Feature policy container policy is based on the incorrect origin |
|||||
Issue descriptionAs specced, the container policy generated by an iframe with an allow attribute should refer to the origin of the URL in the iframe's src attribute (See https://wicg.github.io/feature-policy/#iframe-allow-attribute) The current implementation uses the origin of the document being loaded into the frame, which is correct on first load, but incorrect if the frame subsequently navigates without changing the src attribute. We should snapshot the origin of the src attribute URL when it changes, and use that origin when the container policy is constructed.
,
Mar 24 2017
,
Mar 24 2017
The currently plan is to store the value of srcAttr as KURL or string in FrameOwner and use that instead of SecurityOrigin when creating container policy.
,
Mar 24 2017
We could store it as an actual SecurityOrigin, or as an absolute URL in a KURL. Because src could be a relative URL, we will need to make sure that we are storing something that lets us get the actual origin when we need it.
,
Mar 24 2017
Make sense, I will look into the options. I guess we should use whatever is most efficient (memory-wise and speed-wise).
,
Apr 20 2017
https://chromium.googlesource.com/chromium/src/+/92f8c0b3ff53422eb761b53793bac0b424ec45df
,
Jul 18 2017
|
|||||
►
Sign in to add a comment |
|||||
Comment 1 by iclell...@chromium.org
, Mar 24 2017