 24 2017

https://github.com/w3c/web-platform-tests/pull/5055

Planning to write more web platform tests (e.g., when both allow="fullscreen" and allowfullscreen are present).

Comment 38 by scheib@chromium.org, Mar 27 2017

Description: Show this description

Comment 39 by iclell...@chromium.org, Mar 27 2017

Blockedon: 705658

Comment 40 by reillyg@chromium.org, Apr 13 2017

Blocking: 711443

Comment 41 by iclell...@chromium.org, Apr 20 2017

Blockedon: 713364

Comment 42 by iclell...@chromium.org, Apr 28 2017

Blockedon: 716478

Comment 43 by iclell...@chromium.org, May 3 2017

Blockedon: 718155

Comment 44 by iclell...@chromium.org, May 3 2017

Blockedon: 718160

Comment 45 by bugdroid1@chromium.org, May 12 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e

commit 8f64c57f0ae067e658a1d903fbbf5cbdb44e135e
Author: lunalu <lunalu@chromium.org>
Date: Fri May 12 16:38:25 2017

Enable Feature Policy without experimental features or fullscreen

Intent to ship: https://groups.google.com/a/chromium.org/forum/?hl=en#!searchin/blink-dev/intent$20to$20ship$20feature$20policy/blink-dev/uKO1CwiY3ts/62vV7xmaCQAJ

BUG= 623682 

patch from issue 2864723002 at patchset 20001 (http://crrev.com/2864723002#ps20001)

Review-Url: https://codereview.chromium.org/2873433002
Cr-Commit-Position: refs/heads/master@{#471329}

[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/content/browser/site_per_process_browsertest.cc
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/content/public/common/content_features.cc
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/LayoutTests/TestExpectations
[delete] https://crrev.com/f14c1e33e651019be3557f43121aff4a445c00b2/third_party/WebKit/LayoutTests/external/wpt/payment-request/allowpaymentrequest/allowpaymentrequest-attribute-same-origin-bc-containers.https-expected.txt
[delete] https://crrev.com/f14c1e33e651019be3557f43121aff4a445c00b2/third_party/WebKit/LayoutTests/external/wpt/payment-request/allowpaymentrequest/no-attribute-same-origin-bc-containers.https-expected.txt
[delete] https://crrev.com/f14c1e33e651019be3557f43121aff4a445c00b2/third_party/WebKit/LayoutTests/external/wpt/payment-request/allowpaymentrequest/removing-allowpaymentrequest.https.sub-expected.txt
[delete] https://crrev.com/f14c1e33e651019be3557f43121aff4a445c00b2/third_party/WebKit/LayoutTests/external/wpt/payment-request/allowpaymentrequest/setting-allowpaymentrequest.https.sub-expected.txt
[delete] https://crrev.com/f14c1e33e651019be3557f43121aff4a445c00b2/third_party/WebKit/LayoutTests/http/tests/feature-policy/payment-allowed-by-container-policy-expected.txt
[delete] https://crrev.com/f14c1e33e651019be3557f43121aff4a445c00b2/third_party/WebKit/LayoutTests/http/tests/feature-policy/payment-allowed-by-container-policy-relocate-expected.txt
[delete] https://crrev.com/f14c1e33e651019be3557f43121aff4a445c00b2/third_party/WebKit/LayoutTests/http/tests/feature-policy/payment-disabled-expected.txt
[delete] https://crrev.com/f14c1e33e651019be3557f43121aff4a445c00b2/third_party/WebKit/LayoutTests/http/tests/feature-policy/payment-enabledforall-expected.txt
[delete] https://crrev.com/f14c1e33e651019be3557f43121aff4a445c00b2/third_party/WebKit/LayoutTests/http/tests/feature-policy/payment-enabledforself-expected.txt
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/LayoutTests/platform/mac/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/LayoutTests/platform/win/virtual/stable/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/LayoutTests/virtual/service-worker-navigation-preload-disabled/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/LayoutTests/virtual/stable/webexposed/element-instance-property-listing-expected.txt
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/LayoutTests/webexposed/element-instance-property-listing-expected.txt
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/LayoutTests/webexposed/global-interface-listing-expected.txt
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/Source/core/dom/Fullscreen.cpp
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/Source/core/html/HTMLIFrameElementAllowTest.cpp
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/Source/modules/vibration/NavigatorVibration.cpp
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/Source/platform/RuntimeEnabledFeatures.json5
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.cpp
[modify] https://crrev.com/8f64c57f0ae067e658a1d903fbbf5cbdb44e135e/third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.h

Comment 46 by scheib@chromium.org, Jun 2 2017

Blocking: 728879

Comment 47 by scheib@chromium.org, Jun 2 2017

Blocking: 518042

Comment 48 by lunalu@chromium.org, Jun 12 2017

Cc: -lunalu@chromium.org loonyb...@chromium.org

Comment 49 by bugdroid1@chromium.org, Aug 17 2017

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/5d8010e1fc081481d0646618e700b51a4699ab4c

commit 5d8010e1fc081481d0646618e700b51a4699ab4c
Author: iclelland <iclelland@chromium.org>
Date: Thu Aug 17 21:47:11 2017

Reenable feature policy control over fullscreen

This CL also changes test expectations to bring the fullscreen tests in
line with the new behaviour prescribed by Feature Policy.

Specifically:
 - Same origin iframes by default have the same ability to use
   fullscreen as their parent frame. Tests which previously only used
   same-origin frames have been changed to verify the new behaviour,
   and new tests in LayoutTests/http/tests have been added to test the
   same situation with cross-origin frames.
 - Dynamic modification of the allowfullscreen flag has no effect until
   the iframe contents are navigated/reloaded.
 - Web platform tests are marked as failing, and should remain so until
   the fullscreen spec is updated to include the new behaviour.
 - A new Browser test class is created which explicitly disables
   feature policy so that we don't lose coverage for the old behaviour
   when FP is disabled.

BUG= 718155 , 623682 

Review-Url: https://codereview.chromium.org/2898503002
Cr-Commit-Position: refs/heads/master@{#495331}

[modify] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/content/browser/site_per_process_browsertest.cc
[modify] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/FlagExpectations/enable-blink-features=LayoutNG
[modify] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/TestExpectations
[add] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/external/wpt/fullscreen/api/document-fullscreen-enabled-cross-origin.sub-expected.txt
[add] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/external/wpt/fullscreen/api/document-fullscreen-enabled-cross-origin.sub.html
[add] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/external/wpt/fullscreen/api/document-fullscreen-enabled-expected.txt
[add] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/external/wpt/fullscreen/api/element-ready-check-allowed-cross-origin-manual.sub.html
[add] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/external/wpt/fullscreen/api/element-ready-check-not-allowed-cross-origin-manual.sub.html
[add] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/external/wpt/fullscreen/api/element-ready-check-not-allowed-manual-expected.txt
[rename] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/external/wpt/fullscreen/api/element-ready-check-not-allowed-manual.html
[add] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/external/wpt/fullscreen/api/resources/attempt-fullscreen.html
[add] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/external/wpt/fullscreen/api/resources/report-fullscreen-enabled.html
[modify] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/external/wpt_automation/fullscreen/auto-click.js
[delete] https://crrev.com/81565fa69c0d5cdd4275fcf9d858f92b5e8aa551/third_party/WebKit/LayoutTests/fullscreen/full-screen-enabled-expected.txt
[delete] https://crrev.com/81565fa69c0d5cdd4275fcf9d858f92b5e8aa551/third_party/WebKit/LayoutTests/fullscreen/full-screen-enabled.html
[delete] https://crrev.com/81565fa69c0d5cdd4275fcf9d858f92b5e8aa551/third_party/WebKit/LayoutTests/fullscreen/full-screen-iframe-legacy-expected.txt
[delete] https://crrev.com/81565fa69c0d5cdd4275fcf9d858f92b5e8aa551/third_party/WebKit/LayoutTests/fullscreen/full-screen-iframe-legacy.html
[delete] https://crrev.com/81565fa69c0d5cdd4275fcf9d858f92b5e8aa551/third_party/WebKit/LayoutTests/http/tests/feature-policy/fullscreen-allowed-by-container-policy-expected.txt
[delete] https://crrev.com/81565fa69c0d5cdd4275fcf9d858f92b5e8aa551/third_party/WebKit/LayoutTests/http/tests/feature-policy/fullscreen-allowed-by-container-policy-relocate-expected.txt
[delete] https://crrev.com/81565fa69c0d5cdd4275fcf9d858f92b5e8aa551/third_party/WebKit/LayoutTests/http/tests/feature-policy/fullscreen-disabled-expected.txt
[delete] https://crrev.com/81565fa69c0d5cdd4275fcf9d858f92b5e8aa551/third_party/WebKit/LayoutTests/http/tests/feature-policy/fullscreen-enabledforall-expected.txt
[delete] https://crrev.com/81565fa69c0d5cdd4275fcf9d858f92b5e8aa551/third_party/WebKit/LayoutTests/http/tests/feature-policy/fullscreen-enabledforself-expected.txt
[add] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/http/tests/fullscreen/resources/inner.html
[add] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/http/tests/fullscreen/resources/legacy.html
[add] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/http/tests/fullscreen/resources/media-file.js
[modify] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/LayoutTests/resources/testharnessreport.js
[modify] https://crrev.com/5d8010e1fc081481d0646618e700b51a4699ab4c/third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.cpp
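
Added example (not part of the original thread and not Chromium's code): a simplified JavaScript model of the policy computation described in the commit messages of comments 13, 24 and 49, where a frame's policy follows from the header, the parent frame's policy and the per-feature default. The header and allow-attribute syntax, the default allowlists, the origins and every name in the code are assumptions made for the illustration.

```javascript
// Simplified model of Feature Policy evaluation (illustration only).
// Constructed defaults: "self" = on only for the document's own origin,
// "*" = on for every origin.
const DEFAULTS = new Map([
  ["fullscreen", "self"],
  ["payment", "self"],
  ["vibrate", "self"],
  ["unsized-media", "*"],
]);

// Parse "fullscreen 'self' https://a.example; vibrate 'none'" into
// Map(feature -> allowlist tokens). Unknown feature names are ignored.
// emptyDefault is used when a feature is named without an allowlist.
function parsePolicy(text, emptyDefault = []) {
  const policy = new Map();
  for (const directive of text.split(";")) {
    const [feature, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
    if (!feature || !DEFAULTS.has(feature)) continue;
    policy.set(feature, allowlist.length ? allowlist : emptyDefault);
  }
  return policy;
}

// Does an allowlist cover `origin`? 'self' is the origin of the document that
// declared the policy, 'src' the origin of the embedded document, and 'none'
// (or an empty list) matches nothing.
function matches(allowlist, origin, selfOrigin, srcOrigin) {
  return allowlist.some(
    (token) =>
      token === "*" ||
      (token === "'self'" && origin === selfOrigin) ||
      (token === "'src'" && origin === srcOrigin) ||
      token === origin
  );
}

class Frame {
  // header: Feature-Policy response header value of this document.
  // allow:  allow attribute of the <iframe> that embeds it (container policy).
  // Both are read once here, so a later change to the attribute has no effect
  // on this Frame until a new one is created (a navigation, in browser terms).
  constructor({ origin, header = "", parent = null, allow = "" }) {
    this.origin = origin;
    this.parent = parent;
    this.declared = parsePolicy(header);
    this.container = parsePolicy(allow, ["'src'"]);
  }

  // What the parent hands down: a feature the parent lacks can never be
  // re-enabled by the child or by the allow attribute.
  inherited(feature) {
    if (!this.parent) return true; // a top-level document starts with everything
    if (!this.parent.isEnabled(feature, this.parent.origin)) return false;
    if (this.container.has(feature)) {
      return matches(this.container.get(feature), this.origin, this.parent.origin, this.origin);
    }
    return DEFAULTS.get(feature) === "*" || this.origin === this.parent.origin;
  }

  isEnabled(feature, origin = this.origin) {
    if (!DEFAULTS.has(feature)) throw new Error(`unknown feature: ${feature}`);
    if (!this.inherited(feature)) return false;
    if (this.declared.has(feature)) {
      return matches(this.declared.get(feature), origin, this.origin, null);
    }
    return DEFAULTS.get(feature) === "*" || origin === this.origin;
  }
}

// Effective state of every modelled feature in one frame.
function summary(frame) {
  return Object.fromEntries([...DEFAULTS.keys()].map((f) => [f, frame.isEnabled(f)]));
}

// Constructed sample page: the top-level document switches vibrate off and
// embeds three iframes.
const topFrame = new Frame({
  origin: "https://site.example",
  header: "vibrate 'none'; fullscreen 'self'",
});
const sameOrigin = new Frame({ origin: "https://site.example", parent: topFrame });
const crossOrigin = new Frame({ origin: "https://ads.example", parent: topFrame });
const crossAllowed = new Frame({
  origin: "https://video.example",
  parent: topFrame,
  allow: "fullscreen; vibrate",
});

for (const [name, frame] of Object.entries({ topFrame, sameOrigin, crossOrigin, crossAllowed })) {
  console.log(name, JSON.stringify(summary(frame)));
}
```

In the sample, the cross-origin frame without an allow attribute loses fullscreen but keeps unsized-media, and the allow attribute on the third frame grants fullscreen but cannot restore vibrate, which the top-level header disabled.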

Comment 50 by owe...@chromium.org, Sep 12 2017

Labels: migrated-launch-owp Type-Task
This issue has been automatically relabelled type=task because type=launch-owp issues are now officially deprecated. The deprecation is because they were creating confusion about how to get launch approvals, which should be instead done via type=launch issues.

We recommend this issue be used for implementation tracking (for public visibility), but if you already have an issue for that, you may mark this as duplicate.

For more details see here: https://docs.google.com/document/d/1JA6RohjtZQc26bTrGoIE_bSXGXUDQz8vc6G0n_sZJ2o/edit

For any questions, please contact owencm, sshruthi, larforge

Comment 51 by bugdroid1@chromium.org, Jan 29 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d4291f6edd8424f23dd840d4531a25c40221b84a

commit d4291f6edd8424f23dd840d4531a25c40221b84a
Author: Luna Lu <loonybear@chromium.org>
Date: Mon Jan 29 18:18:50 2018

Add unsized-media to feature policy.

unsized-media sets a default size for laying out intrinsically sized
images / videos.
The feature is allowed for all origins by default.
When disabled, any intrinsically sized images / videos will be using
the default dimension (300 x 150) to prevent relayout.

Bug:  623682 
Change-Id: I1bd105ded2580349e2a2b177e87b70417403cb59
Reviewed-on: https://chromium-review.googlesource.com/865159
Reviewed-by: Chris Harrelson <chrishtr@chromium.org>
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Reviewed-by: Ian Clelland <iclelland@chromium.org>
Commit-Queue: Luna Lu <loonybear@chromium.org>
Cr-Commit-Position: refs/heads/master@{#532496}
[modify] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/LayoutTests/VirtualTestSuites
[add] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/experimental-features/resources/feature-policy-image.html
[add] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/experimental-features/resources/image.jpg
[add] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/experimental-features/resources/image.png
[add] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/experimental-features/resources/image.svg
[add] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/experimental-features/resources/video.ogv
[add] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/experimental-features/unsized-image.tentative.https.sub-expected.txt
[add] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/experimental-features/unsized-image.tentative.https.sub.html
[add] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/LayoutTests/external/wpt/feature-policy/experimental-features/unsized-image.tentative.https.sub.html.headers
[add] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/LayoutTests/virtual/feature-policy-experimental-features/external/wpt/feature-policy/experimental-features/README.txt
[add] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/LayoutTests/virtual/feature-policy-experimental-features/external/wpt/feature-policy/experimental-features/unsized-image.tentative.https.sub-expected.txt
[modify] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/Source/core/css/resolver/StyleAdjuster.cpp
[modify] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/Source/platform/feature_policy/FeaturePolicy.cpp
[modify] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/common/feature_policy/feature_policy.cc
[modify] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/common/feature_policy/feature_policy.mojom
[modify] https://crrev.com/d4291f6edd8424f23dd840d4531a25c40221b84a/third_party/WebKit/common/feature_policy/feature_policy_feature.h

Comment 52 by rbyers@chromium.org, Jan 31 2018

Now that feature policy has shipped, can we call this bug fixed (in the milestone it launched) and please file new bugs for any new policies or other work?  It's hard to track work for various features when their CLs are all glommed into this one master bug...

Comment 53 by bugdroid1@chromium.org, Feb 5 2018

Project Member
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bb3d0d5849c9c8e5348da40a4833a52946c67b10

commit bb3d0d5849c9c8e5348da40a4833a52946c67b10
Author: Luna Lu <loonybear@chromium.org>
Date: Mon Feb 05 19:55:27 2018

Add UnsizeMedia to struct traits

Bug:  623682 
Change-Id: If6c55c0c3639d01ef6bb5be5f59410591ace44cc
Reviewed-on: https://chromium-review.googlesource.com/902194
Reviewed-by: Ken Buchanan <kenrb@chromium.org>
Commit-Queue: Luna Lu <loonybear@chromium.org>
Cr-Commit-Position: refs/heads/master@{#534468}
[modify] https://crrev.com/bb3d0d5849c9c8e5348da40a4833a52946c67b10/third_party/WebKit/common/feature_policy/feature_policy_struct_traits.h

Comment 54 by addyo@chromium.org, Feb 6 2018

Cc: addyo@chromium.org

Comment 55 by iclell...@chromium.org, Feb 8 2018

Labels: M-60
Status: Fixed (was: Assigned)
Closing as fixed; FP shipped originally in M60, per comment #45.

Comment 56 by sscar...@gmail.com, Jul 16 2018

WebRTC is not included in the Policy Controlled Features list but mentioned here, so has webrtc been added as well?

Comment 57 by craig.fr...@gmail.com, Jul 16 2018

Not yet.

I'm not a Chrome developer, but I keep an eye on the list of Feature Policy directives that can be used at:

https://cs.chromium.org/chromium/src/third_party/blink/renderer/platform/feature_policy/feature_policy.cc?q=GetDefaultFeatureNameMap&sq=package:chromium&dr=CSs&l=138

As of the 16th July 2018, that list includes...

- camera
- encrypted-media
- fullscreen
- geolocation
- microphone
- midi
- speaker
- sync-xhr
- vr

if (ExperimentalProductivityFeaturesEnabled) {
  - animations
  - document-write
  - image-compression
  - legacy-image-formats
  - max-downscaling-image
  - unsized-media
  - vertical-scroll
}

if (FeaturePolicyAutoplayFeatureEnabled) {
  - autoplay
}

if (PaymentRequestEnabled) {
  - payment
}

if (PictureInPictureAPIEnabled) {
  - picture-in-picture
}

if (SensorEnabled) {
  - accelerometer
  - ambient-light-sensor
  - gyroscope
  - magnetometer
}

if (WebUSBEnabled) {
  - usb
}

Comment 58 by acmesqua...@gmail.com, Jul 16 2018

Is it weird that document-write is enabled for xhtml documents where it's not available at all?

Comment 59 by sscar...@gmail.com, Jul 17 2018

So the list is not conclusive and features are still getting added?

Comment 60 by craig.fr...@gmail.com, Jul 17 2018

@acmesqua ... Historically document-write was never supported in XHTML (application/xhtml+xml), so what you are seeing is a result of that, rather than the Feature Policy being applied (for reference, I create websites locally in XML mode, to ensure it works to the higher standard, but will relax on Demo and Live):

  <?php
    header('Content-Type: application/xhtml+xml; charset=UTF-8');
  ?>
  <!DOCTYPE html>
  <html lang="en-GB" xml:lang="en-GB" xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta charset="UTF-8" />
    <title>Document Write</title>
  </head>
  <body>

    <script type="text/javascript">
    //<![CDATA[
      document.write('hi');
    //]]>
    </script>

  </body>
  </html>

Chrome Console: Uncaught DOMException: Failed to execute 'write' on 'Document': Only HTML documents support write().

Firefox Console: InvalidStateError: An attempt was made to use an object that is not, or is no longer, usable.

As to why the Feature Policy is not disabling document.write in plain HTML documents, that is presumably because it needs "ExperimentalProductivityFeaturesEnabled".

Comment 61 by craig.fr...@gmail.com, Jul 17 2018

@sscar ... The list is not conclusive at the moment, have a read of:

https://developers.google.com/web/updates/2018/06/feature-policy

Or more precisely:

  So what features can be controlled through Feature Policy?
  
  Right now, there's a lack of documentation on what policies are
  implemented and how to use them. The list will also grow over
  time as different browsers adopt the spec and implement various
  policies. Feature policy will be a moving target and good
  reference docs will definitely be needed.

That said, I've seen it settle down quite a bit, especially after the big update to the spec in Feb 2017:

https://github.com/WICG/feature-policy/commit/7035cd17305a526f48ff60f5e85cc78321bce195

Which is when I believe the description of WebRTC was removed from it, leaving a single example on line 2070 (presumably by mistake):

https://github.com/WICG/feature-policy/blob/7035cd17305a526f48ff60f5e85cc78321bce195/index.html#L2070

Comment 62 by sscar...@gmail.com, Jul 17 2018

Looks like WebRTC won't be getting added in the end, sucks. Thanks for answering my question, though.

Comment 63 by craig.fr...@gmail.com, Jul 17 2018

There was some discussion about WebRTC at:
  https://github.com/WICG/feature-policy/issues/5

Where I wonder if it will be added to CSP instead:
  https://github.com/w3c/webappsec-csp/pull/287
  https://github.com/w3c/webappsec-csp/issues/92

TBH, I kind of think it would be better placed in the CSP, as that focuses on the connections being made (or resources being requested), rather than the features being used.

Comment 64 by iclell...@chromium.org, Jul 17 2018

Thanks for chiming in, craig.fr... -- you're right that the list of features is not final by any means. Feature policy is more of a framework for the web platform, that spec authors and browser vendors can choose to use to enable consistent control over different features.

Re #57, that *is* the list of enabled features for Chrome 68, with the understanding that the FeaturePolicyAutoplayFeature, Sensor, WebUSB, (and PaymentRequest on Android) features are all enabled by default.

There have been more features using the framework with each release since Chrome 60.

sscar..., re: WebRTC -- WebRTC itself is *not* currently controlled by feature policy, but access to the device media streams which it is often used with *is* controlled by the "camera" and "microphone" features.

And this isn't a policy which is set in stone; there's lots of room for discussion still. This launch bug probably isn't the place for it, since it was just tracking all of the bits and pieces that needed to be in place for feature policy to be shipped as part of Chrome in the first place. A better forum would be the issues on GitHub, at https://github.com/WICG/feature-policy/issues, or with the WebRTC standards folks -- I think they maintain their issue lists at https://github.com/w3c/webrtc-pc/issues and https://github.com/w3c/mediacapture-main/issues.
