New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 810833 link

Starred by 3 users
Status: Fixed
Owner:
loonyb...@chromium.org
Last visit > 30 days ago
Closed: Jun 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac , Fuchsia
Pri: 3
Type: Bug

Blocking:
issue 703703



Sign in to add a comment

document.policy includes unsupported features

Project Member Reported by iclell...@chromium.org, Feb 9 2018 
The current implementation of document.policy includes all features in the feature policy supported features list, even those which are not recognized in headers/allow.

We should restrict the list of policies reported by document.policy to just those supported in the current renderer, based on runtime flags.

In ToT right now, I see this on a default top-level document:

document.policy.allowedFeatures()
(22) ["geolocation", "midi", "payment", "camera", "usb", "fullscreen", "magnetometer", "cookie", "accelerometer", "vr", "encrypted-media", "autoplay", "domain", "speaker", "docwrite", "unsized-media", "ambient-light-sensor", "gyroscope", "vibrate", "sync-script", "sync-xhr", "microphone"]

I believe that "cookie", "autoplay", "domain", "docwrite", "unsized-media", "vibrate" and "sync-script" should not be in that list, based on my currently-set flags.

Comment 1 by iclell...@chromium.org, Feb 9 2018

Blocking: 703703

Comment 2 by loonyb...@chromium.org, Jun 5 2018

Owner: loonyb...@chromium.org
Status: Assigned (was: Available)

Comment 3 by iclell...@chromium.org, Jun 5 2018 

On ToT (self-reported as 69.0.3451.0), We now have this from a top-level doc, with no additional flags enabled:

(17) ["geolocation", "midi", "payment", "camera", "usb", "fullscreen", "magnetometer", "picture-in-picture", "accelerometer", "vr", "encrypted-media", "autoplay", "speaker", "ambient-light-sensor", "gyroscope", "sync-xhr", "microphone"]

I believe that this corresponds to the shipped features. (With the addition of picture-in-picture, which is being removed before M69 ships.)

In a cross-origin frame, the list is just:

(2) ["picture-in-picture", "sync-xhr"]

Which is also correct, with the same caveat.
Project Member

Comment 4 by bugdroid1@chromium.org, Jun 14 2018 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/ce77e4b6d9bc40b34aa45e2297495ba4376754b0

commit ce77e4b6d9bc40b34aa45e2297495ba4376754b0
Author: Luna Lu <loonybear@chromium.org>
Date: Thu Jun 14 15:33:06 2018

Remove unshipped features from feature policy

Bug:  810833 
Change-Id: Ia001570d879a714c0002c2270ff8273bf046f508
Reviewed-on: https://chromium-review.googlesource.com/1097228
Reviewed-by: Jeremy Roman <jbroman@chromium.org>
Reviewed-by: Ian Clelland <iclelland@chromium.org>
Commit-Queue: Luna Lu <loonybear@chromium.org>
Cr-Commit-Position: refs/heads/master@{#567279}
[modify] https://crrev.com/ce77e4b6d9bc40b34aa45e2297495ba4376754b0/third_party/blink/common/feature_policy/feature_policy.cc
[modify] https://crrev.com/ce77e4b6d9bc40b34aa45e2297495ba4376754b0/third_party/blink/renderer/platform/feature_policy/feature_policy.cc

Comment 5 by loonyb...@chromium.org, Jun 14 2018

Status: Fixed (was: Assigned)

Sign in to add a comment